Bypassing The Windows Lock Screen

Screensaver Hack

Most of us know that we should lock our computers when we step away from them. This will prevent any unauthorized users from gaining access to our files. Most companies have some sort of policy in regards to this, and many even automatically lock the screen after a set amount of time with no activity. In some cases, the computers are configured to lock and display a screen saver. In these cases, it may be possible for a local attacker to bypass the lock screen.

[Adrian] explains that the screen saver is configured via a registry key. The key contains the path to a .scr file, which will be played by the Adobe Flash Player when the screen saver is activated. When the victim locks their screen and steps away from the computer, an attacker can swoop in and defeat the lock screen with a few mouse clicks.

First the attacker will right-click anywhere on the screen. This opens a small menu. The attacker can then choose the “Global settings” menu option. From there, the attacker will click on “Advanced – Trusted Location Settings – Add – Add File”. This opens up the standard windows “Open” dialog that allows you to choose a file. All that is required at this point is to right-click on any folder and choose “Open in a new window”. This causes the folder to be opened in a normal Windows Explorer window, and from there it’s game over. This window can be used to open files and execute programs, all while the screen is still locked.

[Adrian] explains that the only remediation method he knows of is to modify the code in the .swf file to disable the right-click menu. The only other option is to completely disable the flash screen saver. This may be the safest option since the screen saver is most likely unnecessary.

Update: Thanks [Ryan] for pointing out some mistakes in our post. This exploit specifically targets screensavers that are flash-based, compiled into a .exe file, and then renamed with the .scr extension. The OP mentions these are most often used in corporate environments. The exploit doesn’t exist in the stock screensaver.

87 thoughts on “Bypassing The Windows Lock Screen

  1. No idea why you’d be using Flash for this. Not tried it in more recent Windows, but if you set the screensaver to cmd or even explorer on Windows XP it will run them as the inbuilt (slight different to normal Administrator) administrator account and you have full control.

    1. 1) why would one run cmd.exe or explorer.exe as a screen saver?
      2) To play with registry one needs administrator right at first.
      3) In interprises policies are enforced by the active directory service server and updated at regular interval. If someone get admin right to a workstation and change de policies locally these changes will be overwritten by the ADS server.

      1. You don’t need administrative rights to pull this off, if you know the screen saver they are using and where it is located on the local drive, you rename it, create a shortcut from there using the original name pointing to cmd, thus no need for reg edit.

        I used to do this on my old High School computers because they had ridiculous policies for PCs that were “wiped” daily.

        Now it is easier to accomplish this with a Linux boot disk, but if you are going that far might as well just get backtrack or kali..

      2. Where I work machines don’t have admin access unless you actually need it, and even then it’s not complete. I have a coworker who can’t run some of the apps he needs to do his job, but can edit the registry. Lol, corporate IT.

      1. No they don’t. The backlight can get defective in that case you get no display at all. Some pixels can get defunct because the driving transistor of that pixel can defect. But no Liquid Crystal doesn’t burn, you can let still image on screen for days and the screen won’t get marked as it is the case with CRT. For the Liquid Crystal to “burn” it would need a chemical alteration of the molecules. Heat can do it, don’t leave your laptop under the sun, heat not light may damage the Liquid Crystal. In normal usage heat is not a problem, neither fixed images.

        1. Tell that the hotel I stayed in a few months ago. When I entered my room, the tv was on displaying a “No Input Signal” box in the center. When I switched to a proper channel, you could still see the outline of the box and the text.

        2. A liquid crystal may not burn in, but an LCD certainly can. We saw it on the LCD screen we were using for the UI in a device I was working on a few jobs ago (about 2012). As I recall it was actually certain areas in one of the layers in the LCD screen sandwich that was discoloring due to the constant light shining on those areas. At the time our firmware kept the backlight turned on constantly. Our fix was to turn the backlight on only when the user was interacting with the UI.

        3. LCDs can and do burn in. Monitors intended to be used as digital signage come with tools built-in to prevent it (rolling bars, pixel shifts, etc).

          Check out the manual for any Samsung commercial monitor. There’s a section at the end that explains how burn-in happens in an LCD and how to avoid it.

        4. I’ve physically seen an LCD that had burn in. It was a friend’s 2004 iMac G5 with the menu bar burnt in, which was clearly visible during full screen games (Ferazel’s Wand, anyone?).

        5. We have some screens in the office which show almost all the time the same image already for years. One time we changed it, but then the old image was still visible over the new image..

    1. fully agreed even with “modern” CRTs (90’s onwards) this wasn’t a problem. must’ve been somewhere around ’87 since I saw burned in letters on a screen last time.

      1. My mother’s Samsung Galaxy S1 has burned in letters and shapes from playing a single game over and over (for more than 5 years, 2hrs a day). U can see it clearly when you’re on the home-screen.

      2. Because after 87 everone where using screen savers. The phosphorus dots on the faceplace of CRT haven’t changed and the bombardement of these phosphorus dots by high speed electrons (25-30Kvolt at the anode of CRT) damage them at length. If some of those are bombarbed more intensely than others like in the case with fixed images they will wear out faster so the marking.

    2. I have seen several TFT displays that were running applications 24/7 over years and you could clearly see the static UI parts remain visibile (at least blurred contours) when you minimized the window…
      So maybe they don’t “burn in” but something similar.

      1. “supports Flash screensavers” != “Uses a Flash screensavers by default”

        The system would need an insecure (non-disabled right-click menus) flash Screensaver set up.

  2. This article has me confused. First, the extension is .SCR, not .SRC, and screensavers are just executable files renamed from .EXE to .SCR. Not sure where Flash is coming in here.

  3. Umm, maybe in some obscure backwater environment some poor windows administrator somewhere was told to play a flash movie as a screensaver, but in 99.9% of windows environments this wouldn’t ever be the case.
    Incidentally, if in Windows 95 or 98 you were in an environment where you could bypass the password prompt by pressing ctrl-alt-del it meant whoever setup that system had manually migrated 16 bit (i.e. Windows 3.1) screensavers over. Something specifically discouraged, it took active work by someone to make that happen. 32 bit screensavers were exempt from the Windows 9X task manager.

  4. 1.) Who uses a screen saver over built in power management?
    2.) Who uses flashplayer as a screen saver?
    3.) What person thinks a screen saver password prompt is a lock screen?
    4.) What misguided fool thinks without full disk encryption, a TPM, and a powered off computer, that you have any secuirty against someone with PHYSICAL ACCESS to the machine?

    Also, wordpress login no good for commenting or..?

    1. “4.) What misguided fool thinks without full disk encryption, a TPM, and a powered off computer, that you have any secuirty against someone with PHYSICAL ACCESS to the machine?”

      once physical access is there pretty much all bets are off.

    1. There are companies that invested a lot of money in them back when flash was “the thing” Flying logos and intricate product models and all that lot. flash consultants who make as much as lawyers, strolling in and out at all hours, smelling of fine weed. But check out the flying logo! There was a point where it was all the rage.

  5. why not just add the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe” /v “Debugger” /t REG_SZ /d “C:\windows\system32\cmd.exe” /f and pressing CTRL-SHIFT ENTER when you are at the lock screen, you will get a cmd box with system privileges.

      1. I have God-like knowledge of Windows (IT Pro, 20+ years) and I didn’t know about this – Thanks! Proves you learn something new everyday. That said, the LOCAL_MACHINE part of the registry is typically read only for non-admins, so I think you’d need to have gained elevated access already before applying this.

    1. My favorite variation of this is to boot to a flash disk and swap sethc.exe with cmd.exe. Reboot and smash the shift key a few times and you get a system command prompt! Also no admin required to set the registry key, although you do need physical access and removable media needs to be set to bootable.

    2. Easier way to get command prompt with SYTEM privileges would be to grab a copy of PsExec from the Technet website and run “psexec -side cmd.exe”. No playing around with the registry, and nothing left behind after you do it. Plus the code is all Microsoft-signed. There is also a switch that would let you do it on a remote system as well (If you have admin rights on that system or know that systems’ admin password).

  6. “Some computers, mostly in corporate environments, are configured to play a flash animation as screensaver while the computer is locked.”

    From what planet does the OP come from – ZERO companies that I know use anything but the standard Windows Lock screen (i.e. windows key + L) and right click does zlich on that screen. Maybe those wacky russians should buy a new legitimate copy of windows some day and see what the rest of the world (except China/India/Russia) is using.

    1. you’re lucky enough to not have worked in such a place, they do indeed exist. generally it’s someplace that is getting along just fine with the their 10 year old windows xp systems. many companies don’t “do” computers, they really don’t know or care about registry keys or any of that lot, they sit down in the morning and they have their spreadsheet and their email and their browser and that’s all they need. the computers stagnate for decades without even software updates. it’s more common than you think.

    2. And on what planet are you where the entire western world is so stupid as to pay for the pain the beta software called windows causes?

      But yeah, who the hell uses flash for screensaver, it is an open question.

