Windows Backdoor: System Level Access via Hot Keys

 

You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But, what if you were having a really bad day and you forgot your password. I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to login and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office, and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need? 

60 Seconds. This is how long it takes (minus boot times) to get a command prompt in the latest version of Windows, from the main login screen, with all of the security patches updated and an anti-virus program installed. That is, if you have physical access to the system and can reboot it. And this is not any old command prompt; this is a command prompt as the user “System”. If you know windows security, then you know that the “System” user is the highest level of authority that you can have. The operating system thinks you are the internal “system”. 

This hack requires physical access to the system and access to a DVD or USB drive. It is obtained by the manipulation of the Windows Hot-Keys “utilman.exe” file. This hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it is a manipulation of a windows service, it has never been patched. And actually, it is used as a solution, with instructions, on Microsoft’s Technet forum. 

After manipulation, once the hotkey is pressed, it instantly opens a command prompt window as the user “System” at the login screen. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (See picture). From here, many of the features of windows are functional. In the following picture you can see the open “Start Bar” & “Internet Explorer” window, along with the login prompt in the background:

 

Amazingly, this works in Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could get system level access to your server at a later date via the hot-key without rebooting your system. Therefore, it is imperative to keep physical security as a top concern in your business. Make sure that your server is in an area that is not available to public traffic and preferably in a locked room. Take extra care with your laptops. Do not leave them in areas that are unattended. 

It is always a good idea to disable services that are not needed. Also, disable booting to external devices and using boot passwords helps. Unfortunately, disabling the Windows hot-keys is not well documented. With Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if not needed. But the best defense is strong physical security.

About these ads

~ by D. Dieterle on July 16, 2010.

25 Responses to “Windows Backdoor: System Level Access via Hot Keys”

  1. [...] Windows Backdoor: System Level Access via Hot Keys « CYBER ARMS … [...]

  2. [...] This post was mentioned on Twitter by Jason Wilson, Cyber Arms. Cyber Arms said: Windows Backdoor: System Level Access via Hot Keys – http://bit.ly/bIQggs [...]

  3. Don’t forget “sethc.exe” too

    http://aplawson.wordpress.com/2009/04/22/pentest-sticky-keys-sethcexe-vulnerability-in-2003-xp-vista/

  4. 60 seconds.LOL
    I’ll have to quize the IT Admin I’m interning with about that when he comes back from lunch.

    Reminds me of when I was given a combo house safe, and locked the com paper inside the first night I had it. The result? A safe in the basement I need a torch to open…. Their foruns were not as helpful as MS are apparently…

    • I thought you would get a kick out of this Philo. :)

      Yeah, it is a very painless process if you have the Backtrack 4 Live distro on DVD. Boot from it, copy/ rename the files, and then boot the server. Then when the login screen comes up, just hit the “Windows” and the “U” key and that’s all she wrote.

      Makes you feel all warm and fuzzy about Windows security.

  5. This was first released by ColdZero, his Backdoor works on all windows versions. You can install that .exe backdoor without doing all that stuff and it will rename utilman.exe so you have an original backup. Cheers!

  6. Thanks EagleRaptor, ColdZero Backdoor works. It does all that stuff directly from windows without booting to a CD or DVD.
    I suggest strong physical security and yes “D. Dieterle”
    Makes you feel all warm and fuzzy about Windows security.

  7. I am not sure who originally found this, I have never heard of ColdZero. I known the manual method has been around since XP.

    I don’t have a lot of trust in automated tools and don’t recommend them lightly. It always makes me wonder what else they do that you don’t want them to do.

    You can’t beat step by step instructions on a Microsoft site though! :)

  8. My prof. told me he has scripts on his flash for this in case that happens, but wouldn’t elaborate. This is an internship with a branch of the government, so I didn’t push the issue. LOL

    I’ll tell you something though, these guys no their stuff…

  9. [...] Windows Backdoor: System Level Access via Hot Keys « CYBER ARMS … [...]

  10. Hey guys, this good wook!

  11. [...] covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have [...]

  12. [...] covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have [...]

  13. [...] covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have [...]

  14. [...] covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have [...]

  15. [...] covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have [...]

  16. Hmm it seems like your website ate my first comment (it was super long) so I guess I’ll just sum it up what I had written and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to the whole thing. Do you have any tips for novice blog writers? I’d certainly appreciate it.

  17. [...] More on Daniel Dieterle’s Blog [...]

  18. Nice topic guys…. workin on a solution because “I LOST MY PASSWORD” lmfao!!! Goin to try some of this and post back… \might even write up a tut if i get to it. :D

  19. WORKS A CHARM
    Not a prob!!!!

    here is a quick guide I’LL UPLOAD ONE WITH SCREENSHOTS AND ALL when im no so tired.

    : (ALL EXAMPLES ARE IN BRACKETS)
    1 boot from cd, launch repair my computer. select the command prompt.

    2. find your windows drive most likely c: or d: if you know where your os is installed go to that drive (type c:) then the promt should change to c:

    3.Change directories to the windows system32 directory (TYPE cd windows\system32) Then the prompt should read c:windows/system32>

    4 now rename the utilman.exe file, (TYPE ren utilman.exe utilman.bak)

    5 now to make the backdoor!!! copy command.com to be your new utilman.exe file ( TYPE copy command.com utilman.exe)

    6 Exit the command prompt (Type exit) then REBOOT.

    7 After the reboot load windows as normal and when you get to the logon screen remeber a user and simply hold your windows key and press U alternately click on the ease of access symbol bottom left of screen.

    8 If all went well this should bring up the command prompt again but this time you have privileges!!! now to change a users password!!! pick a user or admin acc. , for example my username is 1 for ease and (TYPE net user 1 *) where 1 is replace it with the username as for the star* its simply a wild card you can type you password there or leave the * and you will be prompted for a new password!! re type it and….

    There you go!!! you should be in!! once you have your access change utilman.exe back to its original.
    use command prompt or windows to do this BUT DO IT RIGHT!!! (ren utilman.bak utilman.exe and over write it) if left open this same exploit can be used over a terminal session via a third party pc so i have been told :D

    Pretty sure this is accurate i’ll re read it and confirm, (tired as hell) i have used this method several times, it should work if you follow my directions

    ***** ALL Information included in this post is only educational, please consider losing your ifo and pc before attempting this!!!!!! AS NO ONE IS RESPONSIBLE BUT YOU!!!! ;P ********

  20. how can i copy the sethc.exe file into the system32 if i dont have administrator privileges and i m a guest user

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 246 other followers

%d bloggers like this: