Hack into any Windows User Account from a UEFI Secure Boot

A cheaper (i.e. free, but less convenient) alternative to Kon-Boot, is to use the well-known UtilMan.exe hack to create a new Admin account.

Easy2Boot contains two XML files which allow you to semi-automate the hack process which works even on Windows 10 systems. It will backup the hacked files for you and automate the creation of a new ADMIN account. By using a different XML file, it will also undo the hack.

This should work on UEFI32, UEFI64 and MBR\Legacy systems.

Since we can usually Secure UEFI64 Boot to the agFM menu system, this means we can even hack a Secure Boot-enabled system (as long as the Kaspersky efi shim is not blacklisted in the target systems DBx UEFI firmware list!).

All we need is a WinPE or Windows Install ISO. I use a standard Windows 10 Install ISO because it will have the latest chipset and USB drivers in it and I can use the same ISO to re-install or repair Windows if I need to.

Requirements

1. E2B+agFM USB drive
2. \_ISO\WINDOWS\WIN10\Windows10_x64.iso  (any WinPE\Win ISO should work)

Method

We first need to reboot the Windows target system and configure it so that it will restart in Safe Mode on the next boot.

This is for two reasons:

1. To ensure that Windows is not in a sleep (fast boot) or hibernate state.
2. To boot to Windows in Safe Mode which temporarily disables Windows Defender and so prevents it from un-doing the UtilMan.exe file hack.

This can be done without needing to log in to any Windows account on the target system.

Once the Windows target system is set to boot into Safe Mode on the next boot, then we just need to UEFI-boot to E2B+agFM and select the Windows\WinPE ISO and the Load UtilMan - Hack Windows XML file...

After the files have been patched under WinPE, you will then reboot to Windows and type [WinKey]+U after booting into Safe Mode and then type 2 quickly...

Besides creating a new Admin account, it also launches the Window Control Panel password app. to allow you to change any account password.

For full step-by-step instructions, see the UtilMan Hack page on the E2B website.

P.S. The way to avoid this hack is to set a BIOS password, do not allow USB booting in the BIOS options or/and use BitLocker.

How to UEFI64 Secure Boot to Kon-Boot and break into a Windows account without needing a password

The good thing about Kon-Boot is that is does not change any files on the target system disk - it is all done in memory.

However, the current  previous Kon-Boot licensing system restricted you  into making licensed bootable USB Flash drive of only 16GB or less. 

This 16GB limitation is apparently applied because some BIOSes will not successfully MBR-boot to grub4dos if the USB drive capacity is larger than 16GB. This was true on some very old systems about 20 years ago, but AFAIK, it is not required for systems that are in service today. So the limitation makes no practical sense to me, except to prevent more sales of Kon-Boot licences so that it can be installed onto larger USB drives including large Easy2Boot USB Flash drives and USB hard-disk drives! In fact, what is more important, is that they should create a second Primary partition on the USB drive because there are still systems about which require this for MBR\Legacy booting!

Note: later versions now have no 16gb restriction after I asked them to remove the restriction 😉

 

Since Kon-Boot v2.7 one purchased license allows user to install on one and only one selected USB pendrive. Meaning the newest version will be installed only on this one selected USB pendrive (newest Kon-Boot files will be generated only for this device and they will not be visible in the installation package). For usability purposes, older versions of Kon-Boot will be allowed to be installed on a separate USB pendrive.
In short the BIOS part version can be older, the UEFI kon-boot part gets updated and locked to the USB drive on installation.

Kon-Boot does not, per se, support Secure Boot...

However, we can make a E2B+agFM USB Flash drive which can Secure Boot and break into Windows without needing a user password (as long as they don't use a Domain account and have USB Booting enabled in the BIOS settings).

I have included full details of how to make a Secure Boot version of Kon-Boot on an E2B+agFM USB drive in version 1.4 of eBook #4. So just use your confirmation email link to download the new version of the PDF.

Tip: You know it has worked if it takes 1-2 minutes to boot to Windows after this message!

If it boots very quickly then it hasn't worked (check there were no error messages displayed).

If you get a red 'Guru meditation' text screen, then you are not using the correct USB drive that you originally licensed - see FAQ.

P.S. I find that using a hacked Windows system can sometimes cause security issues with some apps and browsers, etc. So whether I use Kon-Boot or the UtilMan XML hack in Easy2Boot, once I get into Windows the first thing I do is make a new Admin account and then reboot (and undo any hack if required). I then have full admin access on an unhacked (unmodified) Windows system. The new Admin account can be removed after I have finished fixing the system or retrieving files, etc.

agFM v1.38 is now available

If you boot on a Secure Boot UEFI64 system, you may sometimes get a Secure Boot error when booting certain ISOs - e.g. Parrot OS.

