Friday 10 April 2020

Hack into any Windows User Account from a UEFI Secure Boot

A cheaper (i.e. free, but less convenient) alternative to Kon-Boot, is to use the well-known UtilMan.exe hack to create a new Admin account.

Easy2Boot contains two XML files which allow you to semi-automate the hack process which works even on Windows 10 systems. It will backup the hacked files for you and automate the creation of a new ADMIN account. By using a different XML file, it will also undo the hack.

This should work on UEFI32, UEFI64 and MBR\Legacy systems.

Since we can usually Secure UEFI64 Boot to the agFM menu system, this means we can even hack a Secure Boot-enabled system (as long as the Kaspersky efi shim is not blacklisted in the target systems DBx UEFI firmware list!).

All we need is a WinPE or Windows Install ISO. I use a standard Windows 10 Install ISO because it will have the latest chipset and USB drivers in it and I can use the same ISO to re-install or repair Windows if I need to.

Requirements

  1. E2B+agFM USB drive
  2. \_ISO\WINDOWS\WIN10\Windows10_x64.iso  (any WinPE\Win ISO should work)

Method

We first need to reboot the Windows target system and configure it so that it will restart in Safe Mode on the next boot.

This is for two reasons:
  1. To ensure that Windows is not in a sleep (fast boot) or hibernate state.
  2. To boot to Windows in Safe Mode which temporarily disables Windows Defender and so prevents it from un-doing the UtilMan.exe file hack.
This can be done without needing to log in to any Windows account on the target system.

Once the Windows target system is set to boot into Safe Mode on the next boot, then we just need to UEFI-boot to E2B+agFM and select the Windows\WinPE ISO and the Load UtilMan - Hack Windows XML file...


After the files have been patched under WinPE, you will then reboot to Windows and type [WinKey]+U after booting into Safe Mode and then type 2 quickly...


Besides creating a new Admin account, it also launches the Window Control Panel password app. to allow you to change any account password.

For full step-by-step instructions, see the UtilMan Hack page on the E2B website.

P.S. The way to avoid this hack is to set a BIOS password, do not allow USB booting in the BIOS options or/and use BitLocker.

No comments:

Post a Comment