Comments on: Playing with utilman.exe

By: Didier Stevens

Didier Stevens — Tue, 06 Oct 2009 19:06:00 +0000

And you’ve done the necessary to prevent Windows File Protection from restoring the original utilman.exe?

You can try what’s explained in comment #16 as an alternative to circumventing WFP.

By: MF

MF — Tue, 06 Oct 2009 06:13:33 +0000

Yes, I compiled the third example and replaced the “Default”-Desktop with “Winlogon”.

Still not working…

By: Didier Stevens

Didier Stevens — Mon, 05 Oct 2009 16:28:59 +0000

It only works if you compile the program and replace utilman.exe with it.

By: MF

MF — Mon, 05 Oct 2009 10:41:17 +0000

Hi all, does somebody know if MS changed the described functionality?

I cannot start a visible process on Windows XP SP3 with Win + U. Only the real utilman.exe is doing this.
If I start it normally in a user session, the message is shown just fine.

Thx, best regards

By: Didier Stevens

Didier Stevens — Fri, 04 Jul 2008 17:51:08 +0000

I’ve made a movie for XP about 2 years ago: http://blog.didierstevens.com/2006/09/05/playing-with-utilmanexe-the-motion-picture/

If you replace utilman.exe on XP, you’ll see WFP in action as it replaces utilman.exewith the cached original file. This is a feature thathas been abandoned in Vista.

I wonder if my video inspired Offensive Security.

By: ZenMasterBob

ZenMasterBob — Thu, 03 Jul 2008 18:15:13 +0000

Over at Offensive Security they have a video instruction where they simply renamed utilman.exe to utilman.old, then copied cmd.exe to utilman.exe, on a Vista machine. It gives you a command prompt right from the login screen.

http://www.offensive-security.com/movies/vistahack/vistahack.html

By: Dave

Dave — Mon, 14 Apr 2008 11:59:29 +0000

Thanks for the clarification. I know that the Windows key and Sticky Keys function can be disabled. Does anyone know of any other similar backdoors for XP? I heard of the magnify.exe backdoor for Vista.

By: Didier Stevens

Didier Stevens — Mon, 14 Apr 2008 10:22:53 +0000

To avoid any confusion: this trick with utilman is not a local privilege escalation, it’s a local backdoor.

By: Dave

Dave — Sat, 12 Apr 2008 15:58:45 +0000

I came across a similar “trick” using sethc.exe but I guess that Sticky Keys can be disabled. I understand that this sort of behaviour can be seen with any file running as System but I guess that some such files might not take kindly to being messed around in this way!

Does anyone else have any tips about local privilege escalation (without prior knowledge of Admin PW) or files that run as System which can be used (safely)?

By: Didier Stevens

Didier Stevens — Fri, 04 Jan 2008 20:27:36 +0000

This is a clear indication that Windows detects a change in the sfcfiles.dll file. If you want, you can mail me the file and I’ll have a look at it.