Sidestepping Windows Login Credentials

It's no secret that Windows security is akin to that of cheesecloth. As if you needed yet another reason to switch to a real operating system, let's take a look at how to get administrative access on any Windows 2000, XP, Vista, or 7 box that you can physically access, and change the boot medium on.

This hack is nothing new. I'm not reinventing the wheel. I am, however, bringing this information to the masses of followers that I have, that might not be reading the same things I do online. I do not take credit for this hack, but merely for making you (the reader) aware of it. Also, I am not responsible for any misuse of this information. All information presented here is for educational purposes only, and I do not condone the misuse of this information. With that said...

Let's get right into this hack, shall we? You're going to need some sort of linux boot media for this. I suggest Backtrack linux, but anything you can boot off of and mount an NTFS partition as read/write should do the trick. You're also going to need to be able to boot that media -- booting a CD or DVD on a netbook doesn't work so well, and some older motherboards won't boot from a pen drive, so you're going to have to choose the best method for the machine you're working on.

Boot your linux distro of choice, and mount your Windows drive locally. Make sure you have read/write access to it. In the past, this may have been more difficult, but with the current state of linux distros, it should be trivial. Once mounted, open a command prompt and navigate to the Windows\System32 directory of your Windows disk. That could be something that looks like this: /media/sda1/Windows/System32. Now, enter the following commands:

  2. $ mv Utilman.exe Utilman.old
  3. $ cp cmd.exe Utilman.exe

This will back up (important!) the Utilman.exe, and create a copy of cmd.exe in its place. Go ahead and unmount the disk, reboot the machine, and load Windows. At the login prompt, press Win+U on your keyboard, and you will be presented with a command line. Type 'whoami' to verify that you are the System account, and then type 'explorer' to launch your start menu, taskbar, system tray, and the like. Presumably, you could kill the winlogon process to remove the login screen, although I have not tested this. If someone can verify, please leave it in the comments.

There you have it. You've successfully gained administrative access on the Windows box of your choosing. Remember, when you're done, boot back in to linux, and replace the old .exe by coping Utilman.old to Utilman.exe.

Note: The post title has been changed due to input received from peer response. Thanks for the suggestions, guys.

Be Sociable, Share!

5 thoughts on “Sidestepping Windows Login Credentials”

  1. How is this different from mounting a Linux partition and changing the root password in /etc/passwd to a password of your choice? You can pretty easily root any system you have physical access to unless the drive is encrypted (and even then you could wipe and install a new OS).

    1. True. Keep in mind, if you can touch it: you can own it. Nothing is immune from being cracked, however this is a silly mistake for Microsoft to make.

  2. A much easier way to get access to a Windows box that you have access to physically.

    Any operating system can be rooted pretty easily as long as you have physical access to the unencrypted drive.

    If you encrypt your hard drive with EFS, your hack won’t work.

    1. Yes, Steve, but you need to keep in mind: this post isn’t about a third party utility to edit/change/remove your password, this is about the inherent security flaw of the Windows login process. I challenge you to find a single user who a) knows how to encrypt their drive and b) has encrypted their drive that isn’t an industry professional.

      This is not the most effective way of getting into a box, and it isn’t supposed to be a howto for hacking a computer, but rather a call to arms for Microsoft to fix some of the glaring security holes that has made their OS such a tragic example of how not to be a secure OS over the past 25 years.

Comments are closed.