Sticky Keys Exploit RRS feed

  • Question

  • Sticky keys (sethc.exe) within C:\Windows\System32 is too commonly replaced by a re-named copy of CMD.exe (to sethc.exe), and, placed into the System32 directory.

    From the login screen, the shift key is then quickly tapped 5 times which allows winlogon.exe to run CMD presenting a CLI at Administrator level - this happens pre-logon...

    From this elevated CLI, commands may be entered to enable the Administrator account (e.g., "Net User Administrator/Active:yes"), and upon reboot, the administrator account is now accessible with no password. Also, from this CLI at next login, the activated Administrator account may be given personal security (e.g., "Net User Administrator newpassword" which equates to a new Administrator password being set. I have even seen iexplore.exe run from this CLI at YouTube before logon.

    This exploit will surely damage the Microsoft brand if not addressed!

    I am hoping to gather ideas on how Windows can be made to ENSURE this exploit does not continue. Thanks in advance!

    Monday, March 11, 2013 9:32 AM


  • You can turn off Keyboard Sticky from All Control Panel Items\Ease of Access Center\Set up Sticky Keys

    Niki Han
    TechNet Community Support

    Wednesday, March 13, 2013 2:46 AM

All replies

  • You can turn off Keyboard Sticky from All Control Panel Items\Ease of Access Center\Set up Sticky Keys

    Niki Han
    TechNet Community Support

    Wednesday, March 13, 2013 2:46 AM
  • This is not so....

    when accessing the hack.

    on the logon screen, at the bottom left hand side there is a bar you can click on, when the widow pops open, you are able to turn sticky keys on and off by free will.

    this hack/exploit can not be stopped, unless making sure no one can access your account (which can be easily done using konboot)

    Tuesday, January 13, 2015 11:54 PM
  • You can gladly disable the startup repair so this exploit cannot be abused.

    /bcdedit /set {default} bootstatuspolicy ignoreallfailures

    Then i would suggest disabling the sticky keys and the ease of access center.

    Control Panel > Ease of Access Center > Make Keyboard Easier > Then un-check "Turn On Sticky Keys".

    Sincerely - Syntax.. :) LMK of any questions you have. Email -

    • Proposed as answer by Acreed02 Monday, July 20, 2015 7:15 PM
    Monday, July 20, 2015 4:25 PM
  • Sorry for the necro, but this exploit isn't fixed. If you boot the computer using a Linux OS (for example, Kali), you can just mount the windows install (usually /dev/sda2) and then just rename the file in system32. You could use a bootlocker, or disable the boot menu from the bios, but should a vulnerabiliy in the OS really not be pached, and should it be left for the computer/mobo manufacturer to make sure it's not broken into?
    • Edited by Atoc_ Tuesday, January 23, 2018 6:56 PM
    Tuesday, January 23, 2018 6:56 PM
  • I couldn't agree more.  and so far I haven't been able to mitigate this on a windows 10 1709 machine.  the Utilman.exe is also vulnerable, haven't been successful mitigating either. 
    Sunday, January 28, 2018 2:11 AM
  • Just encrypt the damn hard drive, this way you are preventing all executable replacement by booting up external OS as the hard drive will be unaccessible without the proper keys.

    I can't believe people are still complaining about this, enable Bitlocker or any 3rd party full disk encryption. For server systems just enforce AD policy to disable all of those featuress that are launched on the logon screen. Don't forget to secure physical access to the servers (keep the server racks locked). Basic level IT security....

    Sunday, September 23, 2018 1:24 PM
  • That sounds lika a good idea, until you realise that you will export/import the computer to another country that restricts encryptions and TPM (PTT) (no, our HW does not have the china approved chip installed), like China (and other countries). I have tested this vulnerability this week on a fresh Windows 10 IoT Enterprise LTSC (1809) and it still works, it only takes a couple of minutes to bypass the Windows login security. I have to admit, I am very surprised that this huge flaw in security of Windows hasn't been fixed, this has been known since XP and now, more that 10 years later, the "trick" still works. As you probably can guess, this is computer is not a Server that is installed in a lockable server rack and in a controlled/monitored server room, it's a IPC that is installed in a (customer owned) industrial environment with no or very small ways to control the physical access (3:ed party service companies etc.).

    Also note that this does not only apply to the Sticky Key, you can replace any .exe file that is related to the "Ease of Access" like the magnifier etc...

    As I see it, if you are operating globally the only viable option to "solve" this issue is to restrict the physical access (encryption is not an option in certain countries), put your IPC/Computer in a locked (with a key) cabinet.

    If Microsoft reads this: Please fix!

    Tuesday, May 7, 2019 9:37 PM