Not only is it still possible, there's even a supported first-party tool to do so, https://learn.microsoft.com/en-us/microsoft-desktop-optimiza... This only works for local accounts, though similarly trivial techniques apply to Active Directory accounts if you have "live CD" access to a domain controller. Just to be clear, in neither case is this a security vulnerability; under the "live CD" assumption — specifically, that you're able to make even a single arbitrary registry edit — there are far simpler ways to completely bypass Windows security that require neither tools nor understanding of the (AFAIK undocumented) HKEY_LOCAL_MACHINE\SAM registry hive. For example, make the registry edit given by the

    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\sethc.exe"
    /v Debugger /d C:\Windows\System32\cmd.exe /f

command (without line breaks). Then, at any login, lock, or "Ctrl+Alt+Delete" screen, pressing the Shift key five times pops up a shell running as NT AUTHORITY\SYSTEM [1]. This has immediate effect — you don't even need to reboot or log out.

[1] https://learn.microsoft.com/en-us/windows/win32/services/loc...
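As an added example (not part of the comment above, and not a Microsoft tool), the following script shows the defender's side of the same registry key: it parses the text produced by `reg export` for the Image File Execution Options key and reports every image subkey that carries a Debugger value, treating a Debugger on sethc.exe as the exact edit the comment describes. The .reg sample embedded in the script is constructed for the demonstration; a live check on a host would query the same HKLM key instead of an exported file.

```python
"""Offline triage of an exported IFEO registry key for Debugger hijacks.

Added example, not from the original comment. Input is the text format that
`reg export` writes (a .reg file, assumed already decoded to str); output is a
list of image subkeys whose Debugger value redirects execution elsewhere.
"""
import re

# Prefix of every per-image subkey under Image File Execution Options.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Constructed sample export: one benign mitigation entry and one sethc.exe hijack
# matching the `reg add` command discussed above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data  or  @=data  (the default value); data is left raw here.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg text.

    Continuation lines of multi-line hex values do not match _VALUE_RE and are
    skipped; only the first line of such a value is recorded, which is enough
    because Debugger is a REG_SZ and fits on one line.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = m.group(2)
    return keys


def decode_reg_string(raw):
    """Decode a quoted REG_SZ literal from a .reg file; None for other types."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg escapes a quote as \" and a backslash as \\ ; undo in that order.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


def find_ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_command)] for IFEO image subkeys with a Debugger value."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):]
        if "\\" in image:
            # Nested subkeys (e.g. image.exe\PerfOptions) are not image entries.
            continue
        for name, raw in values.items():
            if name.lower() == "debugger":
                findings.append((image, decode_reg_string(raw) or raw))
    return findings


def triage(reg_text):
    """Label each finding: sethc.exe is the case described in the comment, so it
    is marked CRITICAL; any other Debugger value is flagged for review."""
    report = []
    for image, debugger in find_ifeo_debuggers(reg_text):
        severity = "CRITICAL" if image.lower() == "sethc.exe" else "REVIEW"
        report.append({"image": image, "debugger": debugger, "severity": severity})
    return report


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_EXPORT):
        print(f"[{f['severity']}] {f['image']} -> Debugger = {f['debugger']}")
```

Because the author notes the edit takes effect without a reboot, a one-off scan is only a snapshot; the same logic is more useful fed from a periodic export or from registry-modification telemetry scoped to this key.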