Accessibility Feature Hijack
Attackers replace or redirect accessibility binaries like sethc.exe or utilman.exe so a payload runs from the logon screen with SYSTEM privileges.
Windows ships several accessibility helpers that are reachable directly from the logon screen before any user authenticates: Sticky Keys (sethc.exe, triggered by pressing Shift five times), the Utility Manager (utilman.exe, Win+U), the On-Screen Keyboard (osk.exe), the Magnifier (magnify.exe), and the Narrator (narrator.exe). Because these run as NT AUTHORITY\SYSTEM and can be invoked without credentials, redirecting them yields a pre-authentication SYSTEM backdoor.
There are two classic approaches. The first replaces the on-disk binary in %SystemRoot%\System32 — for example, overwriting sethc.exe with a copy of cmd.exe, so the Sticky Keys shortcut opens a SYSTEM command prompt at the lock screen. The second uses Image File Execution Options to attach a Debugger value to the accessibility executable, achieving the same redirection without altering the original file. Both grant the operator a durable, credential-free foothold.
Replacing a System32 binary requires modifying a file protected by Windows Resource Protection, so attackers typically take ownership and adjust the ACL first; the IFEO variant only needs a registry write.
How it works
The IFEO variant points a Debugger value at the desired payload — often cmd.exe:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
Name: Debugger
Data: C:\Windows\System32\cmd.exe
The binary-replacement variant instead swaps the file on disk:
takeown /f C:\Windows\System32\sethc.exe
copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Targets include sethc.exe, utilman.exe, osk.exe, magnify.exe, narrator.exe, and displayswitch.exe. The load-bearing artifacts are a Debugger value on one of these names, or an accessibility binary whose hash no longer matches the genuine OS file.
Detection & analysis
Static analysis:
- Triage a live or imaged host with Autoruns (Sysinternals): the "Image Hijacks" tab surfaces any Debugger value set on an accessibility executable. Cross-check the on-disk accessibility binaries' hashes against a known-good baseline or the WinSxS store — a sethc.exe whose hash matches cmd.exe is conclusive.
- Offline registry forensics: parse the SOFTWARE hive with RegRipper or Registry Explorer for ...\Image File Execution Options\sethc.exe (and the other accessibility names); the subkey's last-write timestamp dates the change.
- Verify file integrity with an sfc-style comparison or by checking the digital signatures and version metadata of the System32 accessibility binaries.
Dynamic analysis:
- Run the suspected dropper under Procmon to capture either the RegSetValue on an Image File Execution Options\<accessibility>.exe key or the file replacement in System32 (takeown/icacls activity followed by a write to sethc.exe).
- Sysmon Event ID 13 (RegistryEvent, value set) records the IFEO Debugger write; Event ID 11 (FileCreate) captures overwrites of accessibility binaries; Event ID 1 (ProcessCreate) flags winlogon.exe spawning cmd.exe or another shell at the logon screen.
Detection rule hint:
Alert on any Debugger value written under ...\Image File Execution Options\ for sethc.exe, utilman.exe, osk.exe, magnify.exe, narrator.exe, or displayswitch.exe, and on any file modification of those binaries in System32. A high-fidelity runtime signal is winlogon.exe as the parent of cmd.exe or another interactive shell.
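As an added example (not part of the original page), the Sysmon signals and the detection rule above expressed as Python over Sysmon-style event records: it flags an IFEO Debugger write on one of the six accessibility names, a write to one of those binaries in System32, and winlogon.exe spawning an interactive shell. Field names (EventID, TargetObject, TargetFilename, Image, ParentImage) follow Sysmon's event schema; the sample records are constructed, and the shell list is an assumption.

```python
import re
from typing import Optional

# Accessibility executables reachable from the Windows logon screen.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                          "narrator.exe", "displayswitch.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumed set of interactive shells
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)

def _basename(path: str) -> str:  # lower-cased file name of a Windows path
    return path.rsplit("\\", 1)[-1].lower()

def classify_sysmon_event(evt: dict) -> Optional[str]:
    """Return an alert string for one Sysmon event, or None if it is benign."""
    eid = evt.get("EventID")
    if eid == 13:  # RegistryEvent (value set): IFEO Debugger on an accessibility name
        m = IFEO_DEBUGGER.search(evt.get("TargetObject", ""))
        if m and m.group(1).lower() in ACCESSIBILITY_BINARIES:
            return f"IFEO Debugger set on {m.group(1).lower()}"
    elif eid == 11:  # FileCreate, which also fires when an existing file is overwritten
        fname = evt.get("TargetFilename", "")
        if "\\system32\\" in fname.lower() and _basename(fname) in ACCESSIBILITY_BINARIES:
            return f"accessibility binary written: {_basename(fname)}"
    elif eid == 1:  # ProcessCreate: a shell parented by winlogon.exe
        parent, child = _basename(evt.get("ParentImage", "")), _basename(evt.get("Image", ""))
        if parent == "winlogon.exe" and child in SHELLS:
            return f"winlogon.exe spawned {child}"
    return None

def scan(events):
    """(RecordId, alert) pairs for every event that matches a rule, in log order."""
    return [(e.get("RecordId"), a) for e in events if (a := classify_sysmon_event(e))]

# Constructed sample records (not from a real host); field names follow Sysmon's schema.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13, "TargetObject": IFEO + r"\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 2, "EventID": 13, "TargetObject": IFEO + r"\notepad.exe\Debugger"},
    {"RecordId": 3, "EventID": 11, "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"RecordId": 4, "EventID": 11, "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"RecordId": 5, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for record_id, alert in scan(SAMPLE_EVENTS):
        print(record_id, alert)
```

Records 2, 4 and 6 are deliberate non-matches (an IFEO entry for a non-accessibility name, an unrelated file write, a shell with a normal parent) so the three rules can be checked for false positives as well as hits.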