Comments on: Playing with utilman.exe

By: Didier Stevens

Didier Stevens — Fri, 04 Jul 2008 17:51:08 +0000

I’ve made a movie for XP about 2 years ago: http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/

If you replace utilman.exe on XP, you’ll see WFP in action as it replaces utilman.exewith the cached original file. This is a feature thathas been abandoned in Vista.

I wonder if my video inspired Offensive Security.

By: ZenMasterBob

ZenMasterBob — Thu, 03 Jul 2008 18:15:13 +0000

Over at Offensive Security they have a video instruction where they simply renamed utilman.exe to utilman.old, then copied cmd.exe to utilman.exe, on a Vista machine. It gives you a command prompt right from the login screen.

http://www.offensive-security.com/movies/vistahack/vistahack.html

By: Dave

Dave — Mon, 14 Apr 2008 11:59:29 +0000

Thanks for the clarification. I know that the Windows key and Sticky Keys function can be disabled. Does anyone know of any other similar backdoors for XP? I heard of the magnify.exe backdoor for Vista.

By: Didier Stevens

Didier Stevens — Mon, 14 Apr 2008 10:22:53 +0000

To avoid any confusion: this trick with utilman is not a local privilege escalation, it’s a local backdoor.

By: Dave

Dave — Sat, 12 Apr 2008 15:58:45 +0000

I came across a similar “trick” using sethc.exe but I guess that Sticky Keys can be disabled. I understand that this sort of behaviour can be seen with any file running as System but I guess that some such files might not take kindly to being messed around in this way!

Does anyone else have any tips about local privilege escalation (without prior knowledge of Admin PW) or files that run as System which can be used (safely)?

By: Didier Stevens

Didier Stevens — Fri, 04 Jan 2008 20:27:36 +0000

This is a clear indication that Windows detects a change in the sfcfiles.dll file. If you want, you can mail me the file and I’ll have a look at it.

By: drstrangelove

drstrangelove — Thu, 03 Jan 2008 15:41:09 +0000

Hi…

I’ve used XVI32 and PETools (I don’t find LORDPE) to modify sfcfiles.dll, but it hasn’t worked; my objective was to eliminate protected folders of %Program Files% (xerox, frontpage, etc). So, I searched all %Program Files% strings and changed first HEX 25 (%) to 00 (empty) as said on article, and afterthat, I rebuilt PE header with PETools; I put a copy of modified sfcfiles.dll into dllcache folder and rebooted…what was my surprise, on logon screen, winlogon said to have failed at start, I tried to logon writing my user and password, but computer restarted automaticly. What was wrong?

By: Didier Stevens

Didier Stevens — Wed, 22 Aug 2007 18:06:04 +0000

Ah yes, the famous debugger keys. Indeed, this works fine, someone mailed me a PoC using this trick.

By: jr

jr — Fri, 17 Aug 2007 21:17:26 +0000

There’s very easy way to replace utilman.exe or any other protected exe. Just create REG_SZ pointing to your custom exe on HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger. Windows will think you want to debug utilman.exe and launch program specified on Debugger registry key instead. If you want visible program you can use psexec (”psexec -s -accepteula cmd.exe” should work) or CreateProcessAsUser.exe (google for it).

By: steve

steve — Mon, 07 May 2007 19:32:44 +0000

There is another method - if you rename or delete the utilman.exe from %SystemRoot%\System32\DllCache first, then WFP will not find it to copy over the replacement.