HACKING WINDOWS PASSWORD
A: Bypass Windows Logons with the Utilman.exe Trick

Utilman.exe is a built-in Windows application designed to let the user configure Accessibility options such as the Magnifier, High Contrast theme, Narrator and On-Screen Keyboard before they log on to the system. This was designed to help people with impaired sight, hearing or mobility log on to Windows themselves without outside help. It's a great feature for disabled users, but it opens up a security hole that we can take advantage of to bypass Windows logons.

Bypassing the Windows logon comes in handy if our clients have forgotten their logon password, their user profile is corrupted, or malware is interfering with the system before login.

This works because the user can trigger Utilman by pressing Windows Key + U before Windows logon. This loads the Utilman.exe executable, which resides in the Windows\System32 directory. If you swap the Utilman.exe file with something else, such as cmd.exe, you get a command prompt running with SYSTEM privileges. SYSTEM is the account with the highest possible privileges on Windows, similar to the root account on Unix systems. Here are the step-by-step instructions on how to do this.

WARNING: You can do a lot of damage to a system if you don't know what you are doing. Technibble accepts no responsibility if something goes wrong.

First of all, we need a way to access the file system to swap out Utilman.exe with something else like cmd.exe. There are a few ways to achieve this:

• Remove the operating system hard drive from the target system and slave it into another system with a working operating system. From there you can swap out the files on the slave drive.
• Use a Boot CD like UBCD4Win and use the file management software there.
• Use the Windows Vista/7/8/10 DVD.

In this example we will be using the Windows 7 DVD.

1. To begin, boot from your Windows 7 DVD and when you reach the first screen asking about the language, currency and keyboard format, click Next. On the next page, in the lower left-hand corner, click the "Repair your computer" link.

2. Next, select the "Use recovery tools that can help fix problems starting Windows. Select an operating system to repair" option, choose an operating system from the list and click Next.

3. You will now have the option to "Choose a recovery tool". Select Command Prompt. You should now have a Command Prompt window open.

4. Replace utilman.exe with cmd.exe. Type in the following commands:

    C:
    cd windows\system32
    ren utilman.exe utilman.exe.bak
    copy cmd.exe utilman.exe

This switches to the C: drive, navigates to the system32 directory, renames utilman.exe to utilman.exe.bak, and makes a copy of cmd.exe named utilman.exe.

5. Remove the DVD and reboot the system. Once the computer boots up normally, press the key combination Windows Key + U and you should get a Command Prompt. If the Command Prompt doesn't appear, press Alt+Tab, as the Command Prompt may appear behind the logon screen. From here, you can run many (if not all) of the commands you can normally use in Command Prompt.

Resetting an Existing User's Password

WARNING: If you reset a user's account password, that user permanently loses access to their encrypted files. Be sure to back these up.

To reset an existing user's password, type the text below. In this example, we will be changing JohnDoe's password to "hunter2".

    net user JohnDoe hunter2

You should be able to log in with this new password straight away. If you don't know what the username on the system actually is, you can see a list of the users by typing:

    net user

Creating a New User Account

To create a new user account in the Command Prompt (Username: NewGuy, Password: abc123) and add it to the Administrators group, type:

    net user NewGuy abc123 /add
    net localgroup Administrators NewGuy /add

Again, you should be able to log in straight away with this new account.

Reverting Changes

To restore utilman.exe, in the Command Prompt type:

    C:
    cd windows\system32
    del utilman.exe
    ren utilman.exe.bak utilman.exe

Then reboot the system. To remove the new user account you created earlier, type:

    net user NewGuy /delete

That's all there is to it.

B: Hack a Windows 7/8/10 Admin Account Password with Windows Magnifier

This how-to on hacking Windows 7/8/10 admin account passwords using Windows Magnifier is focused on adding, changing, or deleting an admin-level account on Windows 7/8/10. Maybe you forgot or lost the password to your Windows Admin account; this guide will help with that. If you are trying to hack the computer lab at school, you will need a different method.

Disclaimer: This is for use on a PC that you own. Breaking into someone else's PC is considered a serious crime in most places. If you make a mistake or change something else, your Windows may no longer boot. If so, just undo whatever you changed outside of the hack shown here, and it will be back to normal. Need I say this is for Educational Purposes! You are responsible for your own thoughts and actions.

Prerequisites:

• Any Linux Live CD/DVD/USB with a Live option (e.g. Ubuntu Live, Linux Live, Kali, etc.).
• Ability to use said Linux CD/DVD/USB.
• Basic understanding of the Windows file structure, i.e. you can navigate it.
• The desire to modify user account(s) on said Windows box.
• Physical access to said Windows box.
• Ability to use the BIOS if needed.
• Ability to use the command line and a basic understanding of net user commands.

Things to Note:

• If you are trying to hack a coworker / boss / job / school / customer / friend / spouse's account, you are screwed because they won't be able to use the old password anymore; try explaining that.
• This hack works on Windows 7, 8, 10 and basically any version that has "Ease of Access".
• Servers require "net user Administrator blabla /domain".
• This will destroy all data encrypted with EFS on the account if it's enabled (you have to enable it first).
• If you do not undo the hack after you change the password, you will get the Magnifier every time you use cmd, or nothing at all.
• If you modify or delete any other files in Sys32, your next boot-up is doomed (maybe).
• Scared? You should be. Now let's get hacking.

Step 1: Boot Some Flavor of Linux Live CD

Insert the CD/DVD into the drive and reboot the machine. Start your Live DVD. You may need to go into the BIOS screen and change the boot-up order to CD/DVD drive first, HDD second.

Step 2: Navigate to Sys32

Using the file browser in your Linux environment, navigate to %windir%/system32/. You may have to right-click and mount the Windows partition/drive first, or use the NTFS-3G command.

Step 3: Rename magnify.exe

Find and rename magnify.exe (the Magnifier file) to magnify.old.

Step 4: Rename cmd.exe

Find and rename cmd.exe to magnify.exe.

Step 5: Shut Down Linux & Reboot Windows

Log out, remove the DVD, and reboot into Windows.

Step 6: Get a CMD Prompt and Modify Accounts

When Windows reboots, click on the Ease of Access button in the bottom left corner. Click Magnify and hit Apply. Ta da! You have a system-level command prompt. At this point we will only change the Admin password and not any of the 1000 other things that could be done here!

Tip: Inside Windows you can right-click cmd.exe and choose "Run as administrator" for escalated privileges; editing these files would never be allowed at the basic admin level (caution).

[Image: hacked system-level command prompt]

As the photo above shows, type net user to get a list of accounts. To the point, type:

    net user administrator *

Your Options (Choose One That Applies):

Change password:

    net user username new_password

When you do so, the password changes without prompting you again.

Add an account:

    net user username password /add

Tip: If your username has a space, like John Doe, use quotes like "John Doe".

Make it an admin:

    net localgroup administrators username /add

Delete it:

    net user username /delete

Remote Desktop Users group (just in case; the group name contains spaces, so it must be quoted):

    net localgroup "Remote Desktop Users" UserLoginName /add

See the net user syntax reference for the full list of net user commands, and the domain (i.e. server) form of net user.

Step 7: Reboot Linux & Fix magnify.exe

Now insert your Linux Live CD/DVD again and rename the files back to their original names, or you will have issues later.

1. Repeat Step 1.
2. Repeat Step 2.
3. Rename magnify.exe back to cmd.exe.
4. Rename magnify.old back to magnify.exe.
5. Log out, take out the CD/DVD/USB, and reboot into Windows.
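A defender-side check for both tricks described above (an added example, not code from the original article): it audits a System32 directory, or an offline copy of one, for accessibility binaries that are byte-for-byte copies of cmd.exe, for a cmd.exe that has gone missing, and for the utilman.exe.bak and magnify.old leftovers the two procedures create. Including narrator.exe and osk.exe alongside utilman.exe and magnify.exe is an assumed extension of the same check, and the sample directory layout is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers the logon screen runs as SYSTEM. utilman.exe and magnify.exe
# are the two the article swaps; narrator.exe and osk.exe are the other tools it
# names and are included here as an assumed extension of the same check.
ACCESSIBILITY_BINARIES = ("utilman.exe", "magnify.exe", "narrator.exe", "osk.exe")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_accessibility_binaries(system32: Path) -> list:
    """Return findings for a System32 directory (or an offline copy of it)."""
    findings = []
    cmd = system32 / "cmd.exe"
    # Trick B renames cmd.exe away entirely, so its absence is itself a finding.
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    if cmd_hash is None:
        findings.append("cmd.exe is missing from System32")
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if not target.is_file():
            findings.append(f"{name} is missing")
        elif cmd_hash is not None and sha256_of(target) == cmd_hash:
            findings.append(f"{name} is a byte-for-byte copy of cmd.exe")
        # utilman.exe.bak (trick A) and magnify.old (trick B) are the renamed originals.
        for leftover in (f"{name}.bak", f"{Path(name).stem}.old"):
            if (system32 / leftover).exists():
                findings.append(f"leftover renamed original {leftover} present")
    return findings

def build_demo_system32(swap: str) -> Path:
    """Constructed sample layout, not a real System32: 'clean', 'utilman' or 'magnify'."""
    root = Path(tempfile.mkdtemp())
    fake_cmd = b"MZ constructed cmd.exe stand-in"
    for name in ACCESSIBILITY_BINARIES:
        (root / name).write_bytes(b"MZ constructed " + name.encode())
    if swap == "utilman":  # trick A: ren utilman.exe utilman.exe.bak, copy cmd.exe utilman.exe
        (root / "utilman.exe").replace(root / "utilman.exe.bak")
        (root / "utilman.exe").write_bytes(fake_cmd)
        (root / "cmd.exe").write_bytes(fake_cmd)
    elif swap == "magnify":  # trick B: magnify.exe -> magnify.old, then cmd.exe -> magnify.exe
        (root / "magnify.exe").replace(root / "magnify.old")
        (root / "magnify.exe").write_bytes(fake_cmd)  # no cmd.exe is left behind
    else:
        (root / "cmd.exe").write_bytes(fake_cmd)
    return root
```

On a live machine call audit_accessibility_binaries(Path(r"C:\Windows\System32")), or point it at a mounted offline disk; full-disk encryption such as BitLocker prevents the offline file swap in the first place, so this check matters most where that is not enabled.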
