What's the successor of the "utilman.exe" method for a pre-logon console?


Novgorod
A few years ago MS "fixed" the most widely used exploit for resetting a user password by replacing any of the "ease of access" tools (utilman.exe, osk.exe, sethc.exe and so on) with a copy of cmd.exe to get a console with system privileges. Of course you already needed file system access for that, so it was never really a security issue. Now Windows Defender is (apparently) doing a signature check and won't allow any ease of access tool to run if it has been replaced.

Did the exploit "evolve" to combat the signature check or is there no more way to get a console before logon? Again, it's purely a convenience issue, not a security issue because you can still reset the password of an existing user (and/or make him admin) via that SAM tool under Linux (and at least the built-in admin account is always a local user, even if it's an AD machine).

It's a bit of a niche use case since an "offline" console (booting another OS, including the recovery environment) should be sufficient in most cases. But there are a few edge cases which require an "online" console to interact with the running system, e.g. when the boot device is restricted or the partition is Bitlocker encrypted (via the TPM).
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    CPU
    Core i9 13900K
    Motherboard
    Asus Z690-I
    Memory
    64GB DDR5
    Graphics Card(s)
    3080Ti
    Hard Drives
    Samsung 990 Pro 2TB
    PSU
    Coolermaster SFX 750W
    Cooling
    Custom loop
In this guide, you’re going to learn how to reset a forgotten local user login password on any Windows computer using Kali Linux.

 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    Erica6
    Memory
    Micron Technology DDR4-3200 16GB
    Graphics Card(s)
    NVIDIA GeForce RTX 3060
    Sound Card
    Realtek ALC671
    Monitor(s) Displays
    Samsung SyncMaster U28E590
    Screen Resolution
    3840 x 2160
    Hard Drives
    SAMSUNG MZVLQ1T0HALB-000H1
I literally said that.
 

A few years ago MS "fixed" the most widely used exploit for resetting a user password....
Really? I've just tried it on a machine with the current RTM Windows 11 build 22631.3296 and it still works. I successfully created a new user to test this.
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Acer Aspire 3 A315-23
    CPU
    AMD Athlon Silver 3050U
    Memory
    8GB
    Graphics Card(s)
    Radeon Graphics
    Monitor(s) Displays
    laptop screen
    Screen Resolution
    1366x768 native resolution, up to 2560x1440 with Radeon Virtual Super Resolution
    Hard Drives
    1TB Samsung EVO 870 SSD
    Internet Speed
    50 Mbps
    Browser
    Edge, Firefox
    Antivirus
    Defender
    Other Info
    fully 'Windows 11 ready' laptop. Windows 10 C: partition migrated from my old unsupported 'main machine' then upgraded to 11. A test migration ran Insider builds for 2 months. When 11 was released on 5th October it was re-imaged back to 10 and was offered the upgrade in Windows Update on 20th October. Windows Update offered the 22H2 Feature Update on 20th September 2022. It got the 23H2 Feature Update on 4th November 2023 through Windows Update.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 8GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Lattitude E4310
    CPU
    Intel® Core™ i5-520M
    Motherboard
    0T6M8G
    Memory
    8GB
    Graphics card(s)
    (integrated graphics) Intel HD Graphics
    Screen Resolution
    1366x768
    Hard Drives
    500GB Crucial MX500 SSD
    Browser
    Firefox, Edge
    Antivirus
    Defender
    Other Info
    unsupported machine: Legacy bios, MBR, TPM 1.2, upgraded from W10 to W11 using W10/W11 hybrid install media workaround. In-place upgrade to 22H2 using ISO and a workaround. Feature Update to 23H2 by manually installing the Enablement Package. Also running Insider Beta, Dev, and Canary builds as a native boot .vhdx.

    My SYSTEM THREE is a Dell Latitude 5410, i7-10610U, 32GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro (and all my Hyper-V VMs).

    My SYSTEM FOUR is a 2-in-1 convertible Lenovo Yoga 11e 20DA, Celeron N2930, 8GB RAM, 256GB ssd. Unsupported device: currently running Win10 Pro, plus Win11 Pro RTM and Insider Beta as native boot vhdx.

    My SYSTEM FIVE is a Dell Latitude 3190 2-in-1, Pentium Silver N5030, 4GB RAM, 512GB NVMe ssd, supported device running Windows 11 Pro, plus the Insider Beta, Dev, and Canary builds as a native boot .vhdx.
Really? I've just tried it on a machine with the current RTM Windows 11 build 22631.3296 and it still works. I successfully created a new user to test this.
I don't need to use it often, so I didn't test it extensively, i.e. whether that's now default out-of-the-box behavior or whether it requires specific Defender settings. I encountered this behavior on a domain-connected laptop with a fresh Win 11 (so it might have been a group policy thing as well) and had to use the SAM method instead.

As for the "fix", people were talking about it at least since 2019 (there's also a linked blog post from 2018 stating that Defender checks for "debuggers" attached to ease of access tools via the registry, but then it will surely also check whether the exe itself is replaced). Some sources also said that Defender must be enabled for "early protection" or something like that, but I don't know if that's default behavior (apparently not?)...
 

Some sources also said that Defender must be enabled for "early protection" or something like that, but I don't know if that's default behavior (apparently not?)...
I've not modified the Windows Security behaviour on this RTM W11 Pro machine, so apparently it's not on by default. More on Early Launch Antimalware (ELAM) here:

 

As for the "fix", people were talking about it at least since 2019 (there's also a linked blog post from 2018 stating that Defender checks for "debuggers" attached to ease of access tools via the registry, but then it will surely also check whether the exe itself is replaced).
No, it only appears to be checking for Image File Execution Options (IFEO), not actual replacement of the .exe.
 

No, it only appears to be checking for Image File Execution Options (IFEO), not actual replacement of the .exe.
Yes, the linked blog post only talks about debuggers, but many (including myself) encountered blocked execution when the exe is replaced.
 

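As an added defender-side audit (not code from this thread or from any of its posters), the following PowerShell checks the accessibility binaries for both mechanisms debated above: an IFEO "Debugger" value hijacking the tool, and the binary itself having been swapped for a copy of cmd.exe. It assumes a standard System32 layout and an elevated prompt; the binaries listed beyond utilman.exe, sethc.exe and osk.exe are my assumption of which other accessibility tools to cover.

```powershell
# Added audit script, not from the thread. Run from an elevated PowerShell prompt.
# For each accessibility binary it reports:
#   (1) any IFEO Debugger value registered for it (the hijack the 2018 blog post describes),
#   (2) whether its Authenticode signature is valid and Microsoft-issued,
#   (3) whether it is byte-identical to cmd.exe (the "copy cmd.exe over it" trick).
# Note that check (2) alone cannot catch (3): a copied cmd.exe is itself a validly
# Microsoft-signed file, which is why the hash comparison in (3) is needed.

$accessibilityTools = @(
    'utilman.exe', 'sethc.exe', 'osk.exe',                      # named in the thread
    'narrator.exe', 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'  # assumed extras
)
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

$findings = foreach ($tool in $accessibilityTools) {
    $path = Join-Path $system32 $tool
    if (-not (Test-Path $path)) { continue }

    # (1) IFEO Debugger hijack: a Debugger value under the tool's IFEO subkey
    $debugger = $null
    $ifeoKey  = Join-Path $ifeoRoot $tool
    if (Test-Path $ifeoKey) {
        $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
    }

    # (2) Signature check (catalog-signed system files report Status 'Valid')
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # (3) Replacement check: same SHA-256 as cmd.exe means the file was overwritten
    $hash      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $isCmdCopy = ($hash -eq $cmdHash)

    [pscustomobject]@{
        Tool            = $tool
        IfeoDebugger    = $debugger
        SigStatus       = $sig.Status
        MicrosoftSigned = $signedByMs
        IsCmdCopy       = $isCmdCopy
        Suspicious      = ([bool]$debugger) -or (-not $signedByMs) -or $isCmdCopy
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object Suspicious) {
    Write-Warning 'One or more accessibility binaries are hijacked or replaced. Remove any IFEO Debugger value and run "sfc /scannow" to restore the originals.'
}
```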
A few years ago MS "fixed" the most widely used exploit for resetting a user password

What are you actually trying to achieve?
Reset a local account's password?
If so,
- Use another Admin user account to reset the problem user account's password.
- Make sure you have at least one spare, password-protected, Admin user account on the computer that can be logged into if all day-to-day user accounts fail to allow login.
or
- Enable the Built-in Admin at boot and use it to reset a local user account's password.


All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3447
What are you actually trying to achieve?
Reset a local account's password?
Add an admin account with only having (offline!) access to the file system.

I already achieved what I needed to achieve, I was just wondering if there's possibly an easier and/or smarter way when the utilman method is blocked.
 

Yes, the linked blog post only talks about debuggers, but many (including myself) encountered blocked execution when the exe is replaced.
There's a GitHub I found, where the suggestion for keeping the copy hack was:

1. Overwrite utilman.exe
2. Try the normal workaround from Lock Screen. Get blocked by Defender.
3. Return to normal Windows, open Protection History and allow the denied file to work.

PS - Running sfc /scannow will obviously clobber the hack, as it will restore the original executable.
 

My Computer

System One

  • OS
    Windows 7
There's a GitHub I found, where the suggestion for keeping the copy hack was:

1. Overwrite utilman.exe
2. Try the normal workaround from Lock Screen. Get blocked by Defender.
3. Return to normal Windows, open Protection History and allow the denied file to work.

PS - Running sfc /scannow will obviously clobber the hack, as it will restore the original executable.
If you already have admin access, you don't need the utilman hack...
 

Are we going in circles? Obviously if you're more technical, there's multiple ways to get back into a locked system. The utilman hack was originally given as a simple backdoor for non-technical users, in case they got locked out by messing up Windows changes.
 

Add an admin account with only having (offline!) access to the file system.
Understood.
Two of those methods apply.
- Make sure you have at least one spare, password-protected, Admin user account on the computer that can be logged into if all day-to-day user accounts fail to allow login.
my ditty - Create two spare local, password-protected Admin accounts [post #2] in Windows 10, 11 - TenForums
or
- Enable the Built-in Admin at boot and use it to reset a local user account's password.
Enable or Disable Built-in Administrator Account - ElevenForumTutorials

Personally, I create spare Admin accounts on each computer so I am fully prepared for corruption in my day-to-day user accounts.
But, if I had not prepared, I'd use the Enable the Built-in Admin at boot solution.
I'd then login & create new user accounts using whichever of those Admin accounts was available.


All the best,
Denis
 

Two of those methods apply.
Actually only Enable the Built-in Admin at boot applies (I said only offline file system access is possible in that scenario).

However, the recovery boot console won't work with TPM-secured Bitlocker (if you don't have the recovery key). Even if you can read the Bitlocker volume master key (VMK) from the TPM (not trivial but possible), Windows has no tool to unlock/mount the volume using the VMK. Apart from forensic software, there is only a single tool in existence to decrypt Bitlocker with a VMK, which only works in Linux (dislocker). In that case you might as well use the SAM tool in Linux, which does essentially the same as the offline registry edit tutorial. But that's a very niche case, of course.
 

Personally, I create spare Admin accounts on each computer so I am fully prepared for corruption in my day-to-day user accounts.
So do I. But I have used the utilman trick on another's laptop, the one that was my cousin's late husband's W8 machine. His MS account was the only user account on the machine. It was the easiest/quickest way to make a local admin account for myself so I could retrieve all his documents for the family.
 

A few years ago MS "fixed" the most widely used exploit for resetting a user password by replacing any of the "ease of access" tools (utilman.exe, osk.exe, sethc.exe and so on) with a copy of cmd.exe to get a console with system privileges.
A few months back I used the sethc.exe method without any problem. IIRC, I first tried utilman.exe and that didn't work for me. I don't recall doing anything special to use sethc.exe, but if you can't get it working, I can run through it again on a test machine and document my steps.

I don't use encryption, but I assume you would have mentioned it if you do, so that's probably not the issue.
 

My Computer

System One

  • OS
    Windows 10/11
    Computer type
    Laptop
    Manufacturer/Model
    Acer
