Installing simple backdoor on local Windows PC

Joined: 2015/07/17

I notice quite often people tend to overcomplicate tasks in order to achieve their goals once they get in the mindset of having to get around advanced security protections. In this post I intend to outline a really simple way of setting up a Windows backdoor on a local machine. This assumes that you have physical access to the machine and are not concerned about leaving any trails or modifying system files.

As RaT has pointed out below, a machine using full disk encryption will prevent this method.

I can confirm that this method works on Windows 7 and Windows 8, and probably on previous versions if they support accessibility options from the login screen.

Things needed:
- A USB or CD with an OS you can live boot into
- Physical access to the target machine

1. Turn off the machine so that it will accommodate booting from a USB/CD. With Windows 8 machines fast boot may need to be disabled; otherwise holding the power button sometimes works for me.
2. Boot into your preferred distro and mount the Windows disk.
3. Navigate to where you have mounted the Windows disk and then navigate to /Windows/System32/.
4. Find and rename narrator.exe to narrator2.exe, or if you have no intention of restoring the computer, simply delete the file.
5. Make a copy of cmd.exe and rename it to narrator.exe.
6. Reboot the PC, booting into Windows.
7. On the login screen (for this example I'm using Windows 7) there should be a button that provides accessibility options. Open the options and select the option that provides text to be read out loud (Narrator). Apply and click OK.

What should appear now is a command prompt at the login screen. From there you may change any permissions or passwords as a system-level account using the basic Windows commands. This method has the potential to execute any executable you wish from the login screen simply by moving the program to C:/Windows/System32/ and renaming the file to narrator.exe.

If, after completing your nefarious deeds, you wish to remove the backdoor, delete narrator.exe and rename narrator2.exe back to narrator.exe.

I feel this is quite possibly too easy to mention here and that most people know about this already; however, I have also noticed that this particular method doesn't often come up on these types of sites.
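From the defender's side, the two artifacts this procedure leaves in System32 are easy to audit for: narrator.exe hashing identically to cmd.exe (step 5) and a stray narrator2.exe next to it (step 4). The following is an added example, not code from the post, and the "System32" directories it audits are constructed throwaway folders with fake file contents rather than real binaries.

```python
import hashlib
import os
import tempfile

ACCESSIBILITY_TOOL = "narrator.exe"  # the helper the post swaps out
SHELL = "cmd.exe"                    # what the post swaps in
RENAMED_ORIGINAL = "narrator2.exe"   # leftover when the original is kept for restoring


def sha256_of(path):
    """Hash a file in chunks so large binaries don't need to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system32(system32):
    """Return a list of findings for one System32 directory (empty list means clean)."""
    findings = []
    narrator = os.path.join(system32, ACCESSIBILITY_TOOL)
    shell = os.path.join(system32, SHELL)
    leftover = os.path.join(system32, RENAMED_ORIGINAL)
    # Signal 1: the accessibility helper is a byte-for-byte copy of the shell.
    if os.path.isfile(narrator) and os.path.isfile(shell):
        if sha256_of(narrator) == sha256_of(shell):
            findings.append(f"{ACCESSIBILITY_TOOL} is byte-identical to {SHELL}")
    # Signal 2: the renamed original was left behind for later restoration.
    if os.path.isfile(leftover):
        findings.append(f"unexpected {RENAMED_ORIGINAL} present next to {ACCESSIBILITY_TOOL}")
    return findings


def build_sample_dir(tampered):
    """Constructed sample: a temp folder imitating System32, with placeholder bytes, not real PEs."""
    d = tempfile.mkdtemp()
    shell_bytes = b"MZ placeholder for cmd.exe"
    with open(os.path.join(d, SHELL), "wb") as f:
        f.write(shell_bytes)
    with open(os.path.join(d, ACCESSIBILITY_TOOL), "wb") as f:
        f.write(shell_bytes if tampered else b"MZ placeholder for narrator.exe")
    if tampered:
        with open(os.path.join(d, RENAMED_ORIGINAL), "wb") as f:
            f.write(b"MZ placeholder for narrator.exe")
    return d


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", audit_system32(build_sample_dir(tampered)))
```

On a real host you would call `audit_system32(r"C:\Windows\System32")` from a trusted environment; since the post's machine-level fix is full disk encryption, this check only tells you after the fact whether the swap happened.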