The way to avoid this is to use the F4 Settings menu and 'Install override security policy' just before you boot from the ISO...

The latest version of E2B's agFM now does this for you automatically when you select the (partnew/Easy2Boot) or (map) boot options.

Parrot OS can thus be given the .isodef file extension and it should secure boot without needing to use F4 - Install override security policy first.

Update agFM

To update to the current released version of agFM, run the .cmd file on the agFM partition:

DrWeb LiveDisk (with non-persistent updates!)

I have updated the blog for DrWeb here and also provided a downloadable .imgPTN23 image file which can be used by E2B and agFM for UEFI64 booting. It seems however that the updates are not persistent even using a flash drive made with their utility!

eBook #4 PDF on agFM has now been revised

Download the latest version using the URL in your confirmation email from Payhip.

As well as some typos, it has updated and added information to be consistent with the latest version of agFM.

agFM v1.37 available with Ukrainian language + updates and new agFM video uploaded

I have uploaded a new video demonstrating agFM v1.37 and the best way to add ISOs for AV, Windows Install, WinPE, Linux, etc.

1. Latest agFM build
2. Update languages - add Ukrainian uk_AU
3. Change bootup message
4. Add \agFM_version.txt file to hold agFM version number
5. Update the SAMPLE_startup_menu.txt file and add in new variables
6. Add .isowin type
7. Add sample .cfg files for DLCBoot and nbrt.
8. Fix UEFI not booting as drive 0 issue

Download from Alternate Downloads area for a1ive grub2 File Manager.

Don't know why, but the volume is fine before I upload it to YT, but then it's always too quiet when streaming from YT - it's very annoying!

agFM v1.35 with updated German, Spanish, Hebrew and Polish languages

agFM v1.35 has updates for German, Spanish, Hebrew and Polish translations.

To update, just extract the files to your FAT32 2nd partition and overwrite the existing files.

See previous blog post on how to easily modify any of the language strings.

Many thanks to the translators who have contributed so far.

Call for help with agFM translation - it's easy!

As you may have noticed, the a1ive grub2 File Manager supports different languages, however many words and phrases have not yet been translated. This is where you can help...

You can easily add or revise a translation using the crowdin app. This is a web-based app which allows you to simply type in the translation for each word or phrase used by the agFM menu system.

To translate

1. First create a new crowdin account. You can sign-in in a number of different ways. Don't forget to confirm your email address when the request is emailed to you (check you Spam folder if it does not appear).

Crowdin

2. Click the language you would like to translate. e.g. French

3. Click "fm.pot" and start translation. (e.g. https://crowdin.com/translate/grub2-filemanager/8/en-fr)

4. Select each word or phrase from the left-hand side and type in the translated word or phrase (1) and save it (2). Do this for each entry (there may be more than one page).

5. Once translated, the crowdin bot will create a pr automatically (https://github.com/a1ive/grub2-filemanager/pull/126)"

I will then compile a new version of agFM after a few days.

E2B eBook #4 updated

I hope you are well and have not suffered seriously from Corona.

One of my neighbours, a lovely old lady called Irene, sadly died yesterday, so please make sure you look after your vulnerable family members and friends during these difficult times.

eBook #4 on agFM and UEFI-booting

I have just updated eBook #4 to v1.2. So please use the URL you were sent to get the latest version.

You could also check that you have the latest versions of the other eBooks too.

Since you may be self-isolating now due to Corona, it might be a good time to actually read the eBooks and maybe get your multiboot USB fully working with all your payload files?

E2B eBooks

P.S. eBook #4 is still at the reduced price of $7 (RRP $10) and you can get 10% off ALL the eBooks when you purchase more than one.

E2B v2 YouTube video is up

agFM v1.34 now released

This version has a few small bugfixes...

• F1 now shows true Secure Boot status
• En-us language added to F4 Language menu
• Fix clover UEFI32 bug in \e2b\alive grub2 filemanager.mnu

To UEFI32 boot to Clover, you will need to update the alive grub2 filemanager.mnu file in your E2B \_ISO\MAINMENU folder. The previous version sometimes boots to UEFI64 instead of UEFI32!

To update. you can click on "\e2b\Update agFM\Download and update agFM.cmd" to download the latest release version and then extract it to the root of the FAT32 agFM partition #2.

Look at the date of the README.md file to see what version you have.

P.S. eBook #4 on agFM has been updated to v1.1.


P.S. This latest Bangood Special Offer made me smile...

False alarm! grubfm does not corrupt UEFI firmware.

A user reported that after UEFI64-booting grubfm, his UEFI firmware (Lenovo B40 30 laptop) was corrupted  and he could no longer get into the BIOS Setup menu system.

Since he blamed A1ive's grubfm and the UEFI Kaspersky Shim for this, I added a warning to the agFM web page on the E2B site.

