Sunday 30 April 2017

Hack any Windows OS - UtilMan scripts now added to E2B v1.92f

Note: This blog post has been changed to match E2B v1.92f and later versions of E2B! v1.92f is now even easier to use than v1.92e!
For updated details, go to the Easy2Boot website page here.

As you may know, if you have not encrypted your Windows OS with BitLocker, it is quite easy to get into your OS by using the trick of replacing UtilMan.exe and\or SetHC.exe with Cmd.exe.

Once you have done this, you can hit WINKEY+U or press the SHIFT key five times to bring up a Windows cmd shell box with full admin rights! You can then create a new Admin account and log into Windows.

This is especially useful if you have a system handed in for repair and the client does not know or remember any of the Admin account passwords.

To semi-automate this process and save some typing, E2B v1.92e now contains a new \_ISO\docs\utilman folder which contains four .cmd script files.

UtilMan1PE_Patch.cmd              - replaces UtilMan.exe and Sethc.exe with Cmd.exe
UtilMan2Win_MakeAdmin.cmd (2.cmd) - creates a new 'ADMIN' user account (password 'admin')
UtilMan3Win_DelAdmin.cmd (3.cmd)  - deletes the ADMIN user account
UtilMan4PE_Restore.cmd            - restores UtilMan.exe and Sethc.exe

Here is how to use them:

Requirements


  1. Removable E2B USB Flash drive (or E2B USB HDD + WinHelper Flash drive)
  2. Windows 10 Microsoft Home or Pro ISO file at \_ISO\WINDOWS\WIN10 folder

Method

1. E2B Windows 10 Install ISO + Hack Windows XML file

Boot from a Windows Installation ISO (or any WinPE) - preferably a recent Windows 10 install ISO because it will have the most up-to-date drivers.

It is easiest to boot from a Windows 10 ISO on E2B and choose the
Hack Windows (UtilMan.exe).xml
file.

On a Removable E2B drive this automatically runs the UtilMan1PE_Patch.cmd file. Note that this will patch any version of Windows that it finds on any valid partition (as long as Windows uses the \Windows folder).

Otherwise, if booting from an E2B USB HDD, you will need to press SHIFT+F10 in WinPE and manually run the UtilMan1PE_Patch.cmd file from the USB drive using the PE command shell (or from a WinPE file browser).

Backups (.bak) are kept in the \Windows\System32 folder.
Note that UtilMan2Win_MakeAdmin.cmd will be copied to \Windows\System32\2.cmd and UtilMan3Win_DelAdmin.cmd is copied to \Windows\System32\3.cmd for later use under Windows.

2. Trick Windows into giving full admin access

Reboot to Windows and at the login screen, press WIN+U (or tap the SHIFT key five times) - you should see a Windows command prompt open up.

You can also click on the Accessibility icon to launch a command prompt.

Now just type 2 to run C:\Windows\System32\2.cmd (which is copy
of UtilMan2Win_MakeAdmin.cmd) to add a new ADMIN account.

At this point, you may need to reboot to Windows again in order to be able to log in as ADMIN, but a quicker alternative is to choose the power option of 'Sleep' (if available) and then press the physical power button to switch back on the computer and you should see the ADMIN user login choice is now offered to you.





Now you can log in as ADMIN (pwd=admin) and do whatever you want to do!


3. Delete the ADMIN account from Windows

At the Windows login screen run WIN+U and type 3 to run 3.cmd (a copy of UtilMan3Win_DelAdmin.cmd) to delete the ADMIN account that was created previously.


You will be asked if you want to delete the C:\Users\ADMIN account folder.

4. UnHack UtilMan.exe

Finally, we need to unpatch the files, by rebooting to WinPE again and running UtilMan4PE_Restore.cmd.

Do this by booting to E2B - Install Win10 ISO and choosing the
UnHack Windows (restore UtilMan.exe).xml file.

This automatically runs UtilMan4PE_Restore.cmd for you.

You should check that the files have been restored.

The backup files xxxxxx.exe.bak and 2.cmd and 3.cmd will not be deleted.




Notes

You will need Administrator privileges for the commands and .cmd scripts to work.

The four .cmd scripts can be copied and used anywhere (e.g your own boot.wim or .imgPTN files or CD\DVD\ISO).

If you want to alter the E2B Utilman .cmd files, you should do it by copying the whole \_ISO\docs\utilman folder to somewhere else (e.g. \Roger\utilman) and then rename and change the two .XML files to point to your new folder using NotePad. Do NOT just edit the original E2B files because when you update E2B, they will be overwritten by the current version again!

Let me know if you have any comments or problems.

Note: The script also attempts to create a .\ADMIN account if your system is on a Domain. I have not tested if this works and you may have to edit the commands. Let me know if they can be improved.

I have deliberately not used such powerful universal commands as:
net user administrator *
net user administrator /active:yes
in case an administrator account was already being used.

If the system already has an admin account, it may change the password to 'admin'.

If the system is on a corporate domain, the UtilMan and SetHC trick can be prevented by using Policies (see here).

If you lose the backup files or have problems restoring UtilMan.exe and SetHC.exe, then from an Administrator command prompt, type:

sfc /scanfile=\windows\system32\utilman.exe
sfc /scanfile=\windows\system32\sethc.exe

Tip: To get from a PowerShell Admin command prompt to an Admin cmd shell, type cmd and hit ENTER.

Note: Recent versions of Windows 10 have broken SFC and it is unable to restore these files!!


The latest v1.92 download is in the MS OneDrive Alternate Download Area.

No comments:

Post a Comment