Old loophole makes it easy to hack and reset the Windows 10 user password


Batu69



Users that forgot the password they used for logging into Windows 10 can easily regain access to the operating system. Obviously the method can also be easily abused for less innocuous reasons. An easy-to-abuse loophole that already existed in earlier versions of Windows still works in Windows 10.

The loophole works by gaining filesystem access on the disk where Windows 10 is installed and replacing the onscreen keyboard with the command prompt. The onscreen keyboard is part of the Windows 10 accessibility options and allows a pointing device, like a mouse, to be used to enter text while no keyboard is available. The onscreen keyboard can be used to enter a password or PIN at the Windows 10 login screen.

Filesystem access to Windows 10 is easily obtained by e.g. using a USB drive with a Live Linux version installed, Apple’s Boot Camp or simply by using the ‘Repair computer’ feature of Windows 10. The latter allows access to the command prompt in its Advanced Troubleshooting section and is the easiest solution.

No matter how an attacker gains access to the Windows 10 file system, once he has access he can simply navigate to C:\Windows\System32 and rename osk.exe (the onscreen keyboard) to osk.old (placeholder name). The next step is renaming cmd.exe to osk.exe, which replaces the onscreen keyboard functionality with the command prompt. The onscreen keyboard can then be selected in the accessibility options on the Windows 10 login screen.

When the files are properly renamed, the onscreen keyboard will no longer show; instead, the command prompt is shown. By simply using the command ‘net user <USERNAME in quotes> <PASSWORD>’ he can change the password of any Windows 10 user on the system.


For a trained attacker this takes only a few minutes. Although the attacker requires physical access to the computer, it’s a great trick for students to gain access to their teacher’s computer or for unprivileged users to gain access to computers with confidential data.

It’s strange that such an easy-to-abuse loophole still hasn’t been fixed by Microsoft; a quick Google search shows that the trick has existed at least since Windows Vista.

News source



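As an added, defender-side example (not part of the original post or the article it reposts): a PowerShell check that spots the osk.exe-for-cmd.exe swap described above on a running Windows 10 system. The function name, and the idea of looking for a leftover osk.old-style copy, are assumptions drawn from the post's own walkthrough.

```powershell
# Added example, not from the original post. Assumes Windows 10 with
# PowerShell 5 or later and read access to System32.
function Test-OskSwap {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $osk = Join-Path $System32 'osk.exe'
    $cmd = Join-Path $System32 'cmd.exe'
    $findings = @()

    # 1. A renamed cmd.exe is byte-identical to the real cmd.exe, so the
    #    SHA256 hashes of osk.exe and cmd.exe match after the swap.
    $oskHash = (Get-FileHash -Algorithm SHA256 -Path $osk).Hash
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($oskHash -eq $cmdHash) {
        $findings += "osk.exe has the same SHA256 as cmd.exe ($oskHash)"
    }

    # 2. Renaming a file does not touch its version resource, so a swapped
    #    osk.exe still reports cmd.exe's OriginalFilename.
    $info = (Get-Item -Path $osk).VersionInfo
    if ($info.OriginalFilename -and $info.OriginalFilename -notlike 'osk*') {
        $findings += "osk.exe reports OriginalFilename '$($info.OriginalFilename)'"
    }

    # 3. The walkthrough parks the real keyboard as osk.old (placeholder
    #    name); any stray osk.* file in System32 deserves a look.
    foreach ($f in Get-ChildItem -Path $System32 -Filter 'osk.*' -File) {
        if ($f.Name -ne 'osk.exe') {
            $findings += "unexpected file $($f.FullName)"
        }
    }

    # Caveat: Get-AuthenticodeSignature still reports 'Valid' for a renamed
    # cmd.exe, because the signature covers the file bytes, not the file
    # name, so a signature check alone does not catch this swap.
    return $findings
}

$result = @(Test-OskSwap)
if ($result.Count -eq 0) { 'osk.exe looks untouched' } else { $result }
```

The check only covers the rename trick the post describes; full-disk encryption, as the first reply notes, is what stops the offline rename in the first place.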

Recently, a colleague's laptop had to be formatted, because none of the tools (none tested) that worked on W7 etc. worked on W10 x64, as he had admittedly changed his password and completely forgotten it...

Hope this works (obviously, it would need a non-encrypted filesystem), but I might try it sometime.



Quote

Users that forgot the password they used for logging into Windows 10 can easily regain access to the operating system. Obviously the method can also be easily abused for less innocuous reasons. An easy to abuse loophole that already existed in earlier versions of Windows, still works in Windows 10.

Surely you jest. You are not talking about the SECUREST (a lot of authors and Microsoft's word, not mine) version of Windows ever released? You think that is the only hole, we found one that goes back to Windows 3.1 that allows the computer to be taken over by anyone (and we aren't telling).



5 hours ago, vibranium said:

A normal Windows logon screen security can be cracked in 2 minutes, whether 7 or 8 or 10

2 minutes? That much?

lol



You could search for Kon-Boot for example. There are more. I wouldn't use it to hack anyone's computer though. But I've helped a couple of friends get out of a pickle when they forgot their passwords.


