Technical consultation: Windows password system security and using a Windows Hello PIN to protect 2FA tokens
Hi there, let's break down your questions clearly to address your concerns:
1. Does the old sticky keys exploit still work?
Good news—this classic exploit has been fully patched in modern Windows versions (Windows 10 1607 and later, plus all Windows 11 builds). Microsoft tightened permissions on system files tied to the login screen, like sethc.exe (the sticky keys executable). You can no longer replace it with cmd.exe to gain an admin prompt directly from the login screen.
Even if someone has physical access to your laptop, this method won't work anymore. On top of that, if you've enabled BitLocker drive encryption (which I highly recommend), they can't even access the system drive to tamper with these files in the first place—BitLocker locks the drive until valid authentication is provided.
2. Can Windows Hello PIN protect your 2FA tokens, and could an attacker bypass it to access your account/2FA app?
First, let's clarify how Windows Hello PIN works: it's a device-specific authentication method tied directly to your laptop, not just a substitute for your Windows password. Unlike a password, it can't be used to log into your account on another device, and it's protected by hardware-level security (TPM chip, if your device has one) which makes it extremely hard to crack.
Now, to your scenario: if an attacker has physical access to your laptop, here's what they can't do easily:
- They can't reset your Windows password to log in unless they have access to your associated Microsoft account's recovery methods (like your recovery email or phone number). For local accounts, without a pre-configured password reset disk, they can't reset the password either—especially if BitLocker is enabled.
- They can't bypass Windows Hello PIN to get into your account. The PIN is validated locally via the TPM, so there's no way to brute-force it remotely or via physical tampering (unless they have specialized, expensive hardware tools, which is extremely unlikely for most threat actors).
As for your 2FA app:
- If your 2FA app (like Microsoft Authenticator) is installed on your Windows account, anyone who successfully logs into your Windows account could technically open it. But to add an extra layer of protection, most modern 2FA apps let you set an app-specific PIN or biometric lock (like Windows Hello face/fingerprint) to access the tokens themselves. Enabling this means even if someone gets into your Windows account, they still can't view your 2FA codes without that extra verification.
Key Takeaways
- The sticky keys exploit is a thing of the past on modern Windows.
- Windows Hello PIN is a secure way to protect your Windows login, especially when paired with BitLocker.
- To fully safeguard your 2FA tokens, enable both Windows Hello for system login and the built-in lock feature in your 2FA app.
Note: content sourced from Stack Exchange; question asked by Quinten
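As an added example that is not part of the Stack Exchange answer above: the sticky keys trick only works if an attacker can either overwrite an accessibility binary in System32 or point Windows at a different program through an Image File Execution Options (IFEO) "Debugger" value, and the answer's defence rests on BitLocker and a TPM. The PowerShell script below audits all of that on one machine. It goes slightly beyond the answer by also covering the IFEO variant and the other accessibility tools winlogon can launch (utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe), which are swapped with the same technique. Assumptions: Windows 10/11 with the built-in BitLocker and TrustedPlatformModule PowerShell modules, the binaries under their standard names in %SystemRoot%\System32, and an elevated prompt (Get-BitLockerVolume and Get-Tpm need it).

```powershell
# Added example, not from the original answer. Run from an elevated PowerShell
# prompt on Windows 10/11. Assumes the standard System32 layout and the built-in
# BitLocker and TrustedPlatformModule modules.

$ErrorActionPreference = 'Stop'
$sys32 = Join-Path $env:SystemRoot 'System32'

# Binaries the logon screen can launch before anyone has authenticated. Each is a
# candidate for the "sticky keys" file swap or an IFEO debugger redirect.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

$cmdHash  = (Get-FileHash -Path (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$findings = @()

foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }   # not every SKU ships every tool

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $orig = (Get-Item $path).VersionInfo.OriginalFilename

    # 1. Classic swap: the file is a byte-for-byte copy of cmd.exe.
    if ($hash -eq $cmdHash) {
        $findings += "$name is identical to cmd.exe (classic sticky keys swap)"
    }
    # 2. Any replacement: the PE's embedded original file name no longer matches
    #    (a copied cmd.exe reports 'Cmd.Exe', for example).
    if ($orig -and ($orig -ne $name)) {
        $findings += "$name reports OriginalFilename '$orig'"
    }
    # 3. Microsoft ships these binaries signed; anything other than Valid for a
    #    system binary merits a closer look.
    if ($sig.Status -ne 'Valid') {
        $findings += "$name signature status is $($sig.Status)"
    }
    # 4. Registry variant: an IFEO 'Debugger' value makes Windows start another
    #    program in place of this one without touching the file at all.
    $dbg = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) {
        $findings += "$name has IFEO Debugger = '$($dbg.Debugger)'"
    }
}

# BitLocker: without it, anyone who boots the laptop from external media can
# rewrite System32 and recreate the swap offline.
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection on $env:SystemDrive is $($vol.ProtectionStatus) (volume status: $($vol.VolumeStatus))"
    }
} catch {
    $findings += "BitLocker status unavailable: $($_.Exception.Message)"
}

# TPM: the Windows Hello PIN's key protection and anti-hammering depend on it;
# without a ready TPM the PIN falls back to software-protected keys.
try {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)"
    }
} catch {
    $findings += "TPM status unavailable: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: accessibility binaries intact, no IFEO redirects, BitLocker on, TPM ready.'
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

A clean machine prints the single OK line. Each WARN line names one of the preconditions the answer depends on that does not hold: a swapped or redirected accessibility binary means the login-screen shell trick is live regardless of Windows build, BitLocker off means an offline attacker can put it there, and a missing TPM means the PIN is no longer hardware-backed.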