Windows – How to prevent the sethc.exe hack

Tags: security, system-repair-disc, windows, windows 7

There is an exploit that allows users to reset the Administrator password on Windows. It is done by booting from a repair disk, starting command prompt, and replacing C:\Windows\System32\sethc.exe with C:\Windows\System32\cmd.exe.

When the sticky key combination is pressed at the logon screen, users get access to a command prompt with Administrator privileges.

This is a huge security hole; it makes the OS vulnerable to anyone with even the slightest IT knowledge. It almost makes you want to switch to Mac or Linux. How can it be prevented?

Best Answer

In order to prevent an attacker from booting from a repair disk and using that to gain access to your system, there are several steps you should take. In order of importance:

  • Use your BIOS/UEFI settings to prevent booting from removable media, or require a password to boot from external media. The procedure for this varies from motherboard to motherboard.
  • Lock up your tower. There is usually a way to reset BIOS/UEFI settings (including passwords) if an attacker gains physical access to the motherboard, so you'll want to prevent this. How far you go depends on factors such as the importance of the data you're protecting, how dedicated your attackers are, the sort of physical security leading up to your workstation (e.g. is it in an office that only co-workers can access or is it in an isolated area open to the public), and how much time a typical attacker will have to break your physical security without being seen.
  • Use some sort of disk encryption such as BitLocker or TrueCrypt. While this won't stop a dedicated attacker from reformatting your system if they can get physical access and reset your BIOS password, it will stop nearly anyone from gaining access to your system (assuming you guard your keys well and your attacker doesn't have access to any backdoors).
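An added check for administrators, not part of the question or the answer above: the swap described in the question leaves sethc.exe byte-identical to cmd.exe, so a hash comparison of the two files detects it directly, and the file description and Authenticode signature give two further indicators. The last step reports BitLocker status for the system drive, which is the answer's third recommendation. The script assumes Windows PowerShell 4.0 or later for Get-FileHash (Windows 7 needs the Windows Management Framework 4.0 update for that cmdlet) and an elevated prompt.

```powershell
# Added example (not from the original post): detect a replaced sethc.exe and
# report BitLocker status. Run from an elevated Windows PowerShell prompt.

$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$cmd      = Join-Path $system32 'cmd.exe'

# 1. The attack replaces sethc.exe with a copy of cmd.exe, so identical SHA-256
#    hashes are a direct indicator that the swap has taken place.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    Write-Warning 'sethc.exe is byte-identical to cmd.exe: the accessibility binary has been replaced.'
} else {
    Write-Output 'sethc.exe differs from cmd.exe (expected).'
}

# 2. Version resource: cmd.exe describes itself as "Windows Command Processor".
#    That string appearing on sethc.exe is a second indicator of the swap.
$desc = (Get-Item -Path $sethc).VersionInfo.FileDescription
Write-Output ("sethc.exe FileDescription: {0}" -f $desc)
if ($desc -like '*Command Processor*') {
    Write-Warning "sethc.exe carries cmd.exe's file description."
}

# 3. Authenticode signature. Both binaries ship signed by Microsoft, so this check
#    catches a modified or third-party replacement but not a straight copy of
#    cmd.exe, which is why the hash comparison above is needed as well.
$sig = Get-AuthenticodeSignature -FilePath $sethc
Write-Output ("sethc.exe signature status: {0}" -f $sig.Status)
if ($sig.Status -ne 'Valid') {
    Write-Warning 'sethc.exe does not carry a valid signature.'
}

# 4. Disk encryption status (the answer's third recommendation). manage-bde.exe
#    ships with Windows 7 and later; "Protection On" means BitLocker protects the volume.
$status     = & manage-bde.exe -status $env:SystemDrive 2>&1
$protection = ($status | Select-String -Pattern 'Protection Status').Line
if ($protection) {
    Write-Output ("BitLocker on {0}: {1}" -f $env:SystemDrive, ($protection -replace '\s+', ' ').Trim())
} else {
    Write-Warning 'Could not determine BitLocker status (manage-bde output not recognised).'
}
```

The hash comparison is the decisive check; the description and signature checks are there because a defender who only looks at one of them can be fooled (a renamed copy of cmd.exe is still validly signed). None of these checks helps once an attacker can boot from other media, which is why the answer puts the firmware boot restriction and physical security first.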