{"id":1197,"date":"2007-04-19T14:51:08","date_gmt":"2007-04-19T13:51:08","guid":{"rendered":"http:\/\/www.darrenstraight.com\/blog\/2007\/04\/19\/windows-vista-ease-of-access-backdoor-logon\/"},"modified":"2007-04-19T14:51:08","modified_gmt":"2007-04-19T13:51:08","slug":"windows-vista-ease-of-access-backdoor-logon","status":"publish","type":"post","link":"https:\/\/www.darrenstraight.com\/blog\/2007\/04\/19\/windows-vista-ease-of-access-backdoor-logon\/","title":{"rendered":"Windows Vista &#8216;Ease of Access&#8217; Backdoor Logon"},"content":{"rendered":"<p>Follwing <a href=\"http:\/\/www.darrenstraight.com\/blog\/2007\/04\/19\/disabling-ease-of-access-on-the-windows-vista-login-screen\/\">my recent post<\/a> about removing or disabling the Ease of Access Icon, located in the lower left hand corner of the Windows Vista login screen. I just found an article titled &#8220;<a href=\"http:\/\/www.computerperformance.co.uk\/vista\/vista_backdoor_logon.htm\">Windows Vista &#8211; Backdoor Logon<\/a>&#8221; which exlains to you a method which you can use to\u00a0exploit the &#8216;Ease of Access&#8217; menu at the bottom of a regular Windows Vista Logon.<\/p>\n<p>Normally, if you click the Icon then you get a choice of help from Narrator, Magnifier and High Contrast.\u00a0 The trick is to replace the file called Magnify.exe, with a file which is really cmd.exe.<\/p>\n<p>Once you make the change, then when you select Magnifier from the Ease of Access dialog box, you enter the operating system at the command prompt.\u00a0 The result is you can logon as the System account, without the need of a password.\u00a0 However one of the\u00a0limitations that exsist\u00a0is that your shell program is cmd.exe rather than explorer.\u00a0 Though\u00a0a more serious limitation is that in order to enter via this backdoor, you would need to install a Trojan horse program.\u00a0 Another possibility is that you have logged on previously, and manually made the changes as\u00a0described below.<\/p>\n<blockquote><p><strong>Preliminary Step &#8211; Deal with Permissions<\/strong><\/p>\n<p><strong>Problem:<\/strong> You cannot rename or delete the original Magnify.exe in Windows \\system32.\u00a0 Even though you are an administrator, even though UAC is enabled, all you get is this message:<\/p>\n<p>&#8216;You need permission to perform this action&#8217;<\/p>\n<p><strong>Solution:<\/strong> Take ownership of the file Magnify.exe, then change the permission for the Administrator&#8217;s group to Full control.\u00a0 Then rename Maginify.exe to MagnifyOld.exe.<\/p>\n<p><strong>Main Step &#8211; Create the Impostor Magnify.exe<\/strong><\/p>\n<ol>\n<li>Create a new folder called Ease<\/li>\n<li>Copy CMD.exe &#8212;&gt; \\Ease \\cmd.exe<\/li>\n<li>Rename \\Ease \\cmd.exe &#8212;&gt; Magnify.exe<\/li>\n<li>Copy \\Ease \\Magnify.exe &#8212;&gt; Windows \\system32\\Magnify.exe<\/li>\n<\/ol>\n<p>What you have achieved is that the old, relatively harmless, &#8216;Magnify&#8217; becomes the more versatile cmd.exe.<\/p><\/blockquote>\n<blockquote><p><strong>Test Your &#8216;Ease of access&#8217; Backdoor Method<\/strong><\/p>\n<ol>\n<li>At the Vista Logon screen, click on Ease of access<\/li>\n<li>Check the box next to: Make Items on the screen Larger (Magnifier)<\/li>\n<li>Click &#8216;OK&#8217;<\/li>\n<li>You should now find yourself at the Command Prompt<\/li>\n<li>Try whoami<\/li>\n<li>Try regedit<\/li>\n<li>Feel the power!<\/li>\n<\/ol>\n<\/blockquote>\n<p><img decoding=\"async\" src=\"http:\/\/www.darrenstraight.com\/blog\/images\/2007\/04\/backdoor.jpg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follwing my recent post about removing or disabling the Ease of Access Icon, located in the lower left hand corner of the Windows Vista login screen. I just found an article titled &#8220;Windows Vista &#8211; Backdoor Logon&#8221; which exlains to you a method which you can use to\u00a0exploit the &#8216;Ease of Access&#8217; menu at the bottom of a regular Windows<\/p>\n<div class=\"clearfix\"><\/div>\n<div class=\"pull-left padding-top-25\"><a href=\"https:\/\/www.darrenstraight.com\/blog\/2007\/04\/19\/windows-vista-ease-of-access-backdoor-logon\/\" class=\"btn btn-theme\">Continue reading<span class=\"screen-reader-text\"> &#8220;Windows Vista &#8216;Ease of Access&#8217; Backdoor Logon&#8221;<\/span> <i class=\"fa fa-fw fa-long-arrow-right\"><\/i> <\/a>  <\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-1197","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/posts\/1197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/comments?post=1197"}],"version-history":[{"count":0,"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/posts\/1197\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/media?parent=1197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/categories?post=1197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darrenstraight.com\/blog\/wp-json\/wp\/v2\/tags?post=1197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}