Kon-Boot

Kon-Boot was originally designed as a proof of concept, freeware security tool, mostly for people who tend to forget their passwords. The main idea was to allow users to login to the target computer without knowing the correct password and without making any persistent changes to system on which it is executed.

First Kon-Boot release was announced in 2008 on DailyDave mailing list.^[6] Version 1.0 (freeware) allowed users to login into Linux based operating systems and to bypass the authentication process (allowing access to the system without knowing the password).

In 2009 author of this software announced Kon-Boot for Linux and 32-bit Microsoft Windows systems.^[7] This release provided additional support for bypassing Windows systems passwords on any Windows operating system starting from Windows Server 2008 to Windows 7. This version is still available as freeware^[8]

Newest Kon-Boot releases are available only as commercial products^[1][9] and are still maintained.

Current version is able to bypass passwords on the following operating systems:

Kon-Boot works like a bootkit^[13][14] (thus it also often creates false positive^[15][16][17] alerts in antivirus software). It injects (hides) itself into BIOS memory. Kon-Boot modifies the kernel code on the fly (runtime), temporarily changing the code responsible for verification user's authorization data while the operating system loads.

In contrast to password reset tools like CHNTPW (The Offline NT Password Editor), Kon-Boot does not modify system files and SAM hive,^[18] all changes are temporary and they disappear after system reboots.

While by default Kon-Boot bypasses Windows passwords it also includes some additional features that are worth noting:

• Kon-Boot can change Windows passwords due to embedded Sticky-Keys^[19] feature. For example after successful Windows boot with Kon-Boot user can tap SHIFT key 5 times and Kon-Boot will open a Windows console window running with local system privileges. Fully working console can be used for a variety of purposes. For example in case of changing Windows password following command can be used:^[20] net user [username] [newpassword](selected user can be later added as new Windows administrator by typing: net localgroup administrators [username] /add). Similarly following command:^[21] net user [username] * will erase current Windows password for selected user. Obviously many other actions are available since the Windows console is running with system privileges.

• 

  In the commercial Kon-Boot editions it is possible to use Automatic PowerShell Script Execution feature ^[22] which automatically executes (after Windows boot) given PowerShell script with full system privileges. This feature can be used to automatize various tasks for example performing forensics data gathering task etc. To use this feature Windows needs to be installed in UEFI mode.

Users concerned about tools like Kon-Boot should use disk encryption^[23] (FileVault, Bitlocker, Veracrypt etc.) software as Kon-Boot is not able to bypass disk encryption.^[24] BIOS password and enabled SecureBoot^[25][26] feature is also a good prevention measure. However Kon-Boot since version 3.5 is able to bypass SecureBoot feature.^[27] Kon-Boot does not support virtualization and instructs users to turn it off in the bios.^[28] Kon-Boot does not support ARM devices such as Apple's M1 chip (newest Apple ARM devices does not support booting from 3rd party media).