I’m writing a paper on vulnerabilities in Windows 10. Does anyone know the mechanism of kon-boot? – Digitalmunition



This topic contains 1 reply, has 2 voices, and was last updated by  nibbl0r 1 week, 4 days ago.

  • Author
  • #380881


    I can’t seem to find any resources as to how Kon-boot actually works.


  • #380884


    I’m fairly new to cybersecurity, but I asked my cyber-security teacher this exact question. He explained to me that it had to do with the kernel of the operating system itself. When it comes to Windows machines in particular, he explained that Kon-Boot will replace the operating system kernel before the machine fully boots up. He further explained that this modified operating system kernel is a modified version of the Windows operating system kernel. This modified version is specifically designed so that the SAM file does not connect and interact with winlogon.exe; therefore the login screen has no passwords to actually compare to the one that you entered. Now, he did give me a small caveat when he explained how it worked. He told me that this is how it worked on Windows 7 machines and that he had no experience with the newer versions of Kon-Boot, so he was unsure if it actually did the exact same procedure for Windows 10. I hope that answers something for you.

    edit: this is from the Wikipedia page with sources

    Kon-Boot works like a bootkit (thus it also often creates false positive alerts in antivirus software). It injects (hides) itself into BIOS memory. Kon-Boot modifies the kernel code on the fly (runtime), temporarily changing the code responsible for verification of the user’s authorization data while the operating system loads.
    In contrast to password reset tools like CHNTPW (The Offline NT Password Editor), Kon-Boot does not modify system files and the SAM hive; all changes are temporary and they disappear after the system reboots.

  • #380883


    Well, if the hard drive is not encrypted, anyone can access all data for reading and writing by booting any other media via USB (or CD, or unplugging the internal drive and plugging it into another PC, …).

    The password, or password hash, of the admin account is just in one of those files. Kon-Boot just changes this file. Mind: you cannot read the old/lost/other one’s password, just set a new one.

    [http://www.chntpw.com/](http://www.chntpw.com/) is a free version that does the same, I’d bet kon-boot is using the same tools, namely [https://en.wikipedia.org/wiki/Chntpw](https://en.wikipedia.org/wiki/Chntpw)
