Didier Stevens

Tuesday 5 September 2006

Playing with utilman.exe, The Motion Picture

Filed under: Hacking — Didier Stevens @ 10:00

For a demo of My second playdate with utilman.exe, go here on YouTube.


  1. I think you will find there is a good audience and a large hunger for security/admin related video demos and such. 🙂 I know I sponge them up like nothing else, and I see regular requests on mailing list and blog comments as well…and there tend to not be so many of them around. Grab a webcam or digital video camera or even just Camtasia (screen capture) and a distribution path, and you be set! IronGeek is an excellent current example, and people like me with The Broken would get revived…

    (Yes, I’ve long thought about it, but I have enough going on in life right now, that I can’t devote to it. 🙂 )

    Comment by LonerVamp — Wednesday 6 September 2006 @ 15:48

  2. I like your idea, and I’m rediscovering IronGeek.

    Comment by Didier Stevens — Friday 8 September 2006 @ 16:46

  3. I found another way of replacing the utilman.exe without doing the bartPE or the utilites from SysInternals. If you goto the folder C:\windows\system32\dllcache and replace the utilman.exe with the fake one and then replace the one in the System32 file then on startup it will prompt the user that files have been changed. But if you are using this to gain access to the desktop then as soon as you login you can ignore it and youll never see it again.

    Comment by Matt — Wednesday 29 November 2006 @ 20:49

  4. Thanks Matt, I’ll try this.

    Comment by Didier Stevens — Wednesday 29 November 2006 @ 20:56

  5. so you frst have to have administrator rights to modify the system befor you can exploit it in person for this tutorial?

    Comment by MR_FLIBBLE — Thursday 1 February 2007 @ 6:57

  6. Indeed, this is an example of a backdoor, not privilege escalation.

    Comment by Didier Stevens — Thursday 1 February 2007 @ 7:46

  7. Hi there,thank you for that trooly cool trick.
    I wanna suggest you kind of technique to backdoor the system not modifying any file.

    Here is very interesting regkey:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    using it you could easily backdoor a system.
    just create there key named utilman.exe and string param in it named Debugger. Value of this param is the path to file you wanna launch instead of utilman.exe. so

    Finaly it’ll look like:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]

    So notepad will be launched instead of utilman.exe.

    Best Regards, Sp00f

    Comment by sp0x0f3d_1p — Thursday 22 March 2007 @ 15:05

  8. I’ll have to try this. We use this key to debug programs, but it didn’t occur to me to use it for utilman. Your example with notepad will launch notepad on the services desktop, so you will not see it on your desktop.

    Comment by Didier Stevens — Saturday 24 March 2007 @ 7:39

  9. yeah,i know,but you have already shown how to write launcher to attach process at current desktop.so the main goal of tech i described is to run the attack without rebooting and overwiting system files…so you dont have to bypass any windos file protection…and more..if it’s impossible to get launcher on the target sys it’s possible to override the call of utilman and pass some arguments to our intercepting prog(cmd for example)and to run smth.
    But in most cases we will be able to deliver the launcher to the target system.and even more…if you patch dll or overwite util man..and after that target will check system integrity..you will be detected…and if you yo use debugger interception..nothing will break system untegrity coz using that registry key is legal from the point of view of most AV and other sec software.
    But if you still want to break WFP you could use more stealth tech.we assume that you already have Admin Rights on target system.so you could easily bypass WFP and again without modifying any dll..you just have to openprocess() winlogon and to cut its handles to c:\windows(dir) c:\windows\system32(dir) and dllcahe(dir) and now untill next reboot WFP will be blind to your activity..and after rbooting it will not detect that you changed smth.
    Waiting for your comments.
    best Regards, Sp00f.
    PS i’m gonna write small prog utilizing the tech described..could send you if you are interested.

    Comment by sp0x0f3d_1p — Monday 26 March 2007 @ 6:14

  10. Looks interesting. If you do make the prog, please send it to me.

    Comment by Didier Stevens — Tuesday 27 March 2007 @ 20:30

  11. I’ve been a regular viewer here for a little while but missed this one. What an intriguing trick!

    Like you, I’ve been thinking a little laterally. There are plenty of articles around about disabling WFP, either temporarily or permanently, but what about *adding* a file to WFP? I realise that the appropriate file will have to be put into the cache, but I foresee problems editing %systemroot%\sfcfiles.dll. When utilman.exe entries are zeroed, the length of %systemroot%\sfcfiles.dll remains the same but the CRC must be changed and I can understand that. However, if I wanted to add myfile.exe to %systemroot%\sfcfiles.dll, I’d have to add it several times and that will increase the length of %systemroot%\sfcfiles.dll. Will that matter? I don’t have a spare “lab” PC at present to play around and I don’t feel inclined to use my working PC!

    I don’t have any need for adding myfile.exe to WFP, I just put my brain into gear and let it run: “how does WFP really work?” and “what else can be done?”.



    Comment by Dave — Wednesday 27 June 2007 @ 18:30

  12. Very interesting idea. The length of sfcfiles.dll doesn’t necessarily have to increase. You see, there is a bit of spare room in PE files. The size of each section in a PE file is rounded (up to the nearest 0x100 multiple, if I remember correctly). So on average, you’ll have 128 bytes of spare room to add your file.

    Comment by Didier Stevens — Thursday 28 June 2007 @ 20:26

  13. very interesting, but I don’t agree with you

    Comment by Idetrorce — Saturday 15 December 2007 @ 10:58

  14. anyone help how to get this work with regedit?

    Comment by Thim — Monday 16 June 2008 @ 15:24

  15. I’ve revisited the utilman.exe trick and it seems that Microsoft have managed to disable it in Windows XP Pro SP3. I’ve just tried it on my fully patched PC and it doesn’t work. I wondered if it was because I had only put the new utilman.exe (i.e. renamed version of cmd.exe) into c:\windows\system32 so I tried putting a copy into just c:\windows\system32\dllcache (it didn’t automatically put a copy into c:\windows\system32, presumably because Windows realised that the “utilman.exe” wasn’t the real thing) and then I tried putting a copy into both c:\windows\system32 as well as c:\windows\system32\dllcache. Nada. I put everything back as it should be and, sure enough, I could start the Utility Manager from the Windows login screen using Windows+U.

    I don’t know if you (Didier) have any inside information from your sources about how to make the trick work again? Alternatively, I don’t know if anyone else might have any clues? I see that sp0x0f3d_1p was very active in his/her (apologies as I don’t know which is correct!) contribution to this topic so that might be another way of investigating. I know that you (Didier) will be able to access the contact e-mail address so you might just want to fire a quick message as I doubt that sp0x0f3d_1p will look at this thread routinely.

    Comment by Dave — Wednesday 28 January 2009 @ 22:09

  16. “If you want to hack windows system password all you need is to change osk.exe or magnify.exe by a winrar version compined with a cmd.exe .
    and replace this fake osk.exe by the real one in dll cache and after by the one fined in system32 so when we will press winlogon+U before accessing to the desktop we can enter to cmd.exe by clicking on on-screen-keyboard to start and we can change administrator password :
    net user
    net user administrator xxx
    and if we need to know the password we can crack it by ntlm and nt hashes by copying a file from a usb or a cd through cmd to the local drive c:/ using john the ripper you can know password or even you can let an ppsr.exe password protected system recovery while this program is launched you can know the password of the user and access it ..

    Comment by Youssef Obeid — Saturday 28 February 2009 @ 8:08

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.