Bypassing Windows 10 password with Utilman.exe trick - fixed?

  • Recently I ran into a locked-down laptop with the Windows 10 OS (actually I guess it was upgraded from Windows 7, if that matters). My colleague was using this computer some time ago and lost his login and password, so now we can't log into this computer.

    Of course we are able to boot it from an external drive and copy all the necessary data, so that's not a problem.

    I remembered the old popular trick of swapping cmd.exe with Utilman.exe (or osk.exe or sethc.exe) to run cmd and change the user password. But when I tried to do this (I ran cmd from the system repair utilities) I actually couldn't find those files to swap them with cmd.exe. There was no utilman.exe, no osk.exe, no sethc.exe in Windows/system32/ nor in other directories.

    I also tried this tutorial on manipulating the registry, with no effect.

    So I'm wondering whether these Windows vulnerabilities were fixed? Or maybe these tools that show up on the login screen are hidden or loaded in a different way now?

    It's not really a vulnerability - once you get write access to the storage drive it's game over. Windows could've changed how they handle the login screen so it's not as "easy" as swapping an exe file but you can still pwn it by changing the DLLs that handle the login screen.

    @AndréBorie I didn't know about the DLL-changing method; do you know which of them are responsible for the login screen? Anyway, in that case what was strange for me was that all the executables I mentioned above were missing from the Windows directory and its subfolders, even though these tools on the login screen were working normally. May these tools be hidden somehow, changed or, I don't know, encrypted?

    @schroeder My question was not about cracking Windows passwords in general. As written above, I was wondering whether something has changed in the Windows tools that are available from the login screen, to prevent changing the user password with cmd.exe. Other advice in general is also welcome, though, since in a few days I'll have to recover the login to this computer or reinstall the system.

    I have used this method on Windows 10 successfully very recently. It hasn't been changed. At the login screen, do you see the utilman button? Can you click it and get the utilman.exe GUI?

    I remember that a few months ago I could actually do that trick on Windows 10; I believe it was Home edition.

    You can always register a service by creating the necessary entries in the registry. You can have that service reset some user's password too.

    Can anyone confirm whether this still works on Windows 10 1809? I tried the relevant lower portion of the HTG guide on it here, and am positive I renamed all the right files, but on reboot, clicking Utilman.exe simply does nothing. Running in a VM with VMWare for what it's worth.

  • I don't think that this method of alternate access has been removed or altered in most versions of Windows 10. And even if those executables were naively deleted to try to prevent using them for that purpose, simply creating executables with those names that point to cmd.exe would still work without additional effort (which could then be reversed, as usual, once the attacker has direct access to the filesystem).

    I've sampled five systems: two of which were fresh installs, and three of which were upgrades (one from Windows 8.1, two from Windows 7). All of them have sethc.exe, Utilman.exe, and osk.exe in C:\Windows\system32.

    Your installation of Windows 10 appears to be non-standard in some way. I would be very interested to hear from any other users who have the same setup as yours, to try to determine what they have in common.

    UPDATE 2019-09-22: Looks like Windows Defender may have closed this family of loopholes.

    Thanks for your answer. As I remember, my friend told me that it was very likely that this particular installation was altered, as the user had administrative permissions on that system.

    This is not true. I just tested the `Utilman.exe` hack and Windows Defender marked the .EXE as a Trojan and prevented it from running. Build is Win10 1803, BTW.

    You mean that it's *no longer* true. :) It looks like Windows Defender started detecting this in November 2018 (about ten months after the original question and answer above). Interesting that they've closed the loophole! I wonder if other AV detects it now as well (since IIRC most of Windows Defender is disabled when third-party AV is active).
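The swap the thread describes (an accessibility helper on the login screen replaced by a copy of cmd.exe) leaves a simple trace on disk: the helper's bytes become identical to cmd.exe. The following added example, which is not code from the thread or from any of its participants, checks an offline-mounted System32 for exactly that, and also reports the "all three files missing" situation the asker saw. It assumes the directory passed in is a Windows System32 folder or a copy of it; the sample directory it builds for demonstration is constructed, not real binaries.

```python
"""Integrity check for the login-screen accessibility binaries named in the
thread (utilman.exe, sethc.exe, osk.exe). Added example, not from the thread.
Assumption: `system32` is a mounted or copied Windows\\System32 directory."""
import hashlib
import os
import tempfile

# The three accessibility executables the thread discusses.
ACCESSIBILITY_EXES = ("utilman.exe", "sethc.exe", "osk.exe")


def sha256_of(path):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_accessibility_binaries(system32):
    """Return {name: status} with status 'ok', 'missing' or 'replaced-with-cmd'.
    A helper whose hash equals cmd.exe's would launch a SYSTEM shell from the
    login screen instead of the accessibility tool."""
    cmd_path = os.path.join(system32, "cmd.exe")
    cmd_hash = sha256_of(cmd_path) if os.path.isfile(cmd_path) else None
    report = {}
    for name in ACCESSIBILITY_EXES:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            report[name] = "missing"          # what the asker observed
        elif cmd_hash is not None and sha256_of(path) == cmd_hash:
            report[name] = "replaced-with-cmd"
        else:
            report[name] = "ok"
    return report


def build_sample_system32():
    """Constructed stand-in for System32: sethc.exe is a byte-for-byte copy
    of cmd.exe (swapped), utilman.exe is untouched, osk.exe is absent."""
    d = tempfile.mkdtemp()
    files = {"cmd.exe": b"CMD-BYTES", "sethc.exe": b"CMD-BYTES",
             "utilman.exe": b"UTILMAN-BYTES"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    print(check_accessibility_binaries(build_sample_system32()))
```

On a live system the same question can be answered with the Authenticode signature and file version of each helper (for example PowerShell's `Get-AuthenticodeSignature`), since a genuine utilman.exe is Microsoft-signed and not described as a command processor.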

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM