Let’s say you have a Windows (virtual) machine, for which you’ve forgotten your login info, but you want to enter it anyway, because of… reasons. 😀
How can you do it?
Note – if the disk/VM is encrypted, you’ll need the decryption key, of course (if you don’t have it, well… I’m sorry, the following won’t really help you).
Ok, if it’s a virtual machine and you only need to grab some data from it, it’s relatively easy – you’ll just mount the virtual disk, extract the data needed and done.
If you need access to the OS instead, you can maybe use the old trick with replacing the Utilman.exe with cmd.exe, which essentially gives you command prompt with local system permissions, which then gives you… well, everything you need.
One minor obstacle with doing this “hack” would be the fact that the owner of Utilman.exe is actually the TrustedInstaller, so your workflow would be like this:
- (e.g. turn off the VM, mount the disk, …)
- replace the owner of Utilman.exe
- add yourself the needed permissions
- replace the Utilman.exe with cmd.exe
- do what you need (e.g. change the local Administrator’s password, set this account as active, …)
- cleanup (replace the replaced Utilman.exe with the original one)
And we can do this with PowerShell:
```powershell
$file = "D:\Windows\System32\Utilman.exe"
$user = New-Object System.Security.Principal.NtAccount("tomica")

# replace the owner of Utilman.exe
$acl = Get-Acl -Path $file
$acl.SetOwner($user)
$acl | Set-Acl -Path $file

# add yourself the needed permissions ("FullControl" is the FileSystemRights value; "Full" is not valid)
$acl = Get-Acl -Path $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path $file
(Get-Acl -Path $file).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# replace the Utilman.exe with cmd.exe (and move Utilman.exe to Utilman.exe.bak)
Move-Item -Path $file -Destination "$file.bak"
Copy-Item -Path "D:\Windows\System32\cmd.exe" -Destination "D:\Windows\System32\Utilman.exe"

# unmount the disk, start the VM, use the Accessibility icon on the logon screen to start up the system/admin command prompt
# the two commands below are typed into that command prompt on the VM, not into this PowerShell session:
# change password, enable local Administrator account
net user Administrator MyNewestPass123!
net user Administrator /active:yes
```
And now you can login as local Administrator again and do the work you wanted to do in the first place. 😊
To leave things (somewhat) the way we found them, we can use the following PowerShell:
```powershell
$file = "C:\Windows\System32\Utilman.exe"
$user = New-Object System.Security.Principal.NtAccount("Administrator")

# remove fake Utilman.exe
Remove-Item -Path $file

# replace the owner of Utilman.exe.bak (we are now under a different user)
$acl = Get-Acl -Path "$file.bak"
$acl.SetOwner($user)
$acl | Set-Acl -Path "$file.bak"

# add permissions
$acl = Get-Acl -Path "$file.bak"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path "$file.bak"
(Get-Acl -Path "$file.bak").Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# bring back the Utilman.exe (destination is $file, not "$file.exe", which would produce Utilman.exe.exe)
# note: the owner and DACL of the restored file now differ from the stock ones (TrustedInstaller)
Move-Item -Path "$file.bak" -Destination $file
```
Cheers!