# Enumerate changed lockscreen executables

{% hint style="warning" %}
You need at least local admin privileges on the remote target. Use the **--local-auth** option if your user is a local account.
{% endhint %}

Attackers can replace accessibility executables in Windows (e.g. `utilman.exe`, `sethc.exe`) with binaries like `cmd.exe` or `powershell.exe` to spawn a SYSTEM-level shell. These backdoors can be triggered from the lock screen without authentication.

This module checks for tampered lock screen executables by comparing their FileDescription metadata against expected values:

```bash
nxc smb 10.10.10.10 -u 'Administrator' -p 'PASSWORD' -M lockscreendoors
```

The module connects to `C$\Windows\System32` and checks the following executables:

* `utilman.exe`
* `narrator.exe`
* `sethc.exe`
* `osk.exe`
* `magnify.exe`
* `EaseOfAccessDialog.exe`
* `voiceaccess.exe`
* `displayswitch.exe`
* `atbroker.exe`

If the FileDescription field of one of these executables does not match its expected value, it is flagged as suspicious. If the description matches known backdoor patterns (`Windows PowerShell` or `Windows Command Processor`), it is marked as a backdoor.

If Network Level Authentication (NLA) is not enabled, an attacker can start an unauthenticated RDP session and interact with the lock screen. In combination with a tampered accessibility executable, this allows an unauthenticated attacker to spawn a SYSTEM shell on the target host.

## Example Output

The following screenshot shows all three possibilities:

* A system with default executables (clean),
* A suspicious system with unexpected descriptions,
* A system with known backdoored files.

<figure><img src="/files/M0kvv3tS8n9R3Hx8crWq" alt=""><figcaption><p>Known backdoored executables, suspicious descriptions and a clean system</p></figcaption></figure>

{% hint style="warning" %}
This method is not bulletproof: an attacker can easily modify the FileDescription metadata, resulting in false negatives.
{% endhint %}
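
A local complement to the FileDescription check, written as an added example (not NetExec code): it combines the two backdoor descriptions named above with a SHA-256 comparison against `cmd.exe` and `powershell.exe` and an Authenticode check, since editing a binary's metadata invalidates its signature. It assumes Windows 10 or later with PowerShell 5.1+, where `Get-AuthenticodeSignature` also validates catalog-signed system files; the verdict labels and variable names are illustrative.

```powershell
# Added example: run locally in PowerShell on the host being checked.
$sys32 = Join-Path $env:SystemRoot 'System32'

# Executables listed on this page.
$targets = 'utilman.exe','narrator.exe','sethc.exe','osk.exe','magnify.exe',
           'EaseOfAccessDialog.exe','voiceaccess.exe','displayswitch.exe','atbroker.exe'

# FileDescription values this page names as known backdoor patterns.
$backdoorDescriptions = 'Windows PowerShell','Windows Command Processor'

# Hashes of the shells named on this page, to catch a straight copy
# even when its description no longer gives it away.
$shellHashes = @(
    Join-Path $sys32 'cmd.exe'
    Join-Path $sys32 'WindowsPowerShell\v1.0\powershell.exe'
) | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash }

$results = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # not every build ships all nine

    $desc = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    # Description or hash match: a shell sits in place of the accessibility tool.
    # Invalid signature: the file was altered after signing (e.g. edited metadata).
    $verdict = if ($backdoorDescriptions -contains $desc -or $shellHashes -contains $hash) {
        'BACKDOOR'
    } elseif ($sig.Status -ne 'Valid') {
        'SUSPICIOUS'
    } else { 'OK' }

    [pscustomobject]@{
        File = $name; Verdict = $verdict; FileDescription = $desc
        Signature = $sig.Status; SHA256 = $hash
    }
}
$results | Format-Table -AutoSize
```

A copied `cmd.exe` still carries a valid Microsoft signature, which is why the description and hash comparisons are evaluated before the signature status.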

