1) Disable Windows File Protection for utilman.exe. Otherwise, the original will be put back in the system32 folder. Vista still protects system files, but doesn’t fix them automatically like XP does.

2) Write a little C program that starts cmd.exe on the correct Windows station (WinSta0) and desktop (Winlogon). Have to find out why you don’t need to do this on Vista.

For a tech blog that’s been around for so many eons, it’s fascinating how screwed up security-related posts can get on slashdot.

In my defense, I’d just spent an hour on Slashdot arguing about exactly this with a thousand monkeys at a thousand typewriters who thought it *was* a security hole, so I was probably predisposed to read that into your post (plus my blood was up ).

Thanks for the links!

anybody else actually try it and get it to work or just talking shizzle?

i did find this that said you had to do some dll patching

http://blog.didierstevens.com/2006/08/31/my-second-playdate-with-utilmanexe/
http://blog.didierstevens.com/2006/08/21/playing-with-utilmanexe/

First of all, thanks for mentioning that this works on 2k/XP, Marcin. I was under the impression, from the email I received about it, that it didn’t, however I just booted up an XP VM, and it seems that I can run Utilman with Windows-U before logging in on it too. It stands to reason that the same trick would work then.

And as for Simon, I reflected on your comment over my eggs and grits. You make some good points, and your facts are all straight. In the absence of good whole-disk encryption (with the disks unmounted and keys properly dealt with), physical access does mean admin access. I and most of my usual readers, have poked around in filesystems from a boot disk, reset passwords, etc.

You’re saying it’s stupid, but I think you may have gotten the wrong impression from the post. I apologize if it seemed like I was claiming it was a “surprise”, because I didn’t really intend to present it as a vulnerability or surprising result. That’s why, unlike the Slashdot article about the same video, I didn’t present it as a “vulnerability” or “security hole”, because it’s not, really.

It’s a clever trick, that I believe some practitioners who read this blog might be interested in. It’s the same thing as many pentesters are already doing with boot discs and such, only it has some desirable traits: Easy to automate a quick mount-and-replace, low impact on the system (if what you replace it with cleans up after itself by putting Utilman back).

So, I agree with you that it’s not surprising or a new vulnerability. I still think that it’s a nice trick to quickly deploy a backdoor or rootkit with physical access to the machine, despite the fact that it’s roughly equivalent to other things you might do (full-on boot cd’s and single user/safe mode).

The comments are great though: adds some value to the post and lets us expand upon it with some discussion. I hope you keep reading this ‘security’ blog, Simon

Not everything posted here is going to be groundbreaking, and I never claimed it would be. Sometimes it’s just like I said it was: a quick and easy trick that you might get some use out of.

Thanks for the comments!

Hell, you don’t even need to bother with a Linux boot disc — if you have physical access to a box, just press F8 on startup (/ on Linux, append S to the GRUB kernel line) and boot into single user mode.

The fact that Physical access -> Admin access is one of the fundamental, immutable laws of computer security. I can’t believe that this something like this was posted to a ‘security’ blog.