This topic contains 1 reply, has 2 voices, and was last updated by nibbl0r 1 week, 4 days ago.
- April 7, 2021 at 1:38 pm #380881
- April 7, 2021 at 1:38 pm #380884
I’m fairly new to cybersecurity, but I asked my cyber-security teacher this exact question. He explained to me that it had to do with the kernel of the operating system itself. When it comes to Windows machines in particular, he explained that Kon-Boot will replace the operating system kernel before the machine fully boots up. He further explained that this modified operating system kernel is a modified version of the Windows operating system kernel. This modified version is specifically designed so that the SAM file does not connect and interact with winlogon.exe; therefore the login screen has no password to actually compare to the one that you entered. Now, he did give me a small caveat when he explained how it worked. He told me that this is how it worked on Windows 7 machines and that he had no experience with the newer versions of Kon-Boot, so he was unsure if it actually did the exact same procedure for Windows 10. I hope that answers something for you.
Edit: this is from the Wikipedia page, with sources:
Kon-Boot works like a bootkit (thus it also often creates false positive alerts in antivirus software). It injects (hides) itself into BIOS memory. Kon-Boot modifies the kernel code on the fly (at runtime), temporarily changing the code responsible for verification of the user’s authorization data while the operating system loads.
In contrast to password reset tools like CHNTPW (The Offline NT Password Editor), Kon-Boot does not modify system files and the SAM hive; all changes are temporary and they disappear after the system reboots.
- April 7, 2021 at 1:38 pm #380883
Well, if the hard drive is not encrypted, anyone can access all data for reading and writing by booting any other media via USB (or CD, or unplugging the internal drive and plugging it into another PC, …).
The password, or password hash, of the admin account is just in one of those files. Kon-Boot just changes this file. Mind: you cannot read the old/lost/other one’s password, just set a new one.
[http://www.chntpw.com/](http://www.chntpw.com/) is a free version that does the same; I’d bet Kon-Boot is using the same tools, namely [https://en.wikipedia.org/wiki/Chntpw](https://en.wikipedia.org/wiki/Chntpw).
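Both replies above come down to two preconditions on the target machine: the offline route (chntpw, or anything else booted from removable media) needs a system volume that is not encrypted, and the bootkit-style route described in the quoted Wikipedia text needs firmware that will hand control to unsigned pre-boot code. The following PowerShell audit is an added example, not code from the thread or from the Kon-Boot or chntpw projects; it checks those two conditions on the local machine using the stock BitLocker, SecureBoot and TrustedPlatformModule cmdlets. It assumes an elevated prompt on Windows 8 / Server 2012 or later with the BitLocker module present, and that the system volume is the one mounted at `$env:SystemDrive`.

```powershell
# Added example: audit whether this machine is exposed to the attacks discussed above.
# Assumptions: run as Administrator; BitLocker module available; UEFI firmware
# (Confirm-SecureBootUEFI throws on legacy BIOS / CSM boot, which we treat as a finding).

$findings = @()

# 1. Is the system volume encrypted? If not, the SAM hive is readable and writable
#    from any boot media, which is the case nibbl0r describes.
$sys = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($sys.ProtectionStatus -ne 'On') {
    $findings += "$($sys.MountPoint) BitLocker protection is $($sys.ProtectionStatus) (volume status: $($sys.VolumeStatus)); SAM hive is exposed to offline editing."
} else {
    $types = ($sys.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    Write-Verbose "BitLocker on for $($sys.MountPoint); key protectors: $types" -Verbose
}

# 2. Will the firmware refuse unsigned pre-boot code? A bootkit-style loader must run
#    before the Windows kernel, which Secure Boot is designed to block.
try {
    if (-not (Confirm-SecureBootUEFI)) {
        $findings += 'Secure Boot is disabled; unsigned pre-boot code can run before the kernel.'
    }
} catch {
    $findings += 'Firmware is legacy BIOS or CSM mode; Secure Boot is not available at all.'
}

# 3. TPM state, since TPM-bound BitLocker protectors are what make the encrypted volume
#    unlock automatically without exposing the key to someone booting other media.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += 'TPM is absent or not ready; BitLocker cannot seal the volume key to the platform.'
}

if ($findings.Count -eq 0) {
    'No exposure found: system volume encrypted, Secure Boot on, TPM ready.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each `FINDING:` line maps to one of the preconditions from the thread: the BitLocker finding means the offline hive-edit route is open regardless of what Kon-Boot does in memory, and the Secure Boot finding means the firmware will not stop a loader that patches the kernel on the way up. Fixing the first closes the chntpw route; fixing both is what you want before relying on the login prompt at all.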