However, now he has confirmed that the firmware corruption was due to booting to Ubuntu and was not by agFM itself.

It was an issue with the linux kernel. If you remember during release of Ubuntu 17.10 there was an issue of bios corruption ? it was a similar issue. Though it happened with the latest linux kernel 5.3.0.40

Detailed in a bug report on Canonical's Launchpad platform, the issue is serious: Installing Ubuntu 17.10 on selected Lenovo, Acer, and Toshiba laptops can cause corruption in the UEFI firmware which presents itself as an inability to make any changes post-corruption. In serious news for systems without a built-in optical drive, the corruption also disables the ability to boot from a USB storage device.

Tracked down to the Intel Serial Peripheral Interface (SPI) kernel module, prevention is straightforward: Disabling the intel-spi-* kernel driver family prevents the corruption without any other apparent impact on the system. For those who have already had their UEFI firmwares corrupted, however, there appears to be no easy fix yet available.

So I have now removed the warning but you may need to watch out for this serious Ubuntu bug!

First YouTube video of E2B v2.00 (but in Portuguese!)

Well, it seems it took less than 24 hours after release, for someone to post a You Tube video on E2B+agFM!

Only problem is - it's in Portuguese!

I do plan to make my own YT video soon (if you want to hear about it from the horses mouth).

Meanwhile, feel free to get eBook #4 which is all about agFM and comes complete with instructions on how to add MBR+UEFI bootable AV ISOs, Linux ISOs+persistence, popular WinPE ISOs and Windows Install ISOs + unattended installs.

Easy2Boot v2.00 released

V2.00 is now released.

https://www.fosshub.com/Easy2Boot.html

The main change is that when you make a new drive, it will now download the agFM files and copy them to the second FAT32 partition (if present). This allows UEFI-booting to the agFM grub2 File Manager system. All thanks to 'a1ive' for developing his grub2 branch and agFM.

• Make_E2B.exe and Make_E2B_USB_drive.cmd - downloads agFM if 2nd FAT32 partition is made. If drive is <128Gib then 2nd FAT32 partition of approx 500MB is automatically made. Allow user to define sizes in GB of ptns1, 2 and 3 if Gear Wheel button used. If drive >128GB it always prompts user for partition 1, 2 and 3 sizes and type even if AUTO selected.
• New default wallpaper.
• .isoPE extension now updates the WinBuilder .ini files (e.g. for Gandalf ISOs) - use .isoPE extension if you get a yellow warning triangle on desktop.
• \_ISO\docs\Wincontig folder can now be copied to any volume\folder - e.g. copy to partition 3 so it will make all files on that partition contiguous.
• Update SDI_CHOCO scripts and add chocolatey.nupkg for offline install of chocolatey.
• Add support for windows ISOs on ptn3 in qrun.g4b so can have Windows Install ISOs on ptn3 or ptn2 or ptn1 and use a .mnu file, add $$Install_Win10_from_Ptn2or3.mnu sample mnu file
• Switch_E2B.exe now looks for auxiliary *. files on other volumes at \(path), then \_ISO, then \ - e.g. ptn1:\_ISO\WINDOWS\WIN10\Win10.imgptn23 and ptn3:\_ISO\WINDOWS\WIN10\Win10.
• Bugfix - Latest grldr with bugfix for non-contiguous files
• Bugfix - Fix EXTOFF variable not working in MyE2B.cfg (file extension always displayed in the menu).

Read more: https://www.easy2boot.com/download/e2b-version-history/

E2B eBook #4 on agFM is now available

The first revision v1.00 is now available here for the introductory price of $7 (RRP will be $10).

I hope to release E2B v2.00 in a few days. Please test the Beta versions of E2B v2 and agFM v.1.32 and inform me of any issues ASAP!

Please feedback any comments on the eBook and use the eBook download link that you will be emailed when you complete the purchase, to download any later revisions for free.

agFM v1.32 and Easy2Boot v2.00 Beta now available

agFM v1.32 now includes Clover boot files, so you can now UEFI-boot from the E2B Legacy menu.

Clover does have problems on some systems though, so it is of limited use!

Use the new copy of /e2b/a1ive grub2 filemanager.mnu and copy it to the \_ISO\MAINMENU folder.

The latest agFM version can be found here.

E2B is now v2.00a Beta. 

Changes (Version History) can be found under the Downloads tab on the E2B website.

https://www.easy2boot.com/download/e2b-version-history/
https://www.easy2boot.com/download/agfm-history/

P.S. The new eBook #4 on agFM is almost finished!

agFM v1.31 Beta now available

This version has some bug fixes and I have tidied up the folder structure (now has an \e2b folder).
I have found the AT keyboard scan code maps to cause issues - if you have a non-responsive keyboard then remove the terminal_input at_keyboard and keymap lines in your startup_menu.txt file!