  7. Huh, is this crap infosec-a-day? Not only is the subject lame, the write up was terrible. This is something I’d expect to see on slashdot.

    Really hackaday, you’re better than this.

  8. I can’t say I’ve ever seen or used a Flash-based screensaver. Lacking one to test with, I used a Flash-based game. Right clicked. Small menu appears, with “Global Settings”, which I clicked. But it merely opens a web page in the default browser, that says:

    “Beginning with Flash Player 10.3, the Local Settings Manager supersedes this Online Settings Manager for managing global settings on Windows, Mac, and Linux computers. The Local Settings Manager can be accessed in the Control Panel on Windows and in System Preferences on Mac.

    If the Flash player was running as a screensaver, the browser instance would presumably appear underneath the topmost screensaver window and not receive input focus, so clicking “Global Settings” would likely have no immediate effect… leaving only an extra browser tab as a clue to the computer owner when they return, that someone had attempted to tamper with it.

    My Flash version is 16.0. So it looks like for this to be a usable vulnerability, the target would not only have to be running a Flash screensaver, but also disallowed Flash to update itself for many years!

    1. A Flash screensaver would be a Windows Projector file, which is an exe file where the flash player is included, no browser involved. I just created such a projector file with Adober Flash CS6, and it is possible to right click and open the windows file explorer as described.

      To the author of the article: screensavers are *.scr, not *.src files and of course, usually they are not Flash animations or Flash projector files, and not played by the Adobe Flash player.

  9. I think the article text should be updated to denote that this only affects flash-based screensavers and not screensavers in general, as the article would have you believe.

    1. QUOTE: ‘[Adrian] explains that the screen saver is configured via a registry key. The key contains the path to a .src file, which will be played by the Adobe Flash Player when the screen saver is activated’
      the screensaver will be played by Adobe Flash, only if the screensaver is flash-based…

  10. Just replace the program that loads upon the shift lock accessibility shortcut with the command prompt and when they log, you come along press shift a few times, type explorer and hit enter.
    If the administrator locked off access to the root directory /windows /program files extra, just remember they usually leave creating a shortcut to that location as a simple backdoor.

    1. You need access first, but people lock their system with screensavers it seems.

      Personally I use another method and switch off blanking so my monitor goes in standby. Pointless to have a monitor on when you aren’t there. Sorry for not doing my bit in destroying the atmosphere though, I’m selfish that way.

    1. You can have really good hardware design, that is fairly secure … all broken because of bad software implementation. (you can’t have one without the other, and security of both is vital …which is why you find both on hackaday)

    1. You press WIN+L to lock the computer (or it gets locked after a certain amount of time).
      But, once, that is done … you will get the screen telling you to press CTRL+ALT+DEL to log back in.
      This hack it saying (when the screensaver is active) that you don’t even need to unlock thje computer, to access files, etc (if a flash-based screensaver is used)

  11. Since when did HAD turn into Slashdot? Seriously this is a horrible article and an even more sensationalist headline.

    “Poorly configuring your system leads to exploits – news at 11!”

  12. I’ve never left a comment here before, but today is the day that I leave this site. Flash does not run your screensaver, and a .scr does not open in adobe flash. That’s absolutely preposterous

    A .scr is a renamed .exe, and the screensaver is as secure as the .exe is. This exploit is specific to a .exe compilation of a .swf which hasn’t had the right click menu disabled or altered. That’s pretty specific and these generalizations that Windows relies on Adobe Flash, on a system that doesn’t come with it preinstalled, to run screensavers makes me really sad.

    Goodbye Hackaday, I’m really disappointed in you.

  13. Came here to say this – there are certainly a number of new ‘writers’ posting HaD articles that need to seriously go. Disappear.
    You’re one of them Rick.
    This is the suckiest article I have EVER read and I’ve been coming here for many years.
    Just go. Pack up your stuff and go.
    70+ criticism comments and counting.
    Srsly.

  14. 1) possible to set a flash file as screensaver?
    ONLY IN THE NEWEST AND BROKENEST WINDOWS !!!
    (insert win7 calc rant here)

    2) anybody dumb enough to SABATOGE theyr company with such poisn
    (flash screensaver? srsly?) is a crazy loose-cannon and should be fired
    (no pun intended) with-cause and sued for rekless something-or-other

    3) winXP does not include such garbage and will probably end up being the longest-lived operating system next to D.O.S.

    4) made a screensaver that launches the real (default) screensaver but allows a secret-click to launch (something), but the results werent as fun or noteworthy as hoped… maybe this was because the program it tried to open was a GUI program, hmm… now i need to see if a hidden program can be launched instead, might be fun

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.