This backdoor login method has been around since Vista. I keep checking to see whether
Microsoft has plugged this security breach, but incredibly, when I last
looked in Windows 8 it was still possible to access the system without
providing a username or password.
Once you have finished building my little Trojan horse you can log in by
clicking the 'Ease of access' icon situated at the bottom left of the main
login screen. Amazingly, this takes you straight to the Windows\System32
folder, logged on as the System account. At no stage did you enter a
username, never mind a password.
We are going to exploit the fact that the 'Ease of access' icon is wired
to Utilman.exe. At the heart of my plan is renaming Utilman.exe to
Utilman_orig.exe, then creating a copy of cmd.exe and finally renaming 'Cmd - copy.exe' to
Utilman.exe.
One more fact you should know about our plan: we have to log in as an
administrator to prepare the ground before we can subsequently make use of
this secret entrance.
Minor Setback - File Permissions Problems
Utilman.exe is found in the Windows\System32 folder, and this location
gives the file a measure of protection from renaming. However, we can outsmart Windows 8's
security by taking ownership of the file, giving ourselves full control, then
renaming it as planned.
Log on as an administrator.
Launch Windows Explorer and navigate to the Windows\System32 folder.
Right-click the Utilman file.
Now you should see the screenshot below.
Select the Security tab, then the Advanced button, and then look for 'Change'. Our task is to replace
TrustedInstaller with your account (Administrators should also work).
Only when you have usurped TrustedInstaller by taking ownership can
you change the permissions, and you will need Full control to rename this
file.
Click on 'Edit' (see highlight in screenshot to the right)
Tick Allow Full control for either just your own account or all local
administrators.
Remember the plan? Time to rename Utilman to Utilman_orig (or similar).
Take a copy of cmd.exe, which is also in the Windows\System32
folder (right-click the file, Copy).
Paste the file; you should see 'Cmd - copy'.
Repeat the taking-ownership procedure for the file 'Cmd - copy'; the
technique should be fresh in your mind from Utilman.
Now rename 'Cmd - copy.exe' to Utilman.exe [Key point]
Once you have completed the above tasks the login is unbelievably easy: at the main login screen click the
'Ease of access' icon, see arrow below.
One tiny point: you may need to press Enter to get rid of the splash
screen and see this symbol at the bottom of the main login screen.
At the Windows 8 login screen, click on the 'Ease of access' icon (see right).
You should now find yourself at the Command Prompt.
Try whoami (System account).
Brush up your DOS commands!
Alternatively, try PowerShell.
Regedit is also available.
One pleasant benefit of this secret second logon is that you can log on with
a Remote Desktop Connection at the same time as using the back-door login.
Regrettably, I have yet to find a way of launching the normal Windows GUI;
typing 'Explorer' does not work. Still,
there is lots you can do from the cmd or PowerShell interfaces.
And when you have finished, type 'exit'.
Security Appraisal of the Back Door Logon Method
The more I think about it, the more this backdoor login is a novelty rather than a security
threat. You have to be able to log on before you can create this secret
trap-door. Whatever you make of this technique, you have to
smile at Microsoft's unintended meaning of 'Ease of access'.
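A defender's counterpart to the procedure above, added here as an example and not part of the original article: a PowerShell function that checks whether the Utilman.exe on a machine is still the genuine accessibility launcher or has been swapped for a copy of cmd.exe. It assumes PowerShell 4 or later (for Get-FileHash) and the default System32 location; the function name Test-UtilmanIntegrity is my own.

```powershell
# Added example (not from the original article): audit Utilman.exe for the
# cmd.exe substitution described above. Run in an elevated PowerShell.
function Test-UtilmanIntegrity {
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $utilman  = Join-Path $System32 'Utilman.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = @()

    # 1. Identical hashes mean Utilman.exe is literally a copy of cmd.exe.
    $hUtil = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $hCmd  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    if ($hUtil -eq $hCmd) { $findings += 'Utilman.exe hash matches cmd.exe' }

    # 2. An Authenticode check alone is NOT enough: a copied cmd.exe is still a
    #    validly signed Microsoft binary. Its version resource, however, still
    #    records which file it was built as.
    $vi = (Get-Item $utilman).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -notmatch '^utilman\.exe$') {
        $findings += "OriginalFilename is '$($vi.OriginalFilename)', expected utilman.exe"
    }

    # 3. Ownership: System32 binaries ship owned by TrustedInstaller. Taking
    #    ownership (the first step of the rename trick) changes this.
    $owner = (Get-Acl -Path $utilman).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "Owner is '$owner', expected NT SERVICE\TrustedInstaller"
    }

    # 4. The renamed original (e.g. Utilman_orig.exe) is usually left behind.
    Get-ChildItem -Path $System32 -Filter 'utilman_*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Leftover renamed binary: $($_.Name)" }

    [pscustomobject]@{
        Path     = $utilman
        Sha256   = $hUtil
        Owner    = $owner
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-UtilmanIntegrity | Format-List
```

If Tampered comes back True, running sfc /scannow restores the genuine Utilman.exe from the component store.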
As for real Microsoft operating system back doors, this is what the company
says:
"Microsoft has not and will not put 'backdoors' into Windows," a company
spokeswoman said, reacting to a Computerworld story Wednesday.
On Monday, Richard Schaeffer, the NSA's information assurance director,
told the Senate's Subcommittee on Terrorism and Homeland Security that the
agency had partnered with the developer during the creation of Windows 7 "to
enhance Microsoft's operating system security guide."
See more on backdoor logins.
The idea behind this Windows 8 backdoor login is to re-program Utilman. As a
result, if you call for 'Ease of access', then you can log in as the System account without needing to supply a password. One limitation,
which I have yet to overcome, is that you get a command prompt shell rather than a
Windows Explorer GUI.