Sethc.exe exploit in Windows XP-Present
- Bryn Trainor
- Dec 1, 2022
Updated: Apr 2, 2023
You know how, when you spam the Shift key in Windows, you get that confirmation popup for Sticky Keys? Well, that can be exploited to hack your computer! This article explains what the exploit is and how to prevent getting hacked. I apologise for the bad formatting on this article; I am using Wix on a school iPad because I typed the original document on my school profile and I can't access the document at home.
DISCLAIMER: THIS IS FOR EDUCATIONAL PURPOSES ONLY AND THE EXPLOIT SHOULD ONLY BE TESTED ON YOUR OWN MACHINE, I AM NOT RESPONSIBLE FOR ANY DAMAGES DONE BY USING THIS EXPLOIT

What is Sticky Keys?
Sticky Keys is an accessibility feature in Windows XP through present-day Windows that allows keys like Ctrl and Shift to remain active even if you're not pressing them. When you hit Shift 5 times, you get a prompt asking if you want to enable it. The program responsible for this is sethc.exe, which is typically located in the System32 folder.
What is the sethc.exe exploit?
The sethc.exe exploit involves replacing sethc.exe with Command Prompt. Because Sticky Keys is available when the computer is locked, a hacker can use the sethc exploit to bypass your password and access your files.
Once the exploit is in place, spamming the Shift key won't open the popup; it'll open Command Prompt. There's a hidden user called SYSTEM for things like the login screen and bootup. This user is hidden and usually inaccessible, but because the SYSTEM user is responsible for logging in and has administrator privileges, it can be abused by hackers to gain access to your computer and its files.
How do hackers exploit sethc?
There are two ways they can do this: the first one requires being logged in, but the other way only needs a Windows installation disc or USB, no password needed!
Here's how they do it. Please don't use this to hack anyone's computer, as it's against the law; this is for educational purposes only. I only recommend using this exploit if you can't log into a computer that YOU own.
Step 1. Insert your Windows installation disc or USB and shut down the computer
Step 2. On the install screen click “Repair your computer”
Step 3. Select Command Prompt in the list of options
Step 4. I had trouble replacing sethc via Command Prompt, so what I did was open Notepad, make a copy of cmd, rename it, delete the original sethc, then put the renamed cmd on it

Confirm that you want to overwrite the file and, if successful, your device is now exploited
Step 5. Reboot your computer
Step 6. On the login screen, spam the Shift key until you see the Command Prompt
You can now use Command Prompt to access files and folders on your computer, without the password!
You can also type userinit to see a Start menu, but it's broken and is unusable as a functional desktop.

How to protect yourself from the sethc.exe exploit?
Unfortunately, because sethc is a built-in Windows program that cannot be disabled, there's not much you can do. Most antivirus software can detect and remove sethc in some cases, so the best way to protect yourself is to have updated antivirus software installed on your computer. There is also a way to prevent it from happening completely, but this only works if you have Windows 7 or later installed, and it's only Windows 8 Pro, Enterprise, or Education or Windows 10 Pro, Enterprise, or Education. On these select copies of Windows there is a piece of software called BitLocker, which will allow you to encrypt your entire hard drive to make it inaccessible to anyone who isn't you, even if they use another boot device.
To enable BitLocker, go to the Control Panel, select System and Security, then select Manage BitLocker, select Turn on BitLocker, and follow the instructions to encrypt your drive.
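You can also check whether the swap described above has already been made on a machine. The PowerShell function below is an added example, not part of the original article; it assumes Windows 10 or later with PowerShell 5.1 in an elevated prompt, and the function name Test-SethcReplaced and its -System32 parameter are made up for this illustration.

```powershell
# Added example: check whether sethc.exe has been swapped out.
# Assumes Windows 10 or later, PowerShell 5.1, elevated prompt.
function Test-SethcReplaced {
    param(
        # Hypothetical parameter; defaults to the running system's System32 folder.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $sethc    = Join-Path $System32 'sethc.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if (-not (Test-Path -LiteralPath $sethc)) {
        $findings.Add('sethc.exe is missing')
    }
    else {
        # Check 1: same bytes as cmd.exe is the exact swap the article describes.
        $sethcHash = (Get-FileHash -LiteralPath $sethc -Algorithm SHA256).Hash
        if ((Test-Path -LiteralPath $cmd) -and
            ($sethcHash -eq (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash)) {
            $findings.Add('sethc.exe has the same SHA-256 hash as cmd.exe')
        }

        # Check 2: a file that is not validly signed is not the shipped binary.
        # (A copy of cmd.exe is still Microsoft-signed, so this catches other swaps.)
        $sig = Get-AuthenticodeSignature -FilePath $sethc
        if ($sig.Status -ne 'Valid') {
            $findings.Add("signature status is $($sig.Status)")
        }

        # Check 3 (heuristic): shipped system files are owned by TrustedInstaller;
        # a file copied in by hand usually is not.
        $owner = (Get-Acl -LiteralPath $sethc).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') {
            $findings.Add("owner is '$owner', expected 'NT SERVICE\TrustedInstaller'")
        }
    }

    # One result object: Suspicious is true when any check above fired.
    [pscustomobject]@{
        Path       = $sethc
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-SethcReplaced | Format-List
```

If Suspicious comes back True, running sfc /scannow from an elevated prompt restores the original system file.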




Amazing post, but actually I think you're kinda overreacting that it could be used as a "hack tool". Usually hackers won't do that to steal something from your computer; they would use something like a "password recovery" USB tool. I mean, it is a great post and it makes sense, but yeah, it is not so "dangerous" 🤔