15

Recently I ran into a locked-down laptop with Windows 10 (actually I guess it was updated from Windows 7, if that matters). My colleague was using this computer some time ago and lost his login and password, so now we can't log into this computer.

Of course we are able to boot it from an external drive and copy all the necessary data, so that's not a problem.

I remembered the old popular trick of swapping cmd.exe with Utilman.exe (or osk.exe or sethc.exe) to run cmd and change the user password. But when I tried to do this (I ran cmd from the system repair utilities) I actually couldn't find those files to swap them with cmd.exe. There was no utilman.exe, no osk.exe, no sethc.exe in Windows/system32/ nor in any other folder.

I also tried this tutorial on manipulating the registry, with no effect.

So I'm wondering if these Windows vulnerabilities were fixed? Or maybe the tools that show up on the login screen are hidden or loaded in a different way now?

schroeder
deevee
    It's not really a vulnerability - once you get write access to the storage drive it's game over. Windows could've changed how they handle the login screen so it's not as "easy" as swapping an exe file but you can still pwn it by changing the DLLs that handle the login screen. – André Borie Feb 09 '17 at 15:25
  • @AndréBorie I didn't know about the DLL method; do you know which of them are responsible for the login screen? Anyway, what was strange for me in that case was that all the executables I mentioned above were missing from the Windows directory and its subfolders, even though these tools on the login screen were working normally. Could these tools be hidden somehow, changed or, I don't know, ciphered? – deevee Feb 09 '17 at 16:27
    @schroeder My question was not about cracking Windows passwords in general. As written above, I was wondering whether something has changed in the Windows tools that are available from the login screen, to prevent changing a user password with cmd.exe. Though other advice in general is also welcome, since in a few days I'll have to recover the login to this computer or reinstall the system. – deevee Feb 11 '17 at 12:05
    I have used this method on Windows 10 successfully very recently. It hasn't been changed. At the login screen, do you see the utilman button? Can you click it and get the utilman.exe GUI? –  Feb 16 '17 at 02:27
  • I remember that a few months ago I could actually do that trick on Windows 10; I believe it was Home edition – Tryna Learn Somethin Jan 01 '18 at 22:29
  • You can always register a service by creating the necessary entries in the registry. You can have that service reset some user's password too. – Joshua Jul 24 '18 at 19:03
    Can anyone confirm whether this still works on Windows 10 1809? I tried the relevant lower portion of the HTG guide on it here, and am positive I renamed all the right files, but on reboot, clicking Utilman.exe simply does nothing. Running in a VM with VMWare for what it's worth. – Hashim Aziz Oct 17 '18 at 00:10
  • Not enough rep to answer so I'll post it here: Yes - apparently it has been fixed. Windows Defender will flag the osk.exe (which is in fact cmd.exe) as a trojan (Trojan:Win32/AccessibilityEscalation.A) and it'll attempt to quarantine the item ASAP. When I say ASAP, I mean it is still possible to launch command prompt from the logon screen if you're too quick. But don't be surprised if command prompt complains about "unable to load resources" after the file is quarantined and inaccessible. Tested on Windows 10 22H2. – Salman A Jan 10 '23 at 19:38

4 Answers

5

So I'm wondering if these Windows vulnerabilities were fixed?

It's good to know that this is not a vulnerability, even though it ostensibly is. Microsoft TechNet publishes the "Ten Immutable Laws of Security" and in this case, laws two and three apply, which state respectively:

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Law #3 applies to gaining access to the command prompt, and Law #2 applies after you've done #3 (replacing sethc.exe with cmd.exe).

As for whether sethc.exe, utilman.exe, osk.exe, ..., and the Image File Execution Options trick can be used in Windows 10, I can access all four of these options in both builds 17063.1000 (Insider Preview) and 16299.125 (Creator's Update). While I am not 100% sure of the other versions, I believe there is no difference in the first version of Windows 10.

It is possible that you accessed the wrong drive. Often, when booting into the installation environment, the hard disks are assigned a different letter (I've normally gotten D:).

Justine Krejcha
    Thanks for this detailed answer. It appeared that the system installation was simply modified by the user. Creating a copy of cmd.exe with the new name sethc.exe and placing it in the proper folder actually did the trick – deevee Jan 02 '18 at 11:19
  • You're misinterpreting law 2. There are ways to help ensure the operating system has not been altered at runtime, specifically code signing, secure boot and HVCI. Changing files easily results in a detectable alteration. Or put another way, a working security system would make the OP alter everything in the boot chain from disabling secure boot, tampering with the bootloader, kernel, SMSS, etc. – user71659 Mar 14 '19 at 04:54
4

There is nothing "fixed" since there is nothing broken. This is no vulnerability. If you leave your drive unencrypted, it is prone to manipulation.

However, there has been a change: the utilman trick no longer works on Win10 machines that use Windows Defender as their AV solution, since Microsoft has recently begun to detect this method. Since September 2018, you need to use other ways.

However, there is still a chance to use the old method if you are a quick typist: start your machine in safe mode (keep Shift pressed while clicking on Restart and select advanced startup options, then F4 for safe mode). In safe mode, Defender starts a little later, which allows you to use the method for about 30 seconds. Just use this one-liner at the command prompt:

net user administrator /active newpass

Afterwards, you can log on with the account administrator and the password newpass.

Reference is my thread over here: https://www.administrator.de/contentid/391076

Hans Hase
3

I don't think that this method of alternate access has been removed or altered in most versions of Windows 10. And even if those executables were naively deleted to try to prevent using them for that purpose, simply creating executables with those names that point to cmd.exe would still work without additional effort (which could then be reversed once the attacker has direct access to the filesystem, as usual).

I've sampled five systems: two of which were fresh installs, and three of which were upgrades (one from Windows 8.1, two from Windows 7). All of them have sethc.exe, Utilman.exe, and osk.exe in C:\Windows\system32.

Your installation of Windows 10 appears to be non-standard in some way. I would be very interested to hear from any other users who have the same setup as yours, to try to determine what they have in common.

UPDATE 2019-09-22: Looks like Windows Defender may have closed this family of loopholes.

UPDATE 2021-10-14: "sfc /scannow" and "DISM /Online /Cleanup-Image /RestoreHealth", Windows updates, and Windows Defender and probably other AV will repair/replace any fake utilman.exe, sethc.exe, osk.exe. In order for these backdoors to remain permanent and immune to the self-healing aspects of Windows 10/11 you just need to remove all permissions from the files in question, especially System. You can test it by using the above two tools.

Royce Williams
    Thanks for your answer. As I remember my friend told me that it was very likely that this particular installation was altered as user had administration permissions on that system – deevee Jan 02 '18 at 11:15
  • This is not true. I just tested the `Utilman.exe` hack and Windows Defender marked the .EXE as a Trojan and prevented it from running. Build is Win10 1803, BTW. – SamAndrew81 Sep 22 '19 at 19:05
  • You mean that it's *no longer* true. :) It looks like Windows Defender started detecting this in November 2018 (about ten months after the original question and answer above): https://www.bleepingcomputer.com/news/security/windows-defender-can-detect-accessibility-tool-backdoors/ . Interesting that they've closed the loophole! I wonder if other AV detects it now as well (since IIRC most of Windows Defender is disabled when third-party AV is active). – Royce Williams Sep 22 '19 at 23:35
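As an added defender-side example (not part of this thread and not code from any of the answerers), the following PowerShell audit checks a Windows host for the three kinds of tampering the answers above describe: a logon-screen accessibility helper replaced by a copy of cmd.exe, an Image File Execution Options "Debugger" value redirecting the helper (the registry variant Justine Krejcha's answer mentions), and a file ACL stripped of the SYSTEM entry so that sfc, DISM and Defender cannot repair it (Royce Williams' 2021 update). It assumes it runs in an elevated session on the machine being inspected; the function name and the extra helper names beyond sethc/utilman/osk are my own choices, and the OriginalFilename comparison relies on Microsoft's own binaries carrying their real name in their version resource, which is an assumption to verify on your build.

```powershell
# Added audit example, not from the original thread. Run elevated on the host
# being inspected. Names and thresholds below are assumptions, not a standard.

$System32 = Join-Path $env:SystemRoot 'System32'

# Helpers the logon screen can launch before anyone signs in. sethc/utilman/osk
# are the ones named in the thread; the others are further well-known
# logon-screen helpers included here for completeness.
$AccessibilityTools = @('sethc.exe', 'utilman.exe', 'osk.exe',
                        'Narrator.exe', 'Magnify.exe', 'DisplaySwitch.exe')

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityToolIntegrity {
    [CmdletBinding()]
    param()

    $cmdHash  = (Get-FileHash -LiteralPath (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash
    $findings = @()

    foreach ($name in $AccessibilityTools) {
        $path   = Join-Path $System32 $name
        $issues = @()

        if (-not (Test-Path -LiteralPath $path)) {
            # The OP's symptom: the helper is absent from System32 entirely.
            $issues += 'missing from System32'
        }
        else {
            $file = Get-Item -LiteralPath $path

            # A renamed copy of cmd.exe keeps a valid Microsoft signature (catalog
            # signing keys off the file hash, not the file name), so a signature
            # check alone proves nothing. Compare the version resource and the
            # hash against cmd.exe as well.
            $base     = [IO.Path]::GetFileNameWithoutExtension($name)
            $original = $file.VersionInfo.OriginalFilename
            if ($original -and ($original -notlike "$base.*")) {
                $issues += "OriginalFilename is '$original', expected $name"
            }
            if ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $cmdHash) {
                $issues += 'byte-identical to cmd.exe'
            }

            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $issues += "signature status $($sig.Status)"
            }

            # Self-healing (sfc, DISM, Defender) needs SYSTEM to be able to touch
            # the file; an ACL with no SYSTEM entry at all is the trick used to
            # pin a tampered copy in place and deserves a look on its own.
            $acl = Get-Acl -LiteralPath $path
            $systemAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
            if (-not $systemAces) {
                $issues += 'no ACE for NT AUTHORITY\SYSTEM'
            }
        }

        # Registry variant: an IFEO Debugger value makes Windows start the named
        # "debugger" instead whenever this helper is launched.
        $ifeoKey  = Join-Path $IfeoRoot $name
        $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $issues += "IFEO Debugger set to '$debugger'"
        }

        $status = if ($issues) { 'SUSPECT' } else { 'OK' }
        $findings += [pscustomobject]@{
            Tool   = $name
            Path   = $path
            Status = $status
            Detail = ($issues -join '; ')
        }
    }

    return $findings
}

Test-AccessibilityToolIntegrity | Format-Table -AutoSize
```

A clean host reports every tool as OK with an empty Detail column; a host set up the way the thread describes shows "byte-identical to cmd.exe" or an OriginalFilename mismatch for the swapped helper, an IFEO line for the registry variant, and "no ACE for NT AUTHORITY\SYSTEM" where the ACL was stripped to defeat self-healing. Note that the signature check is deliberately the weakest of the four and is kept only to catch unsigned or modified binaries, for the reason given in the comments.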
2

I came across the same issue the other day and found out that this vulnerability was fixed at least on the latest Windows 10 build.

After digging through a few search results, I found out it is much easier to reset the password by editing the SAM database. There is no password required on the login screen after a reset. One of the free utilities to do this is Offline Windows Password & Registry Editor by Pogostick.

S.L. Barth