2

Is there a way to secure Windows 8 against this login bypass? Basically an administrator can rename the utilman.exe (for example, to utilman.exe.bak) then copy cmd.exe to be utilman.exe, then at the login prompt someone can just do WinKey+U and get a fully working cmd prompt with Administrator privileges. How can this be stopped? Perhaps some way to change permissions so that utilman.exe cannot be renamed or modified etc?

fpghost
  • I think this should be addressed by mighty MS as an exploit; maybe they should check that file at launch for integrity, correct signature or checksum, whatever. – Kitet Jan 26 '13 at 23:25
  • It doesn't matter. If someone got onto your computer and had the rights to rename utilman.exe, you have already lost the battle for security. – Mark Allen Jan 27 '13 at 01:15
  • Mark said it already: someone has already compromised your computer. Why bother after that? Your question has no practical value. – Jan Doggen Jan 27 '13 at 20:43
  • @Jan Doggen Yes, I take your point. What is the point of the Windows login system at all then if they give you access to an Administrative rights shell at startup by pressing a hotkey? At least things like boot from CD-ROM can normally be disabled to stop a user accessing CMD that way, but in Win 8, as far as I can tell, you can't get rid of the F11 recovery console. – fpghost Jan 28 '13 at 19:48
  • Also, how do system administrators running Windows networks with, say, Win 7 on them get around this utilman.exe exploit? They can't password protect every computer at boot-up, obviously... so what's to stop me going on to something like a university network and pulling the utilman.exe exploit? – fpghost Jan 28 '13 at 19:51
  • I'd say this isn't so much an exploit as it is simply mucking with Windows after having gained access. An exploit would grant a restricted user full rights to a machine. You can't perform this "exploit" without Administrator rights in the first place. It's a fun trick, but that's all it is. – Ben Richards Feb 07 '13 at 21:51
  • @Ben Richards your point is the same as that of Jan Doggen, and I agree with it. My question would now defer to: how do I stop someone gaining Administrative access in Windows 8? (Assuming they're not going to be unscrewing the computer.) It seems the main roots in are through a live CD (against which one could disable boot from DVD in the BIOS and passwd protect the BIOS settings), or through a hotkey to the recovery console, which is what I don't know how to disable. The extreme method is a passwd on bootup, but this isn't very practical, and surely not what is done on a Win 8 network in, say, a college. – fpghost Feb 08 '13 at 08:42
  • Another small point is that I found when dropping into the Admin shell using the recovery hotkey, then doing net user NewUser mypass /add didn't work, so I couldn't change users from here; it was necessary to do the utilman.exe trick to get a command shell at login time that did allow such commands to run, so perhaps the trick isn't completely pointless. Otherwise there would be no need to actually do it at all after dropping into the Admin recovery shell, as you could add yourself as a user from there anyway. – fpghost Feb 08 '13 at 09:23

3 Answers

3

BIOS and hard drive boot passwords, and encryption (or more likely a combination of them).

Check out this other SU question: BIOS Hard Drive Password Security?

It has lots of good answers explaining the differences and advantages.

Also check into full disk encryption.

Encryption is probably the only way you're going to prevent someone from fiddling with the bits if they can get their hands on the drive.

0

There is no way that you can keep utilman from being renamed. Even if there are permissions on it that prevent Windows from renaming it, you could rename it by booting from a Linux live CD.

You could set a password in the BIOS and then set it to ask you for that password every time you start your computer. BUT that password can most likely be reset by removing the CMOS battery.

ChrisN
  • OK, I guess that can perhaps be combated by stopping the user from modifying the boot order by password protecting the BIOS (assuming the user won't reset it via opening up the computer). Any other way to stop this utilman security hole then? The current way I've been accessing it is via the F11 recovery console allowing access to a command prompt on boot up, so if I can stop it being renamed from there that will probably be enough. – fpghost Jan 26 '13 at 19:12
  • Updated my answer... – ChrisN Jan 26 '13 at 19:20
  • Also I see there's more tools to reset passwords by booting from CD or USB. Install whole drive encryption then. – Kitet Jan 26 '13 at 23:42
  • You can't rename or replace utilman.exe from a Linux live disk without the BitLocker password if BitLocker is enabled. – SecurityMatt Jan 30 '13 at 04:06
0

Just attach an invalid debugger to it so it does not execute.

Something like this, from cmd (with admin privileges):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\explorer.exe"

Of course, you don't actually need to replace utilman.exe if you are an admin; you can just use

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

jonsca
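The answers above name three things a defender can check for on a machine: whether utilman.exe has been swapped for cmd.exe (the question and Kitet's signature/checksum suggestion), whether an Image File Execution Options "Debugger" value has been set on it (jonsca's answer, where the same key is either the mitigation or the hijack depending on the value), and whether the OS volume is BitLocker-protected so the file cannot be renamed offline (the first answer and SecurityMatt's comment). The following audit script is an added example written for this page, not code from any of the answerers; it assumes an elevated PowerShell session on Windows 8 or later with the BitLocker module available, and the file names and registry path are the ones already quoted on the page.

```powershell
# Added audit example (not from the answers above): looks for the utilman.exe
# tampering described in the question and for the mitigations the answers recommend.
# Assumptions: elevated PowerShell 4.0+ (Get-FileHash), BitLocker module present.

$system32 = Join-Path $env:SystemRoot 'System32'
$utilman  = Join-Path $system32 'utilman.exe'
$cmd      = Join-Path $system32 'cmd.exe'
# Same IFEO key jonsca's REG ADD writes to, in PowerShell drive notation.
$ifeoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Has utilman.exe been replaced? A genuine copy carries a valid Microsoft
#    Authenticode signature and is never byte-identical to cmd.exe.
$sig = Get-AuthenticodeSignature -FilePath $utilman
if ($sig.Status -ne 'Valid') {
    $findings.Add("utilman.exe signature status is '$($sig.Status)' (expected 'Valid')")
} elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings.Add("utilman.exe is signed by an unexpected publisher: $($sig.SignerCertificate.Subject)")
}
$utilmanHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash     = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
if ($utilmanHash -eq $cmdHash) {
    $findings.Add('utilman.exe is byte-for-byte identical to cmd.exe (the swap described in the question)')
}

# 2. A renamed original left behind (utilman.exe.bak in the question) is a strong hint.
Get-ChildItem -Path $system32 -Filter 'utilman.exe.*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("unexpected file next to utilman.exe: $($_.Name)") }

# 3. IFEO Debugger value. Any value redirects the Ease of Access hotkey at the
#    login screen; report it and let the reviewer decide whether it is the
#    intended explorer.exe speed bump or an unwanted redirection.
$debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($debugger) {
    $findings.Add("IFEO Debugger set for utilman.exe: $debugger")
}

# 4. Without BitLocker on the OS volume, the file can be renamed from a live CD
#    regardless of NTFS permissions (ChrisN's point).
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $osVolume -or $osVolume.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection is not 'On' for $env:SystemDrive; offline renaming from a live CD is possible")
}

if ($findings.Count -eq 0) {
    Write-Output 'No utilman.exe tampering found; BitLocker protection is on.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Two caveats when reading the output. On Windows builds where utilman.exe is catalog-signed rather than embedded-signed, older PowerShell versions report the signature as NotSigned even for a genuine file, so treat check 1 as a prompt to compare the hash against a known-good copy rather than as proof of tampering. And because every check here reads state an administrator can change, the script detects the condition after the fact; as the comments on the question point out, only BitLocker (check 4) actually prevents the offline rename.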