Vista - login in Windows Vista without any credential

There is a serious bug found in Windows Vista Ultimate, which allow the user
to login in to Window Vista System without providing any credential. It just
requires the attacker to access the victim system, for the first time. To
gain access to victim system, follow these steps.

1) Open System32 folder of your windows.
2) Copy Cmd.exe, Magnify.exe and paste it in two different locations, for
safety purpose.
3) Rename the cmd.exe to Magnify.exe on the backup location.
4) Copy & paste the renamed cmd.exe to system32 folder, this asks for
replacing the Magnify.exe, just continue with replacing.
5) Now restart the system.
6) After restarting the system, the login screen will come, now select the
utility manager, which is on the below left on the screen.
7) Now check the Magnify check box, to open the Magnify.exe, but now this
will open the cmd.exe.
7) In the command prompt, just type the explorer.exe, this will open the
explorer.exe, and desktop, without login in to the system. The user account
provided for login is the system account, so u can do anything with the
system.
You can also play with the windows registry, services, user account change,
and deletion of user accounts, anything you want.


I don’t understand why Microsoft is failed to look in to simple problems.
This is the simplest way to hack the windows vista, without any detailed
hacking knowledge.



----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://windowshelp.microsoft.com/com...vista.security

"Abhishek Choudhary" <Abhishek Choudhary@discussions.microsoft.com> wrote in
message news:84B823DA-703D-4A9A-AC36-EA623537E69F@microsoft.com...
> There is a serious bug found in Windows Vista Ultimate, which allow the
> user
> to login in to Window Vista System without providing any credential. It
> just
> requires the attacker to access the victim system, for the first time. To
> gain access to victim system, follow these steps.
>
> 1) Open System32 folder of your windows.
> 2) Copy Cmd.exe, Magnify.exe and paste it in two different locations, for
> safety purpose.
> 3) Rename the cmd.exe to Magnify.exe on the backup location.


And ... what access rights do you need to have to the system for step 4,
which writes to the system32 directory?

> 4) Copy & paste the renamed cmd.exe to system32 folder, this asks for
> replacing the Magnify.exe, just continue with replacing.

Oh, yes, that's right, it requires you have administrator access to write to
that directory.

So, if you're an administrator, you can hack the machine so that you don't
have to log on.

Brilliant.

I can do that with a couple of registry entries.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Yes pretty pointless. It allows you to access the computer again later. You
already have to have access. I propose a better secury leak. Go to control
panel, users profiles. Setup a second administrator account. Bam, you can
access the account later. Full access through that account. I have to
admit, the magnifier.exe thing is pretty sneaky though. This is only a
security threat if your live in a community environment and forget to lock
your computer.

Physical security is just as important as anything Microsoft can do. If you
leave your computer logged in for anyone to use, that is a security threat
that you created. The whole point of an administrator account is to have
access to everything. That same user that messes with the windows\system32
folder could also install a rootkit or spyware on your computer. A physical
person can easily bypass all the UAC prompts, do whatever they please. Heck,
they could plug in a USB key and copy all your private data straight to it,
or delete it.

--
/* * * * * * * * * * * * * * * * * *
* Robert Firth *
* Windows Vista x86 RTM *
* http://www.WinVistaInfo.org *
* * * * * * * * * * * * * * * * * */

<alun@texis.invalid> wrote in message
news:B34E9C22-B805-4F95-AEA7-94B15BB3A986@microsoft.com...
> "Abhishek Choudhary" <Abhishek Choudhary@discussions.microsoft.com> wrote
> in message news:84B823DA-703D-4A9A-AC36-EA623537E69F@microsoft.com...
>> There is a serious bug found in Windows Vista Ultimate, which allow the
>> user
>> to login in to Window Vista System without providing any credential. It
>> just
>> requires the attacker to access the victim system, for the first time. To
>> gain access to victim system, follow these steps.
>>
>> 1) Open System32 folder of your windows.
>> 2) Copy Cmd.exe, Magnify.exe and paste it in two different locations, for
>> safety purpose.
>> 3) Rename the cmd.exe to Magnify.exe on the backup location.
>
>
> And ... what access rights do you need to have to the system for step 4,
> which writes to the system32 directory?
>
>> 4) Copy & paste the renamed cmd.exe to system32 folder, this asks for
>> replacing the Magnify.exe, just continue with replacing.
>
> Oh, yes, that's right, it requires you have administrator access to write
> to that directory.
>
> So, if you're an administrator, you can hack the machine so that you don't
> have to log on.
>
> Brilliant.
>
> I can do that with a couple of registry entries.
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>
>

