In Windows 10, the Windows Recovery Environment (WinRE) can be launched by repeatedly cutting power to the computer during the boot sequence. This allows an attacker with physical access to a desktop machine to gain administrative command-line access, at which point they can view and modify files, reset the administrative password using various techniques, and so on.
(Note that if you launch WinRE directly, you must provide a local administrative password before it will give you command line access; this does not apply if you launch WinRE by repeatedly interrupting the boot sequence. Microsoft have confirmed that they do not consider this to be a security vulnerability.)
In most scenarios this doesn't matter, because an attacker with unrestricted physical access to the machine can usually reset the BIOS password and gain administrative access by booting from removable media. However, for kiosk machines, in teaching labs, and so on, measures are usually taken to restrict physical access by, e.g., padlocking and/or alarming the machines. It would be very inconvenient to have to also try to block user access to both the power button and the wall socket. Supervision (either in person or via surveillance cameras) might be more effective, but someone using this technique would still be far less obvious than, e.g., someone attempting to open the computer case.
How can the system administrator prevent WinRE from being used as a back door?
Addendum: if you are using BitLocker, you are already partially protected from this technique; the attacker will not be able to read or modify files on the encrypted drive. It would still be possible for the attacker to wipe the disk and install a new operating system, or to use a more sophisticated technique such as a firmware attack. (As far as I am aware firmware attack tools are not yet widely available to casual attackers, so this is probably not an immediate concern.)
You can use reagentc to disable WinRE:
See the Microsoft documentation for additional command-line options.
When WinRE is disabled in this way, the startup menus are still available, but the only option that is available is the Startup Settings menu, equivalent to the old F8 startup options.
If you are carrying out unattended installations of Windows 10, and want WinRE to be disabled automatically during installation, delete the following file from the install image:
The WinRE infrastructure is still in place (and can be re-enabled later using a copy of winre.wim and the reagentc command line tool) but will be disabled.
Note that the Microsoft-Windows-WinRE-RecoveryAgent setting in unattend.xml does not appear to have any effect in Windows 10. (However, this might depend on which version of Windows 10 you are installing; I have only tested it on the LTSB branch of version 1607.)
Use BitLocker, or any other hard drive encryption. It's the only reliable and truly secure way to achieve what you want.
BitLocker also works in the case when someone steals your hard drive and uses it as a secondary drive in his PC, so that the PC boots with his OS and the secondary hard drive as a drive only; it does not require any password, and if it is not protected by BitLocker anyone can easily explore its contents. Please be careful trying this, because repeating this behaviour causes serious corruption of data.
Always use encryption to prevent these kinds of problems. Please read this for further information about disk encryption.
Disk Encryption
Run the following command to disable Recovery Environment due to shutdown failures (which includes intentionally yanking the power cord):
bcdedit /set {current} bootstatuspolicy ignoreallfailures
Also add this to disable the Recovery Environment:
bcdedit /set {current} recoveryenabled no
Both are under the Windows Boot Loader section of the BCD store.
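To confirm that the settings discussed in the answers above are actually in place on a machine, the following added example (not part of any of the original answers) parses the text output of `reagentc /info` and `bcdedit /enum {current}`. The function names are hypothetical, the sample output is constructed, and English-language tool output is assumed.

```powershell
# Added example: audit the WinRE / BCD recovery settings discussed above.
# Get-SettingValue and Test-RecoveryHardening are hypothetical helper names.

function Get-SettingValue {
    param([string[]]$Lines, [string]$Pattern)
    # Return the first capture group of the first line that matches, else $null.
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $Pattern, 'IgnoreCase')
        if ($m.Success) { return $m.Groups[1].Value }
    }
    return $null
}

function Test-RecoveryHardening {
    param(
        [string[]]$ReagentcInfo,  # lines from: reagentc /info
        [string[]]$BcdCurrent     # lines from: bcdedit /enum '{current}'
    )
    $winre  = Get-SettingValue $ReagentcInfo '^\s*Windows RE status:\s*(\S+)'
    $recov  = Get-SettingValue $BcdCurrent   '^\s*recoveryenabled\s+(\S+)'
    $policy = Get-SettingValue $BcdCurrent   '^\s*bootstatuspolicy\s+(\S+)'

    # A setting that is missing from the output counts as "not hardened".
    [pscustomobject]@{
        WinREStatus        = $winre
        WinREDisabled      = ($winre  -eq 'Disabled')
        RecoveryEnabledNo  = ($recov  -eq 'No')
        IgnoreAllFailures  = ($policy -eq 'IgnoreAllFailures')
    }
}

# Constructed sample output (not captured from a real machine): WinRE is
# still enabled and recoveryenabled has not been changed.
$sampleReagentc = @(
    '    Windows RE status:         Enabled'
)
$sampleBcd = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'recoveryenabled         Yes',
    'bootstatuspolicy        IgnoreAllFailures'
)
Test-RecoveryHardening $sampleReagentc $sampleBcd | Format-List

# On a live machine, from an elevated PowerShell prompt. The braces must be
# quoted: PowerShell otherwise parses {current} as a script block.
# Test-RecoveryHardening (reagentc /info) (bcdedit /enum '{current}') | Format-List
```

The same quoting applies to the `bcdedit /set {current} ...` commands above when they are typed into PowerShell rather than cmd.exe.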