Kon boot detection in Windows

Discussion in 'other security issues & news' started by chiraldude, Jul 28, 2010.

Thread Status:
Not open for further replies.
  1. chiraldude, Registered Member (Joined: Jul 3, 2010; Posts: 157)

    I couldn't find anything about this using simple internet searches, then I had an idea.

    Suppose I create an encrypted folder somewhere, then have some simple process that runs automatically and creates two files, one in the encrypted folder and one in an unencrypted location. If the system has been booted but the login bypassed, then the file write to the encrypted folder will fail.
    Now I have two pieces of info to work with. One is a file write error and the other is the unencrypted file's timestamp.
    Any thoughts on how reliable/useful this might be to detect Kon-Boot usage?

    Of course I could just use FDE and completely block such things, but disk encryption comes with its own set of issues and there are times when it's more trouble than it's worth.
    I would like to know, for example, whether my teenage son has used Kon-Boot to bypass the admin password.
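
The two-file canary described in the post above, as an added example that is not part of the original thread. The function names, the `canary.txt` and `canary.log` file names and the folder arguments are assumptions, and the code takes the poster's premise as given: that a write into the encrypted folder raises an OS error when the login was bypassed.

```python
import json
import time
from pathlib import Path

CANARY_NAME = "canary.txt"   # hypothetical file written into the encrypted folder
LOG_NAME = "canary.log"      # hypothetical log kept in the unencrypted location


def write_canary(protected_dir, plain_dir, now=None):
    """Run once per logon: attempt the protected write, then log the outcome.

    The log line in plain_dir is the "unencrypted file" from the post; its
    recorded time plays the role of the timestamp the poster mentions.
    """
    now = time.time() if now is None else now
    record = {"time": now, "protected_ok": True, "error": None}
    try:
        # Premise from the post: this write fails if the login was bypassed.
        Path(protected_dir, CANARY_NAME).write_text(str(now), encoding="utf-8")
    except OSError as exc:
        record["protected_ok"] = False
        record["error"] = type(exc).__name__
    with Path(plain_dir, LOG_NAME).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def suspicious_sessions(plain_dir):
    """Return logged sessions where the plain write worked but the protected one failed."""
    log = Path(plain_dir, LOG_NAME)
    if not log.exists():
        return []
    hits = []
    for line in log.read_text(encoding="utf-8").splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip truncated or hand-edited lines instead of crashing
        if isinstance(rec, dict) and rec.get("protected_ok") is False:
            hits.append(rec)
    return hits
```

The log sits in an unencrypted location, so anyone who reaches an administrator session can edit or delete it; a missing or shortened log is itself worth treating as a signal.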
     