Backdoor windows login by replacing utilman.exe

Forgot windows login password? Need to drop a simple backdoor on windows? Then this blog will help you. Utilman.exe is a program designed for users with some disabilities. Utilman enables accessibility features like magnification, narration, virtual keyboard, high contrast themes, etc. This can be helpful for people who have poor vision or with hearing problems. This is a security vulnerability and can be exploited by a hacker with clear idea on Windows systems.

Utilman icon can be found on the bottom left of login screen. It can be opened by pressing start+U . Even though this appears to be front door on the login screen itself, technically this is a backdoor. The main security issue is the program is executed with admin privileges. We can replace the utilman with any other programs like cmd or even something evil. This can do some serious damage to any Windows system.

How to replace utilman.exe?

Since the file is located on “windows\system32” directory we access to the filesystem. Either we need a previously logged in session with admin privilege. If you don’t have logged in session or got yourself locked out, we have two alternate methods.

1. Remove hard drive and plug it to another working system so that you may get filesystem access.

2. Use any linux live boot cd like kali linux or ubuntu or even lightweight editions.

Use any of the method as mentioned above to get access to filesystem. If you have a live boot CD that would be great, just insert the cd and select live boot option. Once it boots you will get access to the C drive. Somehow using any of the method get access to C drive and follow the steps.

1. open C:/ > Windows > system32

2. Find utilman.exe and rename to utilman.exe.backup

3. Make a copy of cmd.exe and rename it to utilman.exe

Put back the hard drive if you used method 1. Remove the boot cd and reboot if you are on live cd. If you are on a logged in system just reboot it. After the reboot click on the utilman icon or press start + U .  The command prompt window will be opened. Since its running with admin privilege we can takeover the system completely. You can reset the password by the following commands.

find out the username using the command below.

net user

Reset the password to null

net user username *

You can use this as a backdoor so that you won’t get locked out yourself or reset forgotten password. Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.

susmith HCK

susmith HCK

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you. If you like all these stuffs add me on Facebook and Google plus.

Leave a Reply

Your email address will not be published. Required fields are marked *