Sunday, January 18, 2015

Stopping Basic sethc.exe Local Admin Seizure

The StickyKeys trick is one of the most, if not the most, popular means of seizing local admin privileges on a Windows machine. It uses another boot medium to replace sethc.exe with cmd.exe and then activates StickyKeys on the logon screen to produce a command prompt running as System.

Of course, physical access is total access, and I can think of all manner of other interesting ways to bust into the local machine (adding a service to run at startup and as System would be pretty easy), but for the wanna-be hackers who are reading from a script, the failure of the StickyKeys trick would be a serious roadblock.

Local Security Policy can be used to set startup scripts, which execute before the logon screen is displayed. One of these scripts could be used to launch an application that checks whether sethc.exe (and the other accessibility programs available on the logon screen) have been modified. The watching application could then either replace the modified programs with the real version or throw up a big "Surprise! Nice try."
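One way to build that watching application, as an added example that is not the post's own code: a PowerShell computer-startup script that records a baseline of the logon-screen accessibility binaries on a clean machine, then on every later boot compares each file's SHA-256 hash against it, logs a mismatch to the Application event log, and restores a saved copy. The paths under C:\ProgramData\AccessCheck, the event source name, and the list of checked binaries are assumptions.

```powershell
$System32     = Join-Path $env:windir 'System32'
$Targets      = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
$BaselineFile = 'C:\ProgramData\AccessCheck\baseline.json'   # assumed location
$GoodCopyDir  = 'C:\ProgramData\AccessCheck\originals'       # assumed location
$LogSource    = 'AccessibilityCheck'                         # assumed event source

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Get-BinaryFacts([string]$Path) {
    # SHA-256 plus the PE's own OriginalFilename: a cmd.exe copied over sethc.exe
    # still carries Microsoft's signature, so an Authenticode check alone would pass.
    [pscustomobject]@{
        Hash             = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        OriginalFilename = (Get-Item $Path).VersionInfo.OriginalFilename
    }
}

# First run, on a known-clean machine: record hashes and keep pristine copies.
if (-not (Test-Path $BaselineFile)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselineFile), $GoodCopyDir | Out-Null
    $baseline = @{}
    foreach ($name in $Targets) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { continue }
        $baseline[$name] = Get-BinaryFacts $path
        Copy-Item -Path $path -Destination (Join-Path $GoodCopyDir $name) -Force
    }
    $baseline | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselineFile
    return
}

# Every later boot, before the logon screen appears: compare, log, restore.
$baseline = Get-Content -Raw -Path $BaselineFile | ConvertFrom-Json
foreach ($name in $Targets) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path $path)) { continue }
    $now = Get-BinaryFacts $path
    if ($now.Hash -eq $baseline.$name.Hash) { continue }
    $msg = "$name differs from baseline (hash $($now.Hash), OriginalFilename '$($now.OriginalFilename)', expected '$($baseline.$name.OriginalFilename)'); restoring known-good copy."
    Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 -Message $msg
    $good = Join-Path $GoodCopyDir $name
    if (-not (Test-Path $good)) { continue }
    # System32 binaries are owned by TrustedInstaller; even SYSTEM must take ownership first.
    takeown.exe /F $path | Out-Null
    icacls.exe $path /grant 'SYSTEM:F' | Out-Null
    Copy-Item -Path $good -Destination $path -Force
}
```

Windows servicing updates legitimately change these hashes, so delete the baseline file after patching to re-record it on the next boot. The script lives on the same disk an offline attacker can edit, so it raises the bar for script-driven attempts rather than closing the physical-access hole the post already describes.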
