Cracking into Windows with System Recovery – and no warning from Redmond

There was an interesting press meeting here in Finland today. Mr. Kimmo Rousku presented the Command Prompt feature of Vista’s System Recovery – i.e. how to break into a Vista/XP/2003 computer using only Vista installation media and the System Recovery option.

This is a short version of the summary on Mr. Rousku’s web page:

This security problem exists because the Windows Vista Repair Computer / System Recovery program allows a command prompt to be opened without any user authentication, running with the highest possible privileges (system level).

Cracking Windows operating systems has previously been possible using cracking software found on various web pages. This is the first time that cracking a Windows operating system is really easy and needs no deeper technical knowledge.

The report shows in detail how the Takeown and Icacls commands can also be used to take ownership of ACL-protected files or folders.

Mr. Kimmo Bergius, Chief Security Advisor of Microsoft Finland, confirmed today at the press meeting mentioned above that no update is coming. Additionally, Mr. Bergius states that there is documentation advising the use of HD encryption and a BIOS password, BUT this documentation doesn’t mention this security problem in any way.

Yes, this is not the first time this problem has been disclosed. But where is the missing KB document, the instructions about boot order, and the explanation of the benefit of encryption when switching to Vista?

The most important part comes here.

* How to protect:

1. Change the BIOS boot order to disable booting from any media other than the hard disk
2. Then set a BIOS password to prevent bad guys from changing this setting
3. Encrypt files with EFS
4. When using laptops, you have no reason not to use HD encryption!
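
The BIOS settings in steps 1 and 2 cannot be verified from inside the operating system, but steps 3 and 4 can. The following PowerShell script is an added audit example, not code from Mr. Rousku’s report or from Microsoft: it lists files under given folders that lack the EFS Encrypted attribute (i.e. files that an unauthenticated recovery command prompt could read or take ownership of) and reports the BitLocker protection status of the system drive. It assumes an elevated PowerShell session on Vista or later, that manage-bde.exe is present (BitLocker-capable editions only), and the default folder list is an assumption you should replace with your own sensitive paths.

```powershell
# Added audit script (not from the original post): checks which host-side
# mitigations are in place. BIOS boot order and BIOS password are out of
# scope because they are not visible from inside the OS.
# Assumptions: elevated PowerShell on Windows Vista or later; manage-bde.exe
# available on BitLocker-capable editions; $SensitivePaths is a placeholder.

param(
    # Folders whose files are expected to be EFS-encrypted (assumed default)
    [string[]]$SensitivePaths = @("$env:USERPROFILE\Documents"),
    [string]$SystemDrive = $env:SystemDrive
)

function Test-EfsEncrypted {
    param([string]$Path)
    # EFS marks an encrypted file with the Encrypted attribute; this is the
    # same information that "cipher /c" reports.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    return (($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-UnencryptedFiles {
    param([string]$Root)
    # Every plain (non-EFS) file under $Root. These are exactly the files an
    # offline command prompt with takeown/icacls could read regardless of ACLs.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) }
}

function Get-BitLockerProtectionStatus {
    param([string]$Drive)
    # "manage-bde -status <drive>" prints a "Protection Status:" line.
    try {
        $output = & manage-bde.exe -status $Drive 2>&1
    } catch {
        return 'Unknown (manage-bde.exe not available)'
    }
    foreach ($line in $output) {
        if ("$line" -match 'Protection Status:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown (volume not BitLocker-capable or status not reported)'
}

$status = Get-BitLockerProtectionStatus -Drive $SystemDrive
Write-Host ("System drive {0}: BitLocker protection = {1}" -f $SystemDrive, $status)

foreach ($root in $SensitivePaths) {
    $plain = @(Get-UnencryptedFiles -Root $root)
    if ($plain.Count -eq 0) {
        Write-Host "OK      $root : all files carry the EFS Encrypted attribute"
    } else {
        Write-Host "WARNING $root : $($plain.Count) file(s) readable offline without EFS"
        $plain | Select-Object -First 10 | ForEach-Object { Write-Host "        $($_.FullName)" }
    }
}
```

Save it under a name of your choosing (for instance Audit-OfflineProtections.ps1, a hypothetical file name) and run it as `.\Audit-OfflineProtections.ps1 -SensitivePaths 'D:\Finance','C:\Users\alice\Documents'`. A WARNING line means the listed files rely on NTFS ACLs alone, which, as the report shows, Takeown and Icacls from the recovery command prompt can simply override; only EFS or full-disk encryption changes that.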

Mr. Rousku is a well-known non-fiction writer. He works as CIO of the Finnish National Research and Development Centre for Welfare and Health (aka Stakes).

Update: Pictures from the press meeting:

Mr. Rousku
Mr. Bergius
A screenshot of System Recovery / Command Prompt menu

  • Moike

    One important additional step has been omitted:

    5. Use SysKey Level 2 or 3 boot protection.

    Without step 5, recovering the Windows login from the LSA via rainbow tables is straightforward. That would subsequently lead to complete access to all EFS files.

  • daMage

    The news value of this is null!

    If the attacker has physical access, any computer with non-encrypted hard drives is vulnerable! If booting from CD is disabled in the BIOS and the BIOS is protected with a password, one could:
    a) reset the BIOS (jumper settings etc.)
    b) remove the HD and set it as a secondary HD on another machine..
    This has been (and still is) possible with any operating system…

  • Hoh

    Why did this even become news?
    This is valid on almost every OS. Ever heard of booting *nix into single user mode?
    For Moike: that SysKey stuff would be useful only on your own box; if you have multiple boxes to administer, especially in a remote location – not good.
    Also, using Vbootkit and TPMkit the issue becomes more interesting than some copy of a 20-30 year old method “found” on Vista now.

  • bongoman

    haha lol yeah fresh stuff. great job juha-matti

  • Freshe Bakked

    Is Kimmo Rousku the new Paris Hilton? It appears that either Kimmo Rousku or SecuriTeam (that name even sounds like a comic book team – “SecuriTeam Powers ACTIVATE!” – let’s just hope that they all don’t run around in blue & purple leotards!) just love to see their names in print – how many times have they trumpeted their “discovery” of something that has been a part of the Windows OS since Windows 2000 & XP? Does the name “BartPE” mean anything?

    Maybe I should claim that I am the discoverer of a force in my office that causes my hair to move on its own and causes the papers on my desk to move as well – I’ll call it “Air”