Robert Firth wrote:
> Yes pretty pointless. It allows you to access the computer again later.
> You already have to have access. I propose a better secury leak. Go to
> control panel, users profiles. Setup a second administrator account.
> Bam, you can access the account later. Full access through that
> account. I have to admit, the magnifier.exe thing is pretty sneaky
> though. This is only a security threat if your live in a community
> environment and forget to lock your computer.
>
> Physical security is just as important as anything Microsoft can do. If
> you leave your computer logged in for anyone to use, that is a security
> threat that you created. The whole point of an administrator account is
> to have access to everything. That same user that messes with the
> windows\system32 folder could also install a rootkit or spyware on your
> computer. A physical person can easily bypass all the UAC prompts, do
> whatever they please. Heck, they could plug in a USB key and copy all
> your private data straight to it, or delete it.
>

Yes, it always amuses me when people are "outraged" that Windows can be
accessed by booting with other operating systems, etc. As you have so
well explained, *any* computer running *any* operating system is
vulnerable if there is physical access by a skilled person with a bit of
time and a few tools. I can get into my Linux and OS X systems, too.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

"Malke" <notreally@invalid.invalid> wrote in message
news:%23dvwTEnWHHA.5108@TK2MSFTNGP06.phx.gbl...
> Yes, it always amuses me when people are "outraged" that Windows can be
> accessed by booting with other operating systems, etc. As you have so well
> explained, *any* computer running *any* operating system is vulnerable if
> there is physical access by a skilled person with a bit of time and a few
> tools. I can get into my Linux and OS X systems, too.


Although...

Encryption is one protection that mitigates physical access - under one
condition. The encryption keys must be unloaded when you leave the encrypted
device alone - often, this means turning off your computer.

I like to call it "defence in death" - even if the system is stolen and can
be probed by serious hackers, they will not be able to get access to data on
an appropriately encrypted drive.

Other than that, of course, you're right - physical access to systems,
particularly while they are on and logged on, cannot be used as the starting
point for a "vulnerability", because the vulnerability is precisely that you
left the machine logged on and running.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

alun@texis.invalid wrote:
> "Malke" <notreally@invalid.invalid> wrote in message
> news:%23dvwTEnWHHA.5108@TK2MSFTNGP06.phx.gbl...
>> Yes, it always amuses me when people are "outraged" that Windows can be
>> accessed by booting with other operating systems, etc. As you have so well
>> explained, *any* computer running *any* operating system is vulnerable if
>> there is physical access by a skilled person with a bit of time and a few
>> tools. I can get into my Linux and OS X systems, too.
>
>
> Although...
>
> Encryption is one protection that mitigates physical access - under one
> condition. The encryption keys must be unloaded when you leave the encrypted
> device alone - often, this means turning off your computer.
>
> I like to call it "defence in death" - even if the system is stolen and can
> be probed by serious hackers, they will not be able to get access to data on
> an appropriately encrypted drive.
>
> Other than that, of course, you're right - physical access to systems,
> particularly while they are on and logged on, cannot be used as the starting
> point for a "vulnerability", because the vulnerability is precisely that you
> left the machine logged on and running.
>
> Alun.
> ~~~~

True, true. Thanks for mentioning the encryption. Since my client base
is made of home users and small businesses, I usually don't think of
encryption since in that client base encryption often equals "I
encrypted my data and [fill-in-blank] so now I can't get my data.
Certainly BitLocker on corporate laptops is A Good Thing.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Abhishek Choudhary wrote:
> There is a serious bug found in Windows Vista Ultimate, which allow
> the user to login in to Window Vista System without providing any
> credential..

Priceless. Just priceless. Had to blog this one...
http://robertmoir.com/blogs/someone_...or-access.aspx

You are correct, but what if the Administrator delete the account, which you
have created, because it display all the account name at the time of login,
so victim can see that a new account has beed created, and he will know that
there is some hacking activity is done on his machine.

"Robert Firth" wrote:

