Windows 7 has a well-known weakness that lets anyone with physical access to a machine log into it. While the lock screen (winlogon.exe) is displayed, the accessibility shortcuts are still available (try hitting left_alt + left_shift + print_scr). When one of those shortcuts is triggered, it is actually handled by a separate binary, sethc.exe. You may already have met that process when holding a key down for too long (the Sticky Keys dialog popup). The flaw is that winlogon.exe executes that file regardless of what it actually contains: it runs as SYSTEM, before any user has authenticated, with no integrity check on the binary. If the file is replaced with a command prompt, the login screen will open that prompt whenever an accessibility shortcut is triggered:
- Restart the computer, hit F8 for boot options and select "Repair your computer"
- Start a Command Prompt
- Make a backup of sethc.exe:
  move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck
- Copy your cmd prompt over it:
  copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
- Restart the computer
- At the login screen, trigger the Sticky Keys helper (i.e. sethc.exe) by hitting shift 5 times
- In the new prompt, change the password:
  net user [username] [password]
- Restore the original sethc.exe file once you are done.
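For the other side of this, here is an added integrity check (example code, not part of the original post) that an administrator can run to tell whether sethc.exe on a machine is still the real accessibility helper or has been swapped as described above. It assumes PowerShell 4.0 or later (for Get-FileHash) and the default %SystemRoot%\System32 layout; the backup file name is the one used in the walkthrough above.

```powershell
# Added example: detect a replaced sethc.exe (the swap described in the post).
# Assumption: PowerShell 4.0+ and the default System32 paths.
$sethc  = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd    = Join-Path $env:SystemRoot 'System32\cmd.exe'
$backup = "$sethc.bck"   # name the walkthrough above gives the saved original

function Test-SethcIntegrity {
    $findings = @()

    # 1. After the swap, sethc.exe is a byte-for-byte copy of cmd.exe.
    #    Hashing both and comparing catches that directly.
    $sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += 'sethc.exe is byte-identical to cmd.exe'
    }

    # 2. A copied binary keeps its own version resource. The genuine helper
    #    reports OriginalFilename 'sethc.exe'; cmd.exe reports 'Cmd.Exe'.
    #    (An Authenticode check would NOT catch this: a copied cmd.exe still
    #    matches Microsoft's catalog by hash, so it validates as signed.)
    $origName = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($origName -ne 'sethc.exe') {
        $findings += "unexpected OriginalFilename '$origName' on sethc.exe"
    }

    # 3. The walkthrough leaves the renamed original behind; its presence is
    #    an indicator worth following up on its own.
    if (Test-Path $backup) {
        $findings += "leftover backup present: $backup"
    }

    return $findings
}

$result = Test-SethcIntegrity
if ($result.Count -eq 0) {
    Write-Output 'OK: sethc.exe looks unmodified'
} else {
    $result | ForEach-Object { Write-Output "ALERT: $_" }
}
```

Run it from an elevated prompt; the same checks can be scheduled across a fleet, and the hash comparison is the one to keep if only a single check is wanted, since it is independent of the Windows build.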