What’s the successor of the “utilman.exe” method for a pre-logon console?
A few years ago MS “fixed” the most widely used exploit for resetting a user password by replacing any of the “ease of access” tools (utilman.exe, osk.exe, sethc.exe and so on) with a copy of cmd.exe to get a console with system privileges. Of course you already needed file system access for that, so it was never really a security issue. Now Windows Defender is (apparently) doing a signature check and won’t allow any ease of access tool to run if it has been replaced.
Did the exploit “evolve” to combat the signature check or is there no more way to get a console before logon? Again, it’s purely a convenience issue, not a security issue because you can still reset the password of an existing user (and/or make him admin) via that SAM tool under Linux (and at least the built-in admin account is always a local user, even if it’s an AD machine).
It’s a bit of a niche use case since an “offline” console (booting another OS, including the recovery environment) should be sufficient in most cases. But there are a few edge cases which require an “online” console to interact with the running system, e.g. when the boot device is restricted or the partition is BitLocker encrypted (via the TPM).
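From the defender's side, the useful question is not how the trick evolved but how to tell whether the accessibility binaries the question names have been swapped out. The following PowerShell is an added example, not code from the post or from Microsoft, and it assumes it is run in an elevated PowerShell 5.1 (or newer) session on the machine being checked. It flags three conditions: the file is unsigned or its signature is not valid, the signer is not Microsoft, or the file's own version metadata (`OriginalFilename`) or SHA-256 hash shows it is really a copy of `cmd.exe` rather than the tool its name claims. The signature check alone would miss the copied-`cmd.exe` case, because a genuine `cmd.exe` carries a perfectly valid Microsoft signature; the metadata and hash comparison is what catches the rename.

```powershell
# Added example (not from the original post): check the Windows "ease of access"
# binaries for signs that they were replaced with a copy of cmd.exe.
# Assumptions: elevated session, Windows 10/11 layout under $env:SystemRoot\System32.
function Test-AccessibilityBinaries {
    param(
        # The three tools named in the question; extend the list for other
        # pre-logon accessibility binaries on your build.
        [string[]]$Names = @('utilman.exe', 'osk.exe', 'sethc.exe')
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdPath  = Join-Path $system32 'cmd.exe'
    # Reference hash of the real cmd.exe on this machine; a swapped tool will match it.
    $cmdHash  = (Get-FileHash -Path $cmdPath -Algorithm SHA256).Hash

    foreach ($name in $Names) {
        $path  = Join-Path $system32 $name
        $flags = New-Object System.Collections.Generic.List[string]

        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ File = $name; Suspicious = $true; Findings = 'file missing' }
            continue
        }

        # Authenticode check. In-box binaries are usually catalog-signed, which
        # Get-AuthenticodeSignature reports as Status 'Valid' with SignatureType 'Catalog'.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $flags.Add("signature status is '$($sig.Status)'")
        }
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
        if ($subject -notmatch 'Microsoft') {
            $flags.Add("signer is '$subject'")
        }

        # Version-resource check: the PE's embedded OriginalFilename should agree
        # with the file name on disk. A renamed cmd.exe reports 'Cmd.Exe'.
        $origName = (Get-Item -Path $path).VersionInfo.OriginalFilename
        if ($origName -and ($origName -ne $name)) {
            $flags.Add("OriginalFilename is '$origName'")
        }

        # Hash check: byte-identical to cmd.exe means it is cmd.exe under another name.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -eq $cmdHash) {
            $flags.Add('SHA-256 identical to cmd.exe')
        }

        [pscustomobject]@{
            File       = $name
            Suspicious = ($flags.Count -gt 0)
            Findings   = if ($flags.Count -gt 0) { $flags -join '; ' } else { 'ok' }
        }
    }
}

# Usage: list every tool with its findings, then exit non-zero if anything looks off
# (convenient when the script is run from a scheduled task or a management agent).
$results = Test-AccessibilityBinaries
$results | Format-Table -AutoSize
if ($results | Where-Object Suspicious) { exit 1 }
```

The hash comparison only detects a copy of this machine's own `cmd.exe`; a copy brought in from another build would still be Microsoft-signed with a different hash, which is why the `OriginalFilename` check is the more general of the two. For a fleet, the same object output can be fed to whatever inventory or SIEM pipeline you already ship PowerShell results to.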