sethc.exe Possible Backdoor

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

A possible backdoor exists on the remote host.

Description :

The copy of 'sethc.exe' in the Windows 'System32' directory on the
remote host appears to have been modified, perhaps for use as a
backdoor. Either or both of the 'InternalName' and 'OriginalFilename'
file attributes no longer match those of the original file.

This file is part of the Windows 'Sticky Keys' functionality and is
launched with SYSTEM privileges from a login screen when a Shift key
is pressed several times. After replacing the original file with, for
example, cmd.exe, an attacker with access to the host can bypass
authentication and gain a command shell and, in turn, complete control
of the host.

Solution :

Verify the contents of the 'sethc.exe' file and, if appropriate,
investigate whether the system has been compromised.
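
The attribute comparison described above can be reproduced offline against a copy of the file. The following is an added example, not Tenable's plugin code: it scans raw file bytes for the version-resource String entries instead of walking the PE resource directory. The function names and sample byte strings are constructed for illustration, and the baseline is assumed to be a known-good copy of 'sethc.exe' from the same Windows build.

```python
import struct

ATTRS = ("InternalName", "OriginalFilename")  # the two attributes named in the description

def _align4(n):
    return (n + 3) & ~3

def version_string(data, key):
    """Value of the VS_VERSIONINFO String entry `key` in raw file bytes, or None."""
    needle = (key + "\0").encode("utf-16-le")
    pos = data.find(needle)
    while pos != -1:
        hdr = pos - 6                      # wLength, wValueLength, wType precede szKey
        if hdr >= 0:
            w_len, _w_val_len, w_type = struct.unpack_from("<HHH", data, hdr)
            start = hdr + _align4(6 + len(needle))   # value starts on a 32-bit boundary
            end = min(hdr + w_len, len(data))
            if w_type == 1 and start < end:          # 1 = text value
                raw = data[start:end - ((end - start) % 2)]
                return raw.decode("utf-16-le", "replace").split("\0", 1)[0]
        pos = data.find(needle, pos + 2)   # false hit: keep scanning
    return None

def compare_version_attrs(suspect, known_good):
    """Return {attr: (suspect_value, known_good_value)} for every attribute that differs."""
    diffs = {}
    for attr in ATTRS:
        got, want = version_string(suspect, attr), version_string(known_good, attr)
        if got is None or want is None or got.lower() != want.lower():
            diffs[attr] = (got, want)
    return diffs

def make_entry(key, value):
    """Build one String entry; used only to construct the sample inputs below."""
    k = (key + "\0").encode("utf-16-le")
    body = k + b"\0" * (_align4(6 + len(k)) - 6 - len(k)) + (value + "\0").encode("utf-16-le")
    entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
    return entry + b"\0" * (_align4(len(entry)) - len(entry))

# Constructed sample data, not bytes taken from real files.
GOOD = b"MZ\0\0" + make_entry("InternalName", "sethc") + make_entry("OriginalFilename", "sethc.exe")
SWAPPED = b"MZ\0\0" + make_entry("InternalName", "cmd") + make_entry("OriginalFilename", "Cmd.Exe")

if __name__ == "__main__":
    print(compare_version_attrs(GOOD, GOOD))      # no differences
    print(compare_version_attrs(SWAPPED, GOOD))   # both attributes differ
```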

Risk factor :

Critical / CVSS Base Score : 10.0

Family: Windows

Nessus Plugin ID: 73026
