Is there a way to uninstall StickyKeys? We need to kill this feature due to a vulnerability it has. Via Google-Fu I am only finding steps to disable it. On our Citrix server, setting the StickyKeys flag to 506 on the default user hive doesn’t seem to completely prevent it from being launched.
Other ways of disabling it (via PS script, etc.) are welcome. Some users are anonymous, if that matters.
Dave Lum (he/him)
Systems Administrator III
P: 503.546.2163
E:
lu...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201
It’s hackish. But two methods:
[1] Delete the regkey HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys
[2] Delete the binary c:\windows\system32\sethc.exe
The first is easy to do in PS. And you can easily iterate through all users on a computer to do them all.
The second is easy enough to do, but has a couple of extra steps: you’ll have to take ownership of the file and then give yourself (e.g., the Administrators group) permission to the file.
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/ntsysadmin/SJ0PR17MB492570033E2A8F1B2F370274DDE7A%40SJ0PR17MB4925.namprd17.prod.outlook.com.
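Michael's two methods as one elevated PowerShell script (an added example, not a script from the thread): it walks the user hives already mounted under HKEY_USERS, then temporarily loads each unloaded NTUSER.DAT listed in ProfileList plus the Default profile, and finally takes ownership of sethc.exe. It assumes the ProfileList, Users\Default and System32 paths shown, and renames the binary instead of deleting it so the change can be reverted.

```powershell
# Added example: apply both methods from the reply above. Run as Administrator.
$keyRel = 'Control Panel\Accessibility\StickyKeys'

function Remove-StickyKeysKey([string]$hiveRoot) {
    $path = "Registry::$hiveRoot\$keyRel"
    if (Test-Path $path) {
        Remove-Item $path -Recurse -Force
        Write-Host "Removed $path"
    }
}

# [1a] Hives of logged-on users are already mounted as HKEY_USERS\<SID>
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { Remove-StickyKeysKey "HKEY_USERS\$($_.PSChildName)" }

# [1b] Profiles that are not loaded, plus the Default profile that seeds new ones:
#      mount each NTUSER.DAT under a temporary name, edit it, then unload it.
$profileDirs = @(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*' |
    ForEach-Object { $_.ProfileImagePath })
$profileDirs += "$env:SystemDrive\Users\Default"   # assumed default-profile location
foreach ($dir in $profileDirs) {
    $dat = Join-Path $dir 'NTUSER.DAT'
    if (-not (Test-Path $dat)) { continue }
    # reg.exe refuses hives that are in use (user logged on); those were handled in [1a]
    & reg.exe load 'HKU\TmpStickyKeys' $dat 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }
    try     { Remove-StickyKeysKey 'HKEY_USERS\TmpStickyKeys' }
    finally {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop PowerShell's handles so unload succeeds
        & reg.exe unload 'HKU\TmpStickyKeys' 2>&1 | Out-Null
    }
}

# [2] sethc.exe is owned by TrustedInstaller: take ownership for the Administrators group,
#     grant it full control, then rename the binary (rename rather than delete, to allow rollback).
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
if (Test-Path $sethc) {
    & takeown.exe /F $sethc /A | Out-Null                     # /A assigns ownership to Administrators
    & icacls.exe $sethc /grant '*S-1-5-32-544:F' | Out-Null   # SID form avoids localized group names
    Rename-Item $sethc 'sethc.exe.disabled'
    Write-Host "Renamed $sethc"
}
```

Windows Resource Protection or a cumulative update can put sethc.exe back, so re-check after patching or pair this with a policy-based block on the binary.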
DELETE THE BINARY! FFS, I feel so dumb. Thank you!
Odd that 0% of what I found via Internet search said delete the key.
Again, thanks so much!
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Thursday, October 2, 2025 7:09 AM
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] RE: Kill Sticky Keys
3: Software Restriction Policy in Group Policy to block the binary.
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Teams: Phili...@MPECSInc.Cloud
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Thursday, October 2, 2025 08:09
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] RE: Kill Sticky Keys
Ah, so this is the same thing as using CMD.EXE → Utilman.EXE to flip the domain admin password on a DC?
This is a new one on me.
Given that – Philip’s solution is the best.
Thanks!
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Kurt Buff
Sent: Thursday, October 2, 2025 4:37 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Re: Kill Sticky Keys
Probably no CVE, but MITRE covers it under a tactic and a technique: TA0004 and T1546
Some pen testing exposed it in our Citrix farm, and Defender alerts went bananas on it.
The SRP does look like the best solution, thanks!
Dave
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Thursday, October 2, 2025 1:46 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] Re: Kill Sticky Keys
It wasn’t replacing an executable, it was getting access to browse the file system, IIRC similar to using IE11 and putting a directory name in the URL field in the bad old days.
PuTTy in Citrix has similar issues if anon access is used…(we’re killing anon but it’s slow because, reasons)
Dave
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of brett...@hotmail.com
Sent: Thursday, October 2, 2025 1:58 PM
To: ntsysadmin <ntsys...@googlegroups.com>
Subject: Re: [ntsysadmin] Re: Kill Sticky Keys
No CVE? So let's not call it a vulnerability then :)
There are more vectors than sticky keys.
Executable        | Feature                  | Trigger at Login
utilman.exe       | Ease of Access Center    | Accessibility Button
sethc.exe         | Sticky Keys              | Press Shift 5 times
osk.exe           | On-Screen Keyboard       | Ease of Access, keyboard
Magnify.exe       | Magnifier                | Ease of Access, magnifier
Narrator.exe      | Narrator (screen reader) | Win+Ctrl+Enter
displayswitch.exe | Display Switcher         | Win+P
atbroker.exe      | App Switcher             | Accessibility
I remembered Microsoft did something several years ago to make this trick much less effective. Here’s the response from Perplexity when I asked about what mitigations currently exist:
Microsoft has implemented several mitigations in recent years to reduce the effectiveness of the Utilman.exe, Sticky Keys, and similar accessibility feature exploits, but the method is not entirely blocked on all Windows systems.
Current Mitigation Measures
BitLocker/Drive Encryption: If BitLocker is enabled and the disk is encrypted, attackers must provide the recovery key before they can access or modify system files, which effectively prevents this exploit from working.
System File Protection & Digital Signatures: Modern Windows versions (especially x64) only allow executables that are properly signed and protected by system file integrity, making it harder to replace them with cmd.exe or other tools without Windows detecting the change.
Windows Defender Detection: Since 2018, Windows Defender can detect suspicious attempts to hijack or replace accessibility executables with other programs and may attempt to automatically restore or block changes.
Additional Authentication in Recovery: Starting with Windows 10, and more consistently in Windows 11, some recovery environment operations prompt for extra credentials or make access to the system drive more difficult.
Residual Risk and Legacy Systems
The exploit can still work on systems without BitLocker, Secure Boot, or with outdated Windows versions.
If physical access to the device is possible and protections are not enabled, the exploit potentially remains viable.
-Lee
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Kurt Buff
Sent: Thursday, October 2, 2025 4:37 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Re: Kill Sticky Keys
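A defender-side audit of the executables in Lee's table (an added example, not from the thread): for each file it checks the Authenticode status, the OriginalFilename in the version resource, and whether an Image File Execution Options Debugger value redirects it, which is the other classic way these binaries get hijacked. It assumes the files live in System32 and that Microsoft's build of each carries its own name as OriginalFilename.

```powershell
# Added example: report accessibility binaries that look replaced or redirected.
$accessibilityExes = 'utilman.exe','sethc.exe','osk.exe','Magnify.exe',
                     'Narrator.exe','displayswitch.exe','atbroker.exe'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary([string]$name) {
    $path   = Join-Path $env:SystemRoot "System32\$name"
    $result = [ordered]@{ Name = $name; Present = (Test-Path $path); Signature = 'n/a'
                          OriginalName = 'n/a'; Debugger = $null; Findings = @() }
    if ($result.Present) {
        # Catalog signatures are hash-based, so a copied cmd.exe still reports a valid Microsoft
        # signature; the version resource's OriginalFilename (assumed to match) catches that swap.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $result.Signature    = $sig.Status
        $result.OriginalName = (Get-Item $path).VersionInfo.OriginalFilename
        if ($sig.Status -ne 'Valid') { $result.Findings += "signature status $($sig.Status)" }
        if ($result.OriginalName -and $result.OriginalName -ine $name) {
            $result.Findings += "OriginalFilename is $($result.OriginalName)"
        }
    }
    # An IFEO Debugger value makes Windows launch that program instead of the named binary
    $dbg = Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) {
        $result.Debugger  = $dbg.Debugger
        $result.Findings += "IFEO Debugger = $($dbg.Debugger)"
    }
    [pscustomobject]$result
}

$report = $accessibilityExes | ForEach-Object { Test-AccessibilityBinary $_ }
$report | Format-Table Name, Present, Signature, OriginalName, Debugger -AutoSize
$report | Where-Object { $_.Findings.Count -gt 0 } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Findings -join '; ')" }
```

A binary you have deliberately removed or renamed shows up as Present = False, which is the expected state after the fix above rather than a finding.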
CrowdStrike gave us a glimpse into bypassing BitLocker. It’s actually quite easy surprisingly.
There’s a way to circumvent Windows Defender as well.
Suffice it to say, physical access is always a win no matter what. 😉
Thank you for this!
Sent: Thursday, October 2, 2025 5:15 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] Re: Kill Sticky Keys