You may need to modify your startup_menu.cfg file for the new folder structure.

I have included a sample submenu for the use Startup menu to show you how you can add more submenus to the first Startup menu.

I have also included a new example .cfg file for installing 64-bit Windows 10 ISO.

WIN10_64_INSTALL_Choose_UNAME_PCNAME_PRODUCTKEY_XML_AgFM.cfg

The sample file should be copied to any folder on the E2B drive (same partition as the ISO) and can be renamed. When run, it will ask you to choose a product key (Edition), an XML file, a user name and a PC name.

It will modify a copy of the chosen XML file  (in memory) for you.

Many thanks to Phong for reporting an issue and providing a sample .cfg file which I based this version on.

If you want the username and PC name and Product Key substitution to work, all the XML files that you include in your menu choices will need to include UNAME, PCNAME and ASKME-ASKME-ASKME-ASKME-ASKME in the relevant fields.

This could be used with Win10_Pro_US_UNAME_PCNAME_SDI_CHOCO_ASKME.xml for instance. Using this with a modified .cfg file, you will choose the Edition (Home/pro, etc), Computer Name and User Name. You will then create and format the install partitions manually on the target system using the standard Setup dialogue. The installation will then proceed unattended and if you have set up your SDI_CHOCO config and SNAPPY driver folders correctly, it will install all missing drivers and install your desired apps automatically (internet Ethernet connection required if using online app choco installs). You can use the same process for MBR\Legacy or UEFI installs.

If you use an XML which also wipes and creates partitions, the process can be fully automated but you will need one XML for UEFI GPT partitions and a different XML for MBR\Legacy partitions.

More details on XML files can be found in eBook #3.

agFM v1.29 Beta available with keyboard selection

I have added keyboard map files to agFM so that you can use AZERTY and QWERTZ and other keyboards.

The latest agFM version can be found here.

P.S. Using the console set to at_keyboard seems to stop the keyboard from working on some systems! I suggest you don't use this unless you have to!

agFM v1.28 Beta available

This version fixes a bug where the UEFI agFM menu is left on the screen and the Windows Setup form is displayed on the wrong screen so you cannot see it.

The Windows ISO appears to boot correctly and then you just see a blank agFM menu...

The Windows Setup is actually running but it is displayed on an alternate screen. In the case of my IdeaPad 300, this issue occurred randomly about 1 in every 2,3,4 or 5 boots to the Windows Install ISO!

I have now added a 'known issues' list to the end of the agFM page on the E2B website.
Please let me know if you find any more.

Windows could not update the computer's boot configuration

P.S. If you ever see this issue when installing Windows to a clean hard disk, please let me know:

I think this issue may be caused by Windows Setup not liking the BCD file on the FAT32 partition of the USB hard drive you are installing from!

I have noticed that the date&time stamp of the \EFI\Microsoft\Boot\bcd file on the USB drive has changed after Windows Setup stage 1 runs if you UEFI-boot from an E2B USB Hard drive. Setup seems to load the USB drive's bcd to see if it is the 'system' bcd??? It does not seem to change it's contents. My guess is that if it cannot load and parse it successfully the install will fail with this error message.

I started to get this error very consistently at the end of the file copy phase in Windows Setup, when installing to a blank disk in a VM and a real system (UEFI install). I tried for hours to find out what was causing it and then the error magically disappeared - probably after I used BootIce to look at the BCD file on the USB drive's FAT32 partition - but I can't be sure. This error seems to have stumped a number of people on the internet who had the same problem but I could not find anyone who had reliably identified the cause...

Latest Easy2Boot v.1.B9 and agFM Betas - call for feedback

I am thinking of releasing the next version of E2B soon.

I will rename Beta E2B v1,B9m and agFM v1.27 as Easy2Boot v2.00.

The Make_E2B utility will prompt the user to add the agFM files after downloading them.

Please can you send me a quick email with any feedback on E2B+agFM (latest versions).

In particular, I would like to know:

1. Type of E2B USB used: Removable or Fixed/HDD
2. Version tested: E2B and agFM
3. Windows Install tests: UEFI64 Windows install from ISO works OK? XML files work?  WipeDisk+SDI_CHOCO.xml files work?
4. Any issues with any particular payloads? Please give details on how I can reproduce the issue.
5. Any other feedback welcome.

Please email me at steve @ easy2boot.com  with your observations.

Note that Make_E2B.exe will only make the second agFM partition + files if you are using Windows 10 OR you are using any Windows OS plus a Fixed-disk USB drive.  i.e. If you are using Windows 7 or Windows 8 AND a Removable USB drive, then the agFM partition will not be made (because those versions of Windows cannot access a 2nd partition on Removable flash drives).

The more feedback I get, the sooner it can be released.
Thanks
Steve