I discovered something interesting that I wanted to share with the rest of the world.

Before you read any further, I want you to know that I did send an email to MSRC (Microsoft Security Response Center) about this. The answer I got was this:

<quote>«In general, MSRC does not consider issues that require physical access to be exploited as security vulnerabilities (immutable law #3 in the link below).

If the issue allows for direct code execution bypassing the logon screen of a locked computer, we may consider that a security vulnerability on a case-by-case basis.

“Definition of a Security Vulnerability”
https://msdn.microsoft.com/en-us/library/cc751383.aspx

“Ten Immutable Laws Of Security (Version 2.0)”
http://blogs.technet.com/b/rhalbheer/archive/2011/06/16/ten-immutable-laws-of-security-version-2-0.aspx»</quote>

What I discovered was that I could access the clipboard from the lock screen on Windows 10. How do I do that?

Look at this video:

In this video, I have copied some text to the clipboard prior to locking my machine, and I am able to paste it into the key field of the wireless connection (WHAT????).

The thing that I find strange is that every other field (username / password) is prevented from accepting a paste, and to me that means Microsoft has given some thought to preventing access to the clipboard from the lock screen.

I guess this could be useful for an attacker doing social engineering attacks, like walking up to a computer during lunch and seeing what is on the clipboard. And when you think about it, more and more companies are starting to use password managers that generate passwords for the user. And what happens when a generated password is not possible to remember? The user copies it to the clipboard, of course.

I don’t think this is a serious issue, but I would assume that it would be easy for Microsoft to prevent this with a few lines of code.

Hope you liked the blogpost and remember, sharing is caring. 🙂

Update #1 26.01.2017: It has come to my attention from Reddit that if you try to connect to an 802.1X network you will get the unmasked username field as well. Thanks to paulanerspezi for pointing that out.

To clear your clipboard before locking your computer you could run the following command:

cmd /c "echo off | clip"

Update #2 26.01.2016: How to remove the network icon from the lock screen

To remove the network option on the lock screen you could either create a Group Policy and link it, or do it locally if your computer is not part of a domain. The settings are exactly the same.

To block it on a local machine that is not part of a domain, open the Local Group Policy Editor (gpedit.msc) and browse to this location (Computer Configuration – Administrative Templates – System – Logon):

Then you change the “Do not display network selection UI” setting to Enabled.

That's it!
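The two mitigations from this post (clearing the clipboard before locking, and hiding the network selection UI on the lock screen) as one script, written as an added example and not code from the original post. The registry value it audits, DontDisplayNetworkSelectionUI under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, is the value that the "Do not display network selection UI" policy writes; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example, not part of the original post. Requires an elevated prompt
# for the policy write; the clipboard clearing and locking need no privileges.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policyName = 'DontDisplayNetworkSelectionUI'   # backs "Do not display network selection UI"

function Get-NetworkSelectionUIState {
    # Returns NotConfigured / Hidden / Shown depending on the policy value
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return 'NotConfigured' }
    if ($item.$policyName -eq 1)    { return 'Hidden' }
    return 'Shown'
}

function Disable-NetworkSelectionUI {
    # Same effect as setting the policy to Enabled in gpedit.msc or via a linked GPO
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Lock-WorkstationSafely {
    # Empty the clipboard first (the post's own "echo off | clip" trick), then lock,
    # so a copied password-manager entry cannot be pasted from the lock screen.
    cmd /c 'echo off | clip'
    rundll32.exe user32.dll,LockWorkStation
}

# Audit, harden if needed, then lock
"Network selection UI on lock screen: $(Get-NetworkSelectionUIState)"
if ((Get-NetworkSelectionUIState) -ne 'Hidden') { Disable-NetworkSelectionUI }
Lock-WorkstationSafely
```

The policy change takes effect for the lock screen after the next lock; the clipboard and lock step can be bound to a shortcut so it replaces the plain Win+L habit.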

Update 27.01.2017:

A new blogpost about the same problem using Narrator – https://msitpros.com/?p=3764