Lenovo laptops and desktops may install a special driver (known as the hot key driver) for controlling and using the special function keys (especially on laptops). We all know that these are the things most people will never patch, unless you have been following and using the ThinkVantage System Update, which I mentioned before in my blog:
However, if the target happens to be one of those unpatched ones (usually corp laptops), then this is your lucky day. Apparently, the way this program is structured doesn't care too much for security. It relies on a flag in the registry to tell it what to run, and this is conveniently available even prior to login. Yes, you probably guessed it: it's as simple as changing it to run "cmd.exe" and you have a system shell. Cool? Yes, but you still need to somehow be able to press the buttons, which probably requires some social engineering trick if you are attacking a laptop which you do not have physical access to. Otherwise, it's just that and you have a system shell which allows you to create havoc and extract information (such as NTLM hashes). Best of all, none of the known anti-malware products will actually prevent or even flag the changing of the registry as dangerous.
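For defenders, the registry write described above is observable with registry auditing. The following is an added example, not code from the original post or from Lenovo: it scans records shaped like Sysmon Event ID 13 (registry value set) and flags writes that repoint a hot key handler value at anything off an allowlist. The watched key path, value name and allowlisted handler path are placeholders (the post does not name them), and the sample events are constructed.

```python
# Added example (not from the original post): flag Sysmon Event ID 13 records
# that repoint a hot key handler registry value at an unexpected program.
# ASSUMPTIONS: key/handler paths are placeholders; SAMPLE_EVENTS is constructed.
import ntpath

WATCHED_KEY_PREFIX = r"HKLM\SOFTWARE\<VENDOR>\<HOTKEY_DRIVER_KEY>"  # placeholder
ALLOWED_HANDLERS = {r"c:\program files\<vendor>\<hotkey>\handler.exe"}  # placeholder
SHELL_STEMS = {"cmd", "powershell", "pwsh", "wscript", "cscript", "mshta"}

def command_path(details):
    """Extract the executable from a registry command string, lowercased."""
    s = details.strip()
    if s.startswith('"'):                      # "C:\path with spaces\x.exe" args
        end = s.find('"', 1)
        s = s[1:end] if end != -1 else s[1:]
    else:                                      # unquoted: cut at first ".exe"
        idx = s.lower().find(".exe")
        s = s[:idx + 4] if idx != -1 else (s.split() or [""])[0]
    return s.lower()

def evaluate(event):
    target = event.get("TargetObject", "")
    if event.get("EventID") != 13 or not target.lower().startswith(WATCHED_KEY_PREFIX.lower()):
        return None                            # not a write to the watched key
    path = command_path(event.get("Details", ""))
    if path in ALLOWED_HANDLERS:
        return None                            # expected handler, e.g. set by the installer
    stem = ntpath.basename(path)
    stem = stem[:-4] if stem.endswith(".exe") else stem
    severity = "high" if stem in SHELL_STEMS else "medium"
    return {"severity": severity, "key": target,
            "new_value": event.get("Details", ""), "writer": event.get("Image", "?")}

def scan(events):
    return [a for a in map(evaluate, events) if a is not None]

KEY = WATCHED_KEY_PREFIX + r"\<VALUE_NAME>"    # placeholder value name
SAMPLE_EVENTS = [  # constructed records using Sysmon Event ID 13 field names
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "TargetObject": KEY,
     "Details": r'"C:\Program Files\<VENDOR>\<HOTKEY>\handler.exe" /start'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "TargetObject": KEY,
     "Details": "cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Unrelated\Setting", "Details": "cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "TargetObject": KEY,
     "Details": r"C:\Users\Public\tool.exe /s"},
]

if __name__ == "__main__": print(*scan(SAMPLE_EVENTS), sep="\n")
```

The same allowlist approach applies to any vendor's hot key handler once the real key path is substituted for the placeholder.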
Now, we all know other brands of computers have hot keys too... Think about it...
Below is the original exploit from Packet Storm: