Computer Performance, Microsoft Windows 8

Windows 8 Backdoor Login

How to Create a Windows 8 Backdoor LoginWindows 8 Backdoor login

This backdoor login method has been around since Vista, I keep looking to see if Microsoft has plugged this security breech, but incredibly when I last looked in Windows 8 it was still possible to access the system without providing a username or password.

 ♦

The Easy Windows 8 Backdoor Login MethodWindows 8 Backdoor login

Once you have finished building my little Trojan horse you can login by clicking the 'Ease of access' icon situated at the bottom left of the main login screen.  Amazingly, this will take you straight to the Windows\System32 folder where you are logged on as the system account.  At no stage did you enter a username, never mind a password.

Windows 8 Backdoor Login Plan

We are going to exploit knowledge that the 'Ease of access' Icon is wired to Utilman.exe.  At the heart of my plan is renaming utilman.exe to utilman_orig.exe, then creating a copy of cmd.exe and finally, renaming 'cmd copy.exe' to utilman.exe.

One more fact you should know about our plan, we have to login as an administrator to prepare the ground before we can subsequently make use of this secret entrance.

Minor Setback - File Permissions Problems

Utilman.exe is found in the Window\System32 folder and this location gives the file a measure of protection from any renaming.  However, we can outsmart Windows 8's security by taking ownership of the file, giving ourselves full control, then renaming it as planned.

  • Logon as an administrator.
  • Launch the Windows Explorer, navigate to the Windows\System32 folder.
  • Right-click the Utilman file.
  • Now you should see the screenshot below. 
  • Select the Security tab, Advanced (button), and then seek 'Change'.  Our task is to replace TrustedInstaller with your account (administrators should also work).

How to Create a Windows 8 Backdoor Login

Recommended: Solarwinds' Permissions Analyzer - Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like the Permissions Analyzer because it enables me to see WHO has permissions to do WHAT at a glance.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, and takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free SolarWinds utility saves when you are troubleshooting authorization problems for user's access to a resource.  Give this permissions monitor a try - it's free!

Download SolarWinds' Free Permissions Analyser - Active Directory Tool

Take Ownership and Edit PermissionsWindows 8 Backdoor logon

Only when you have usurped the TrustedInstaller by taking ownership can you change the permissions - and you will need full control to rename this file.

  • Click on 'Edit' (see highlight in screenshot to the right)
  • Tick Allow Full control for either just your own account or all local administrators.
  • Remember the plan?  Time to rename Utilman to Utilman_orig (or similar).
  • Take a copy of cmd.exe, which is also in the Windows\System32 folder.  (Right-click the file, Copy).
  • Paste the file; you should see 'Cmd - copy'.
  • Repeat the taking ownership procedure for the file 'Cmd - copy', the technique should be fresh in your mind from Utilman.
  • Now rename Cmd - copy.exe to Utilman.exe [Key point]

How to Use Your Windows 8 Backdoor Login

Once you have completed the above tasks the login is unbelievably easy; at the main login menu click the 'Ease of access icon', see arrow below.

One tiny point, you may need to press enter to get rid of the splash screen and see this symbol at the bottom of the main login screen.

Windows 8 Backdoor logon

Guy Recommends:  SolarWinds' Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches - give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Test Your Windows 8 Backdoor CapabilitiesWindows 8 Backdoor login

  1. At the Windows 8 Login screen, click on 'Ease of access' icon (see right).
  2. You should now find yourself at the Command Prompt.
  3. Try whoami  (System account).
  4. Brush up your DOS commands! 
  5. Alternatively, try PowerShell.
  6. Regedit is also available.

One pleasant benefit of this secret second logon is that you can logon with a Remote Desktop Connection at the same time as using the back door login.  Regrettably, I have yet to find a way of launching the normal Windows GUI, typing 'Explorer' does not work; still, there is still lots you can do from the cmd or PowerShell interfaces.  And when you have finished type 'exit'.

Security Appraisal of the Back Door Logon Method

Naively, I used to think you had to logon before it was possible to create this secret trap-door; but then Bruce G, contacted me with techniques to rename cmd.exe to utilman.exe on a locked machines. 

Probably the easiest trick is this:

  • Boot from a Windows 8 DVD
  • Select 'Repair your computer'
  • 'Choose a recovery tool'
  • Select the command prompt.
  • Reprogram cmd.exe thus:

C:\
Cd windows\system32
Ren utilman.exe utilman.exe.old
Copy cmd.exe utilman.exeWindows 8 Backdoor login

Reboot the machine normally
and select 'Ease of Use'.

Another methods would be to remove the hard disk, make it a slave in a machine where you have access, and rename utilman.exe as above.

Whatever you make of these techniques, you have to smile at Microsoft's unintended meaning of 'Ease of access'.

As for other Microsoft operating system back doors, this is what the company says:

"Microsoft has not and will not put 'backdoors' into Windows," a company spokeswoman said, reacting to a Computerworld story Wednesday.

On Monday, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the agency had partnered with the developer during the creation of Windows 7 "to enhance Microsoft's operating system security guide."  See more on backdoor logins.

Summary of Windows 8 Backdoor Login

The idea behind this Windows 8 backdoor login is to re-program Utilman.  As a result, if you call for 'Ease of access', then you can login as the System account without the need to supply a password.  One limitation, that I have yet to overcome, is that you have a command prompt shell rather than an Windows Explorer GUI.

If you like this page then please share it with your friends

 


Microsoft Windows 8 Install Related Topics

How to Install Windows 8  • Windows 8 Live ID Logon  • Win 8 Install  • Windows 8.1 Install

Windows 8 Uninstall  • Windows 8 Hyper-V  • Join Windows 8 to Domain  • Windows 8 Dual Boot

Windows 8 Remote Desktop  • Windows 8 Backdoor Login  • Windows 8 RecImg - Recreate Image

 *


Custom Search

Site Home

Guy Recommends: SolarWinds' NPM - Review of Orion NPM
Network Performance Monitor

SolarWinds' performance monitor is designed for detecting network outages, making it easy to see what's working, and what needs your attention.

This utility guides you through creating network maps; it also helps identifying whether the root cause is faulty equipment, or resource overload. Give NPM a try.

Download a free trial of Network Performance Monitor

Article by: Guy Thomas Copyright © 1999-2017 Computer Performance LTD All rights reserved.

Please report any broken link, or an error to: