TL;DR
- Manipulate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\magnifier – StartExe to run other binary when pressing WinKey and plus to zoom.
- Can load binary from Webdav and also start webbrowser and browse to desired link
- Runs command as system during UAC prompt and logon screen
I have thought a while about this blogpost and finally had some time to write it down. This blogpost covers old news and it is already explained, but I wanted this on my blog since I use the blog as an archive, so nothing new and exciting in this post.
A while back I did some digging around the Assistive Technology (ATs). ATs are things like magnifier, sticky keys and more. All of these are registered in registry under the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
This topic has already had some research around it before by @hexacorn here.
One interesting thing about these ATs is that they run in the Secure Desktop as well. For instance when you are at the logon screen or the UAC prompt you can press Winkey and the plus key to start the magnifier, or you can press Winkey, CTRL and Enter to start the Narrator. These processes will then start as the SYSTEM account.
Okay, so how do we change this so that for instance the magnifier launches something else instead? That is pretty straight forward as explained in @hexacorn’s blog mentioned above. You just go into the correct registry path and change the StartExe Reg_Expand_SZ to something else.
(Note: that in order for you to change this key you need to take ownership and set the correct ACL. To do this with commands I would use Powershell.)
There is one thing that is a problem, and that is that you cannot have a command with arguments since it does not allow space. For instance “ping 127.0.0.1” or “rundll32 dllfile.dll” would not work. I also tried to create a custom variable and call that from StartExe, but still it would not allow spaces.
This is how it looks like before and after the change:
Everytime you now press winkey and plus key you will start a cmd process. The cool thing is that if you now go to the logon screen and press the keys it will spawn a cmd as SYSTEM (explained here). Also if you try to elevate and you trigger the UAC prompt you can now press the keys to start a cmd as SYSTEM.
A quick gif showing it here:
This is perfect if you want to “hide” a way to escalate privileges, after you have added these keys a normal user can do this as well. This can also be useful if you want to run something as system and need a quick way to spawn a system shell (maybe to stop a service or something).
This technique will also probably work over RDP (if NLA is turned off) at the logon screen.
Another interesting thing I noticed while digging into this is that it allows to load files from Webdav and HTTP as well.
As you understand by reading this you must already have local admin rights to manipulate on the ATs registry keys, so this is not a technique for gaining more access, but a way to manipulate the system.
Oddvar Moe's Blog 
4 thoughts on “Another way to get to a system shell – Assistive Technology”