Windows Backdoor: System Level Access via Hot Keys


You hear it all the time in the support forums, “I lost my administrator password, what do I do?” Honestly, it makes you wonder how many times the request is really legit.

But, what if you were having a really bad day and you forgot your password. I mean the world ran out of coffee and your car radio got stuck on a country station on the way in to work. Yes, that kind of bad day. You arrive late to your office; well you did stop at every coffee place on the way in to make sure they were out, what did you expect? You rush to your desk, sit down at your keyboard to login and… nothing. It’s gone, you can’t remember it. You wrote your password on a sticky note on your monitor (of course), but wouldn’t you know, this was the day the cleaning crew actually visited your office, and threw it away. You could call IT support, but that would be you. What do you do? Better yet, how much time would you need? 

60 Seconds. This is how long it takes (minus boot times) to get a command prompt in the latest version of Windows, from the main login screen, with all of the security patches updated and an anti-virus program installed. That is, if you have physical access to the system and can reboot it. And this is not any old command prompt; this is a command prompt as the user “System”. If you know windows security, then you know that the “System” user is the highest level of authority that you can have. The operating system thinks you are the internal “system”. 

This hack requires physical access to the system and access to a DVD or USB drive. It is obtained by the manipulation of the Windows Hot-Keys “utilman.exe” file. This hack has been around (and known) since Windows XP and still works in the latest release of Windows 7. Because it is a manipulation of a windows service, it has never been patched. And actually, it is used as a solution, with instructions, on Microsoft’s Technet forum. 

After manipulation, once the hotkey is pressed, it instantly opens a command prompt window as the user “System” at the login screen. Typing “explorer.exe” in the command prompt gives you a desktop with the password prompt still visible in the background (See picture). From here, many of the features of windows are functional. In the following picture you can see the open “Start Bar” & “Internet Explorer” window, along with the login prompt in the background:


Amazingly, this works in Windows Server products as well. If someone had access to your computer and manipulated the hot-keys, they could get system level access to your server at a later date via the hot-key without rebooting your system. Therefore, it is imperative to keep physical security as a top concern in your business. Make sure that your server is in an area that is not available to public traffic and preferably in a locked room. Take extra care with your laptops. Do not leave them in areas that are unattended. 

It is always a good idea to disable services that are not needed. Also, disable booting to external devices and using boot passwords helps. Unfortunately, disabling the Windows hot-keys is not well documented. With Windows 7, Microsoft recommends a third-party program to tweak these settings. Supposedly you can also do this with a Windows policy edit, but I have not seen this documented either. I have also seen some sites recommend renaming the “utilman.exe” file to something else if not needed. But the best defense is strong physical security.