At the sign-in screen, select “I have forgotten my password.”
Bypass the lock and enable autoplay of removable drives.
Insert a USB stick with my .exe and a junction folder.
Run the executable.
From there, launch Narrator, which will execute a DLL payload planted earlier.
Now a user account called hax is added, with password “hax” and membership in Administrators. To update the list of accounts to log into, click “I forgot my password” and then return to the main screen.
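The end state of these steps, a new local account that lands in Administrators right after creation, is visible in the Windows Security log as event 4720 (account created) followed by event 4732 (member added to a local group). The following is an added detection example, not code from the original post; the exported record layout, the five-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
WINDOW = timedelta(minutes=5)        # assumed correlation window, tune per environment

# Constructed sample records shaped like exported Security-log events.
# In 4720, TargetSid is the new account; in 4732, TargetSid is the group
# and MemberSid is the account that was added to it.
EVENTS = [
    {"EventID": 4720, "Time": "2021-01-09T08:00:00", "TargetUserName": "alice",
     "TargetSid": "S-1-5-21-1111-2222-3333-1004"},
    {"EventID": 4720, "Time": "2021-01-10T10:00:02", "TargetUserName": "hax",
     "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4732, "Time": "2021-01-10T10:00:03", "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
    {"EventID": 4720, "Time": "2021-01-10T11:00:00", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1006"},
    {"EventID": 4732, "Time": "2021-01-10T11:00:05", "TargetSid": "S-1-5-32-545",
     "MemberSid": "S-1-5-21-1111-2222-3333-1006"},  # Users group, not Administrators
    {"EventID": 4732, "Time": "2021-01-10T12:00:00", "TargetSid": ADMINISTRATORS_SID,
     "MemberSid": "S-1-5-21-1111-2222-3333-1004"},  # promoted a day after creation
]


def find_fast_admin_accounts(events, window=WINDOW):
    """Return accounts added to Administrators within `window` of their creation."""
    created = {}  # account SID -> (name, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (ev["TargetUserName"], when)
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            match = created.get(ev["MemberSid"])
            if match and when - match[1] <= window:
                hits.append({
                    "account": match[0],
                    "sid": ev["MemberSid"],
                    "delay_s": (when - match[1]).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_fast_admin_accounts(EVENTS):
        print(f"ALERT: {hit['account']} ({hit['sid']}) became a local admin "
              f"{hit['delay_s']:.0f}s after creation")
```

Both event types are only written when account-management auditing is enabled on the host.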
First, we select the “I have forgotten my password/PIN” option. This option launches an additional session, with an account that gets created/deleted as needed; the user profile service calls it a default-account. It will have the first available name of defaultuser1, defaultuser100000, defaultuser100001, etc.