> Yes pretty pointless. It allows you to access the computer again later. You
> already have to have access. I propose a better secury leak. Go to control
> panel, users profiles. Setup a second administrator account. Bam, you can
> access the account later. Full access through that account. I have to
> admit, the magnifier.exe thing is pretty sneaky though. This is only a
> security threat if your live in a community environment and forget to lock
> your computer.
>
> Physical security is just as important as anything Microsoft can do. If you
> leave your computer logged in for anyone to use, that is a security threat
> that you created. The whole point of an administrator account is to have
> access to everything. That same user that messes with the windows\system32
> folder could also install a rootkit or spyware on your computer. A physical
> person can easily bypass all the UAC prompts, do whatever they please. Heck,
> they could plug in a USB key and copy all your private data straight to it,
> or delete it.
>
> --
> /* * * * * * * * * * * * * * * * * *
> * Robert Firth *
> * Windows Vista x86 RTM *
> * http://www.WinVistaInfo.org *
> * * * * * * * * * * * * * * * * * */
>
> <alun@texis.invalid> wrote in message
> news:B34E9C22-B805-4F95-AEA7-94B15BB3A986@microsoft.com...
> > "Abhishek Choudhary" <Abhishek Choudhary@discussions.microsoft.com> wrote
> > in message news:84B823DA-703D-4A9A-AC36-EA623537E69F@microsoft.com...
> >> There is a serious bug found in Windows Vista Ultimate, which allow the
> >> user
> >> to login in to Window Vista System without providing any credential. It
> >> just
> >> requires the attacker to access the victim system, for the first time. To
> >> gain access to victim system, follow these steps.
> >>
> >> 1) Open System32 folder of your windows.
> >> 2) Copy Cmd.exe, Magnify.exe and paste it in two different locations, for
> >> safety purpose.
> >> 3) Rename the cmd.exe to Magnify.exe on the backup location.
> >
> >
> > And ... what access rights do you need to have to the system for step 4,
> > which writes to the system32 directory?
> >
> >> 4) Copy & paste the renamed cmd.exe to system32 folder, this asks for
> >> replacing the Magnify.exe, just continue with replacing.
> >
> > Oh, yes, that's right, it requires you have administrator access to write
> > to that directory.
> >
> > So, if you're an administrator, you can hack the machine so that you don't
> > have to log on.
> >
> > Brilliant.
> >
> > I can do that with a couple of registry entries.
> >
> > Alun.
> > ~~~~
> > --
> > Texas Imperial Software | Web: http://www.wftpd.com/
> > 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
> >
> >
>
>

A similar procedure can be done in XP using a Computer GP script that runs
cmd. As Roberts says the only use of this is to emphasize how important
physical security is.

"Abhishek Choudhary" <AbhishekChoudhary@discussions.microsoft.com> wrote in
message news:742F5AAE-D467-45EE-8966-8991390B2D3E@microsoft.com...
> You are correct, but what if the Administrator delete the account, which
> you
> have created, because it display all the account name at the time of
> login,
> so victim can see that a new account has beed created, and he will know
> that
> there is some hacking activity is done on his machine.
>
> "Robert Firth" wrote:
>
>> Yes pretty pointless. It allows you to access the computer again later.
>> You
>> already have to have access. I propose a better secury leak. Go to
>> control
>> panel, users profiles. Setup a second administrator account. Bam, you can
>> access the account later. Full access through that account. I have to
>> admit, the magnifier.exe thing is pretty sneaky though. This is only a
>> security threat if your live in a community environment and forget to
>> lock
>> your computer.
>>
>> Physical security is just as important as anything Microsoft can do. If
>> you
>> leave your computer logged in for anyone to use, that is a security
>> threat
>> that you created. The whole point of an administrator account is to have
>> access to everything. That same user that messes with the
>> windows\system32
>> folder could also install a rootkit or spyware on your computer. A
>> physical
>> person can easily bypass all the UAC prompts, do whatever they please.
>> Heck,
>> they could plug in a USB key and copy all your private data straight to
>> it,
>> or delete it.
>>
>> --
>> /* * * * * * * * * * * * * * * * * *
>> * Robert Firth *
>> * Windows Vista x86 RTM *
>> * http://www.WinVistaInfo.org *
>> * * * * * * * * * * * * * * * * * */
>>
>> <alun@texis.invalid> wrote in message
>> news:B34E9C22-B805-4F95-AEA7-94B15BB3A986@microsoft.com...
>> > "Abhishek Choudhary" <Abhishek Choudhary@discussions.microsoft.com>
>> > wrote
>> > in message news:84B823DA-703D-4A9A-AC36-EA623537E69F@microsoft.com...
>> >> There is a serious bug found in Windows Vista Ultimate, which allow
>> >> the
>> >> user
>> >> to login in to Window Vista System without providing any credential.
>> >> It
>> >> just
>> >> requires the attacker to access the victim system, for the first time.
>> >> To
>> >> gain access to victim system, follow these steps.
>> >>
>> >> 1) Open System32 folder of your windows.
>> >> 2) Copy Cmd.exe, Magnify.exe and paste it in two different locations,
>> >> for
>> >> safety purpose.
>> >> 3) Rename the cmd.exe to Magnify.exe on the backup location.
>> >
>> >
>> > And ... what access rights do you need to have to the system for step
>> > 4,
>> > which writes to the system32 directory?
>> >
>> >> 4) Copy & paste the renamed cmd.exe to system32 folder, this asks for
>> >> replacing the Magnify.exe, just continue with replacing.
>> >
>> > Oh, yes, that's right, it requires you have administrator access to
>> > write
>> > to that directory.
>> >
>> > So, if you're an administrator, you can hack the machine so that you
>> > don't
>> > have to log on.
>> >
>> > Brilliant.
>> >
>> > I can do that with a couple of registry entries.
>> >
>> > Alun.
>> > ~~~~
>> > --
>> > Texas Imperial Software | Web: http://www.wftpd.com/
>> > 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
>> > Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
>> > Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD
>> > Explorer.
>> >
>> >
>>
>>