Why a Windows Backdoor?
Planting a Windows backdoor on a computer lets you bypass the user password at the login screen and create a new user without first logging in to Windows. This is done without any third-party program, bootable CD or USB; once it is planted, any time you have physical access to the computer the game is on 😛
The only catch is that you need access to the target computer the first time, when you plant the Windows backdoor. That is the hard part, but a small mistake from your friend or victim, such as leaving Windows unlocked, is your chance: all you need is 5 minutes and you're done, no CD, USB or third-party program needed.
How Does the Windows Backdoor Work?
On the login screen, pressing the SHIFT key 5 times launches a program called sethc.exe, located in the Windows System32 directory. So what we do is simple: rename it to anything, or just move it to another directory, then take a copy of cmd.exe and rename that copy to sethc.exe. When Windows tries to open sethc.exe it is actually opening cmd.exe with administrative privileges. And here comes the cool part: with cmd you can do whatever you like, create a new user or remove the password of the current user.
Besides sethc.exe there is Utilman.exe, and we do the same for it; the only difference is that Utilman.exe is launched when you click the Ease of Access button at the bottom of the login screen. That way we have 2 Windows backdoors planted, double threat baby 😀
Let's Get Started:
As I said, you need access to the target computer the first time.
Go to C:\Windows\System32 and find sethc.exe. Once you have located it, rename it to sethc0.exe or anything you like, just something you can recognize later. If you get a File Access Denied error, as in the image below, don't panic, we will overcome that.
Click Cancel, right-click sethc.exe and click Properties, switch to the Security tab and click the Advanced button at the bottom. A new window opens; switch to the Owner tab and you will see that the current owner is TrustedInstaller. Click the Edit… button and change the current owner: you will be presented with a list of users on that computer, so choose Administrator or the user you are logged in as, see the image below:
Click OK; you will see that the current owner has changed to the user you chose. Close that window.
Back in the Properties window, click the Edit… button, see the image:
In the new window, select the user you are logged in as, in my case Administrator, and in the permissions box below, in the Allow column, check the box beside Full Control and click OK, see the image below:
Windows will warn you that what you are doing reduces security. Of course it does, we are planting a Windows backdoor, duh!!! Anyway, just click OK.
Now we have permission to rename the file: close the current window and rename sethc.exe to sethc0.exe.
Next find cmd.exe. You will find you don't have permission to copy or rename it either, so repeat the permission steps above for cmd.exe. When you're done, copy and paste it in the same folder, rename the new cmd - Copy.exe to sethc.exe, and that's it, the Windows backdoor is planted.
For Utilman.exe do the same as we did for sethc.exe: just go over the steps again and you're done.
Using the Backdoor to Bypass the Login Window:
After planting the backdoor, here comes the cool part: using it.
When you reach the login window of a locked user whose password you don't know, just hit the SHIFT key 5 times or click the Ease of Access button and you will be prompted with a cmd window with administrative privileges.
At this point you have 2 choices: reset the password of the existing user, or create a new user:
1st method – Reset the Password of the Current User:
Type: net user username password and hit Enter. This command sets a new password for any username without knowing the current password.
Replace username with the username of the account you want to access and password with your new password.
And voilà, now access the account with the new password you have set.
2nd method – Create a New User:
Type: net user username password /add and hit Enter. This command adds a new user to the system so you can log in to Windows without touching the existing user accounts.
Replace username and password with a username and password of your choice; these will be your login credentials.
The user we just created is a normal user; to give it administrative privileges, enter the command:
net localgroup administrators username /add and hit Enter, replacing username with the username you created, and that's it.
Now you have a new user with administrative privileges.
This proof of concept has been around for a very long time and is not really an exploit, which is why Microsoft does not intend to patch or block it. To remove the backdoor, just rename the files back to their original names and delete the cmd copies you created.
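As an added defender's check, not part of the original post, this PowerShell script audits the two accessibility binaries the post swaps out (sethc.exe and Utilman.exe) for exactly the artefacts the procedure above leaves behind: a version resource or file hash that belongs to cmd.exe, an owner other than TrustedInstaller, and a renamed original such as sethc0.exe still sitting in System32. It assumes an elevated 64-bit PowerShell prompt on a standard Windows layout and only reports, it changes nothing.

```powershell
# Added example (not from the original post): audit sethc.exe and Utilman.exe
# for the tampering described above. Read-only; run from an elevated PowerShell.
$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = @('sethc.exe', 'Utilman.exe')
$cmdHash = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
$findings = @()

foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { $findings += "$name is missing from System32"; continue }
    $item = Get-Item $path

    # 1. A pasted cmd.exe still carries cmd's own version resource.
    $orig = $item.VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) {
        $findings += "$name reports OriginalFilename '$orig' (expected '$name')"
    }
    # 2. Byte-identical to cmd.exe: the exact swap the post performs.
    if ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash) {
        $findings += "$name is a byte-for-byte copy of cmd.exe"
    }
    # 3. Signature check. Note: cmd.exe is itself a genuine Microsoft binary, so
    #    this catches third-party replacements, not the cmd swap (checks 1 and 2 do).
    $sig = Get-AuthenticodeSignature $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$name signature status: $($sig.Status)"
    }
    # 4. The post's first step is taking ownership away from TrustedInstaller.
    $owner = (Get-Acl $path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "$name owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
    }
}

# 5. Hunt for the renamed original (sethc0.exe in the post): any other .exe in
#    System32 whose version resource says it was built as sethc.exe or Utilman.exe.
Get-ChildItem $sys32 -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $o = $_.VersionInfo.OriginalFilename
    if ($o -and ($targets -contains $o) -and ($_.Name -ne $o)) {
        $findings += "$($_.Name) looks like a renamed copy of $o"
    }
}

if ($findings.Count -eq 0) { 'No signs of accessibility-binary tampering found.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

A clean machine prints the single "No signs" line; any WARNING line maps directly to one of the steps in the post and tells you which file to restore from a known-good copy.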