This only works for local accounts, though similarly trivial techniques apply to Active Directory accounts if you have "live CD" access to a domain controller.
Just to be clear, in neither case is this a security vulnerability; under the "live CD" assumption — specifically, that you're able to make even a single arbitrary registry edit — there are far simpler ways to completely bypass Windows security that require neither tools nor understanding of the (AFAIK undocumented) HKEY_LOCAL_MACHINE\SAM registry hive.
https://learn.microsoft.com/en-us/microsoft-desktop-optimiza...
For example, make the registry edit given by the
command (without line breaks). Then, at any login, lock, or "Ctrl+Alt+Delete" screen, pressing the Shift key five times pops up a shell running as NT AUTHORITY\SYSTEM [1].
This has immediate effect — you don't even need to reboot or log out.
[1] https://learn.microsoft.com/en-us/windows/win32/services/loc...