Unlock For Us

Hidden Backdoor in Windows 7/Vista Welcome Screen

Ok, This is fun. Anyone of you watch the famous 1995 movie "The Net" by Sandra Bullock? The Famous Praetorian PI was used as a backdoor to access password-protected sites. Can we create a vista backdoor, something like that in Windows Vista or 7? Yes you Can! How?

The Clue: The Ease of Access Program

thePi

Where? The 624kb Utilman.exe is the key located at System Folder.

Steps:

Open the Folder Windows\System32\ and check the Properties of Utilman.exe

UtilmanProperties

Problem... My current Logon Username Lawrence and Administrators has no Permission no modify the file. Thus, If you try to rename the file, it will give you the message:

Destination Folder Access is Denied You need permission to perform this action

accessisdenied

Normally, Winbubble Context Menu "Take the Ownership of this file" can add the permission but this time, you can't. (The Next Version can do it easily).

default

Also, Most of the Buttons are Disabled.

How to Add the permission

Prevention is better than Cure: To easily recover your system from any problems, Create a Restore Point First using the Context Menu that can be created by WinBubbles, Read here or you can do it manually: Win+R > rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 > Create Button > Enter the name

1. Take the Ownership Of the File using the LONG METHOD, Click here and Right-Click the file > Properties > Go to Security Tab > To change Permission Click Edit Button > Click Administrator > Click to Check Allow Setting of Full Control option box

Another Way because I understand that your a Geek:

Open Command Prompt as Administrator, Start Search > type CMD > Press CTRL+ALT+Enter > Enter the Following commands:

a. takeown /f "Directory\File"

e.g. takeown /f "c:\windows\system32\Utilman.exe"

b. icacls "Directory\File" /grant administrators:F

e.g.

icacls "c:\windows\system32\Utilman.exe" /grant administrators:F

If you didn't open CMD.exe as administrator, you'll get this message:

takeown

ERROR: The current logged on user does not have ownership privileges on the file (or folder) "c:\windows\system32\Utilman.exe" 

2. Rename Utilman.exe to any for backup example: Utilman_old.exe

rename

3. Create a copy of cmd.exe (CTRL+Drag)

copycmd

4. Rename the Copy - cmd to Utilman

 changenameofCmd

That's It!

Go to your Welcome Screen: Start Menu > At the Bottom, Click the Right Arrow > Switch User

5. Click the Blue Magic Button pointed by the arrow as shown in the first Picture above.

backdoor

You have now successfully launch a Command Prompt in Administrator mode with UAC disabled...

Doesn't Work? Possible Mistake: In your Folder Option Window > View Tab > "If Hide extensions for known file types" is checked, Don't rename it to "Utilman.exe", use "Utilman" ONLY.

NEW! Using the newest version of WinBubble, you can easily get this functionality in just few clicks!

Click the Windows 7/Utilities Tab, Logon Tools option

logontool

Click Yes and Restart your PC. Works great in Windows 7 32/64 bit version!

NOTE: You need to re-open again the program after restarting your computer and repeat the procedure again to be able to activate the feature.

SWEET!!! Start Hacking your own computer :)

Now, it's fine for me to forget my password without creating a password reset disk or by hacking and clearing Vista Password using a Linux OS. Create a Backdoor instead! Is this bad? Of course, this is bad if you'll use it that way.

Net user [Username] [NewPassword]

For more Information, Read Here

Is this legal? Yes, it is... My steps needs the Administrator login to create a backdoor and If you do this by using another OS like Linux to another computer. That's the time it will became Illegal.

Type: whoami /all |more

whoami

Now we can see that System logon is the one running when you input Username and Password in the Welcome Screen.

Try typing taskmgr.exe (Browse Button let's you run a mini-windows explorer), Notepad and even Explorer.exe!

In my observations:

  • Windows Firewall is ON (Great!)
  • Spyware and other Malware Protection is ON (Great!)
  • User Account Control is OFF
  • You can browse the Internet
  • The Location of Desktop: c:\Windows\System32\config\systemprofile\Desktop
  • Launch Windows Media Player, Windows Calendar, Windows Mail and many more

Note: There is a possibility that the guide above will work in latest build (RC version) of Windows 7. Due to License and some legal concerns I can't reveal any data. Tell me?

ENJOY LEARNING WINDOWS!!! 

6 Comments:

vince said...

nice hack, but won't that just defeat the purpose of the welcome screen?, why not just forget your password for your username all together and boot directly to the desktop :)

Anonymous said...

Wait, are you saying that you have Windows 7 Beta? Just wondering... Or can you not tell us that either?

Anonymous said...

It works! I have Windows 7 Build 6801 leaked from torrents and it worked perfectly! I am waiting to download "The Net (1995)"... I am curious... ;)

Nura M. said...

Hi!
I have forgotten that movie(The Net) you were talking about. I do not know if I may be opportuned to have a look at it(refer me to site ), so that I can answer the question.
I WISH TO HAVE MORE OF YOUR EDUCATING INFORMATION.
Thanks!
Nura

Anonymous said...

This wouldn't be illegal as long as you do it to your own computer.

It also makes a Command shell available to anyone that goes to log into your computer

My sugestion would be to replace the utility file name with a batch file name that is looking for a key press or some other hidden signal, if you don't provide the key press or signal it requires then it loads the utility like normal, this would hide the command line option from anyone that doesn't also know the safty key press to get in.

I can see it useful if you are taking care of relatives computers that might loose there passwords or delete accounts or something, then you have a way in.

I might have to think of this more!!

Anonymous said...

It's working on Win 7 final... yess!!!

 

© UnlockForUs 2007-2012| Blogger| Google.com | License Agreement