
New (but Old) Technique Hijacks User Sessions on All Windows Versions



Hijacking a session via Task Manager


A security researcher has detailed a way to log into any account on the same computer, even without knowing its password. The trick works on all Windows versions, doesn’t require special privileges, and the researcher can’t figure out whether it’s a Windows feature or a security flaw.


The researcher, Alexander Korznikov, calls the attack a “privilege escalation and session hijacking.” The attack can be performed using physical access to the device, but also via an RDP session on a hacked machine, escalating the attacker’s access to other (higher-privileged) accounts.

Attackers can hijack active user/RDP sessions

The general idea behind the attack is that any user, regardless of role, can use CLI commands built into all Windows versions to escalate their access and switch to any other active user session on the PC.


The targeted account must be logged in on the same machine; otherwise the attack won't work.

In normal conditions, this would imply the attacker having to know the account’s password. But not in Korznikov’s attack.


The attacker, from his own account, can execute some cmd.exe commands and then select the active user session he wants to log into, no password required. This attack works with local user sessions, but also with RDP sessions.

Attacks are trivial to execute

The whole attack takes about one minute to perform and doesn’t include many steps, meaning it’s easy to memorize.

Below are three videos demoing the attacks. The first shows how to take over a Windows 7 user session via the Task Manager & cmd.exe, the second only via cmd.exe, while the third shows the hijacking of a Windows Server 2012 account via service creation.

Windows 7 via Task Manager:


Windows 7 via command line:


Windows 2012 R2 via service creation:



Below is an example of how an attacker could use this attack, as envisioned by Korznikov himself.


Some bank employee has access to the billing system, and the credentials to log in.
One day, he comes to work, logs in to the billing system and starts to work. At lunch time he locks his workstation and goes out to lunch.
Then, a system administrator gets to the employee's workstation and logs in with his administrator account.

According to the bank's policy, the administrator's account should not have access to the billing system, but with a couple of built-in commands in Windows, this system administrator will hijack the employee's desktop, which he left locked. From now on, the sysadmin can perform malicious actions in the billing system as the billing employee's account.


Because the attack uses local built-in Windows tools, the attacker doesn’t have to download other malware onto the target’s machine, an operation that sometimes triggers alarm bells on a company’s security systems.


Korznikov's discovery isn’t entirely new but appears to be an expanded version of an older attack. Back in 2011, Benjamin Delpy, a security researcher for the Bank of France, detailed the very same user session hijacking technique on his blog, albeit in French.


Taking into account the blog post's age, it is highly unlikely that Microsoft didn't find out about this issue in the past six years. It's very likely that they didn't consider it a security flaw and deemed this to be how Windows was supposed to behave.


Article source


Other source: Feature or flaw? How to hijack a Windows account in less than a minute


A Microsoft spokesperson said that the purported flaw "is not a security vulnerability as it requires local admin rights on the machine."
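The article's point that the attack uses only built-in tools means there is no malware to catch; the signal is in the Windows event logs instead. The following is an added detection example, not code from the article, from Korznikov, or from any of the posters. It assumes the relevant records have been exported and flattened into dictionaries (for instance from wevtutil or Get-WinEvent), and that two records surface the behaviour demoed in the videos: a new service installation (System log, event 7045) whose ImagePath launches a command shell, and an RDP session being reconnected (Security log, event 4778) with a ClientAddress of "LOCAL", which is assumed here to be what a console-side session switch looks like. The field names ServiceName, ImagePath, Installer, SessionName, AccountName and ClientAddress, the "LOCAL" heuristic, the five-minute correlation window and every sample event are constructed assumptions for illustration.

```python
"""Detection over exported Windows event records for the session-hijack pattern
in the article: a service installed to run a command shell (System 7045) followed
by an RDP session reconnected from the local console (Security 4778 with
ClientAddress "LOCAL"). Field names, heuristics and samples are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    log: str            # "System" or "Security"
    event_id: int
    fields: dict        # flattened EventData; the key names are assumptions


# Heuristic knobs (assumptions; tune per environment)
SHELL_IMAGES = ("cmd.exe", "powershell.exe")
CORRELATION_WINDOW = timedelta(minutes=5)


def is_shell_service(ev: Event) -> bool:
    """7045: a newly installed service whose ImagePath launches a shell."""
    if ev.log != "System" or ev.event_id != 7045:
        return False
    image = ev.fields.get("ImagePath", "").lower()
    return any(shell in image for shell in SHELL_IMAGES)


def is_local_rdp_reconnect(ev: Event) -> bool:
    """4778: an RDP-Tcp session reconnected with no network client (assumed to
    appear as ClientAddress "LOCAL" when the switch happens at the console)."""
    if ev.log != "Security" or ev.event_id != 4778:
        return False
    return (ev.fields.get("ClientAddress", "").upper() == "LOCAL"
            and ev.fields.get("SessionName", "").upper().startswith("RDP-TCP"))


def detect(events):
    """Return alert strings in time order. A local reconnect shortly after a
    shell-service install is raised to HIGH and attributed to the installer."""
    alerts = []
    shell_services = []
    for ev in sorted(events, key=lambda e: e.time):
        if is_shell_service(ev):
            shell_services.append(ev)
            alerts.append(
                f"MEDIUM {ev.time:%H:%M:%S} service {ev.fields.get('ServiceName', '?')} "
                f"runs a shell ({ev.fields.get('ImagePath')}), installed by "
                f"{ev.fields.get('Installer', '?')}")
        elif is_local_rdp_reconnect(ev):
            severity, attribution = "MEDIUM", ""
            for svc in shell_services:
                if timedelta(0) <= ev.time - svc.time <= CORRELATION_WINDOW:
                    severity = "HIGH"
                    attribution = (f"; follows shell service by "
                                   f"{svc.fields.get('Installer', '?')}")
            alerts.append(
                f"{severity} {ev.time:%H:%M:%S} session {ev.fields.get('SessionName')} "
                f"of {ev.fields.get('AccountName', '?')} reconnected locally"
                f"{attribution}")
    return alerts


def t(hhmmss: str) -> datetime:
    """Constructed timestamp helper: all samples fall on one day."""
    return datetime(2017, 3, 20, *map(int, hhmmss.split(":")))


# Constructed sample mirroring the bank scenario: an admin installs a service
# that spawns cmd.exe, then the billing user's RDP session is switched to from
# the console. The other two records are benign noise that must not alert.
SAMPLE_EVENTS = [
    Event(t("12:30:05"), "System", 7045, {
        "ServiceName": "sesshijack",
        "ImagePath": "cmd.exe /k <built-in session command, elided>",
        "Installer": "BANK\\sysadmin"}),
    Event(t("12:30:40"), "Security", 4778, {
        "AccountName": "BANK\\billing_user", "SessionName": "RDP-Tcp#3",
        "ClientName": "WKS-BANK-07", "ClientAddress": "LOCAL"}),
    Event(t("12:45:10"), "Security", 4778, {
        "AccountName": "BANK\\helpdesk", "SessionName": "RDP-Tcp#5",
        "ClientName": "HD-LAPTOP-02", "ClientAddress": "10.0.4.22"}),
    Event(t("11:02:00"), "System", 7045, {
        "ServiceName": "BankBackupAgent",
        "ImagePath": "C:\\Program Files\\BankBackup\\agent.exe",
        "Installer": "BANK\\deploy"}),
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone it prints two alerts: a MEDIUM one for the shell-launching service and a HIGH one for the locally reconnected RDP session, attributed to the service installer. The two benign records produce nothing. The design choice worth noting is that neither indicator alone identifies who performed the switch; the 4778 record names the session owner, so attribution comes only from correlating it with the preceding service install, which is why the window matters.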




Even though, according to the Microsoft spokesperson, it "is not a flaw", the right thing for Microsoft to do is to find a fix, since the biggest share of users use the Windows OS.

Not too long ago my bank account was hacked (funds were just moved within the same account) and it happened the same day I requested a change to my account. The strange thing, according to an investigation, was that they entered my account with my password.


Looks to me like a hack similar to the one above.

Edited by vitorio

32 minutes ago, virge said:

The article seems to state the flaw is in Windows 7/2012; if you use Windows 10, does the flaw exist?


Feature or flaw? How to hijack a Windows account in less than a minute


Korznikov said he tested the bug on Windows 7, Windows 10, and Windows Server 2008 and Windows Server 2012 R2, but Beaumont said it works on every supported version of Windows.



Another brilliant feature of Mark & Bryce's (SysInternals) tools. This "hack" has been around a long time. Using the -s argument runs the process in the LOCAL SYSTEM context, which, as anyone should know, has God powers. I've been using this tool for many years, but not for malicious purposes.

4 hours ago, banned said:

Another brilliant feature of Mark & Bryce's (SysInternals) tools.

Russinovich knows Windows like only a few do... :whistle:

Edited by pc71520

