Edit: The real action’s going on down below here in the comments . Be sure to catch up on them after you read the post.
Jesse Varsalone, a computer forensics expert that happens to be a reader of this site, just emailed me a link to a cool video where he demonstrates a quick and easy way of obtaining SYSTEM privileges on a Vista system, given physical access to the machine. In the video, he uses BackTrack to replace Utilman.exe with a copy of cmd.exe . The nice thing about replacing Utilman.exe is that you can make it run before you’re even logged-in by pressing Windows-U. The video is available on the Offensive Security (maintainers of BackTrack) site:
If you’re into doing physical-presence penetration tests, you might want to roll your own custom CD or bootable USB drive that boots faster than BackTrack, and automatically swaps Utilman.exe out for the executable of your choice. Perhaps something that installs a nice rootkit or Core Impact agent, and then places the real Utilman.exe back into its rightful place.
Thanks Jesse! Excellent choice of soundtrack as well!