Miscellaneous
Articles that don’t have a category, yet
Note that this technique may be patched in the latest versions of Windows 10 / Windows whatever-version-we’re-on. It may also be detected and automatically mitigated by antivirus software. If that’s the case then this article is kept for archival reasons.
This technique requires the use of a Windows 10 installation ISO, Windows PE, or a Linux Live CD.
From time to time you may find that you’re locked out of your account in Windows. Well… if you have local access to the machine running Windows (meaning you can force a reboot and a temporary boot device) then there is a convenient vulnerability still present in Windows after all these years that will allow you to break in.
Insert your installation media and reboot, following the instructions for your BIOS to select a temporary boot device, and choose your installation media. If using a Windows 10 installation ISO, choose the Repair your computer option. Choose Troubleshoot, then Advanced Options, then Command Prompt. Then run the following commands:
```
diskpart
list volume
```

You’ll have to deduce which volume is the system volume, using trial and error. In my test case there was a 35GB volume mounted on D:, so when I listed the contents of that volume I found the Windows system folder right away, indicating this is the system volume.
Having identified the volume that contains the Windows system (for example D:), we’re going to take advantage of the way that Windows accessibility tools can be launched from the login screen, before any user has logged in. The accessibility tool is simply an executable in the Windows System32 directory called sethc.exe. The login screen launches the tool by calling the executable by the name sethc.exe, so we can trick the login screen into launching any executable by giving the desired executable the name sethc.exe and placing it at the same path.
To start with, let’s keep a backup copy of sethc.exe in case we want to restore it later (…maybe accessibility is important to your users!):
```
ren D:\Windows\System32\sethc.exe sethc.exe.bak
```

While we can cause any executable to be launched from the login screen, the most versatile choice is likely cmd.exe. Make a copy and name it sethc.exe:
```
copy D:\Windows\System32\cmd.exe D:\Windows\System32\sethc.exe
```

And with that you’re set to reboot and regain your access! When you’re back at the login page of your existing Windows installation, press Shift five times to trigger the launch of our impersonating sethc.exe (really cmd.exe). Alternatively, you can launch Sticky Keys from the accessibility menu icon in the lower right. Doing so should present you with an elevated command window with Administrator access. From here you could enable the built-in Administrator account and set the password for it:
```
net user Administrator [password] /active:yes
```

Since the built-in Administrator account has local administrator permissions, and you now know its password (since you just set it), you can log in and take any action you need to, such as resetting the password on any user account, creating a user account, or whatever.
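Because the swap above leaves distinctive traces on disk, an administrator can audit a machine for it. The following is an added example (not from the original article) that checks the accessibility binaries the logon screen can launch; it assumes a live Windows install with PowerShell 5.1 or later and should be run from an elevated prompt.

```powershell
# Added example: audit logon-screen accessibility binaries for the sethc.exe swap.
param(
    # Point this at an offline System32 (e.g. a mounted image) to audit that instead.
    [string]$System32 = (Join-Path $env:SystemRoot 'System32')
)

# sethc.exe is what the article replaces; the others are started the same way from
# the accessibility menu, so the same substitution and the same check apply to them.
$Tools   = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
$CmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'cmd.exe')).Hash

$Findings = foreach ($name in $Tools) {
    $path = Join-Path $System32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $reasons = @()

    # 1. A straight copy of cmd.exe carries cmd.exe's hash.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    if ($hash -eq $CmdHash) { $reasons += 'content identical to cmd.exe' }

    # 2. Renaming does not rewrite the PE version resource, so a swapped-in binary
    #    still reports its original file name (cmd.exe reports 'Cmd.Exe').
    $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -ne $name)) { $reasons += "OriginalFilename is '$orig'" }

    # 3. The procedure above leaves the genuine binary behind as <name>.bak.
    if (Test-Path -LiteralPath "$path.bak") { $reasons += "backup '$name.bak' present" }

    # 4. Microsoft's tools are catalog-signed. A renamed copy of cmd.exe still
    #    validates, so this step only flags unsigned or modified replacements.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

    [pscustomobject]@{
        File       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$Findings | Format-Table -AutoSize
```

Against an offline image the signature check may report NotSigned for every file, because the catalogs consulted are those of the running system; the hash, OriginalFilename and .bak checks still apply.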
All Linux distributions rely on certain types of utilities for basic work, things like package managers and service managers. As distributions fork from other distributions, a lineage is formed. Therefore we can rely, to some extent, on families of distributions typically using the same basic utilities as their parent. Outlined below is a non-comprehensive list of distributions and their descendants.
The popular enterprise flavor of Linux, Red Hat is developed by Red Hat, Inc. It is probably the distribution with the most built-in and compatible tools for managed networks. Uses the YUM and DNF package managers.
```mermaid
graph TD;
  B(Fedora) --> C(CentOS Stream)
  C --> A[Red Hat Enterprise Linux]
  A --> D(Rocky Linux)
  A --> E(AlmaLinux)
  A --> F(Oracle Linux)
  A --> G(ClearOS)
  click A "https://www.redhat.com"
  click B "https://getfedora.org"
  click C "https://www.centos.org"
  click D "https://rockylinux.org"
  click E "https://almalinux.org"
  click F "https://www.oracle.com/linux"
  click G "https://www.clearos.com"
```
Debian is actually less popular than its most popular descendant, Ubuntu. Uses the APT package manager.
```mermaid
graph TD;
  A[Debian] --> B(Ubuntu)
  A --> C(Kali Linux)
  A --> D(Linux Mint)
  A --> E(PureOS)
  click A "https://www.debian.org"
  click B "https://ubuntu.com"
  click C "https://www.kali.org"
  click D "https://linuxmint.com"
  click E "https://pureos.net"
```
The Alpine distribution is most often used as a base for lightweight container images, due to its minimal size and the performance benefits of its design to run entirely in RAM. Uses the apk package manager.
```mermaid
graph TD;
  A[Alpine Linux]
  click A "https://alpinelinux.org"
```
Created with the objective of being a minimal Linux distribution, Arch was loosely based on another minimal Linux distro called CRUX. Arch uses the pacman package manager.
```mermaid
graph TD;
  A[Arch Linux] --> B(Manjaro)
  A --> C(EndeavourOS)
  A --> D(Garuda Linux)
  A --> E(SteamOS)
  click A "https://archlinux.org"
```
SUSE is one of the oldest Linux distributions still in active development, and is geared towards an enterprise environment. This was the OS I built my first hypervisor on back in 2013, using its built-in virtualization environment. Uses the YaST standard package management system.
```mermaid
graph TD;
  A[SUSE Linux Enterprise Server]
  click A "https://www.suse.com"
```
A special mention to Slackware, another very old Linux distribution, and the first Linux OS that I installed. Extremely minimal and package-stable, this distro aims to be very trimmed down. Available today with a desktop manager preinstalled, it used to be command-line only. It was a fork of Softlanding Linux System, back around the dawn of Linux.
```mermaid
graph TD;
  B(Softlanding Linux System) --> A[Slackware Linux]
  click A "http://www.slackware.com"
```
Read more about the history of Linux, which began with Unix, in this article from The Register: https://www.theregister.com/2024/01/27/opinion_column/
It used to be possible to monitor your Windows 10 client with SNMP by enabling it in Windows Features; however, SNMP has been deprecated since Windows 10 version 1809. This article stands as a reminder that it is no longer supported in modern versions of Windows. Microsoft offers the Common Information Model (CIM) as the preferred replacement service.