Rumor has it: first install a second operating system on the Vista computer, then rename Windows\System32\cmd.exe on the Vista partition to Utilman.Exe and boot into Vista again. Press the 'Win+U' key combination on the login screen, a command line appears, and typing explorer takes you into the system.
Analysing how this method works, we believe a WinPE disk can achieve the same result. First, delete the Utilman.Exe file in the System32 directory of the Vista system. Because of Vista's particular file-protection measures, we describe two ways of deleting it.
The first is the 'violent file deletion tool' (download) released by Super Patrol. After running the program, click the 'Add File' button, select Utilman.Exe, and then click the 'Violence Delete' button to complete the deletion (Figure 1). The second is to boot the computer from a WinPE disk, use the WinPE system's file manager to locate the Utilman.Exe file, and delete it there.
Next, copy the command prompt program (CMD.exe in the folder C:\Windows\system32), place the copy directly in C:\Windows\System32, and rename it Utilman.exe. Restart the Vista system. When the Vista login screen appears, press the 'Win+U' key combination and a command prompt window appears (Figure 2).
Now you can enter the Vista system by typing explorer in the command prompt window. At this point you have the highest control authority. In our test we found that we could directly use the programs in the menu, open all kinds of files and run all kinds of programs; in short, it is like using the computer normally. The only difference is that there is no write permission: changes made to files cannot be saved (Figure 3). However, in the command prompt window you can use the net user command to create a new system administrator account and then log in to the Vista desktop with that account for all operations.
Vulnerability principle analysis
We can see that the whole operation succeeds because the Utilman.exe file is replaced. In Microsoft's systems there are many functions that help people with disabilities operate the computer, such as the magnifier, sticky keys, the screen reader and others, and UtilMan.Exe happens to be the manager program for these accessibility tools.
These functions can be activated with special shortcut keys. When one of these accessibility files is replaced, Windows still launches the file at the configured location according to its default settings, so the replacement file is launched successfully. Because these accessibility functions can be invoked before a user is logged in, the user can bypass the login password check on the login screen and log in to the Vista system.
Temporary solution for vulnerability prevention
How can we prevent this vulnerability? Here we can use the image hijacking technique commonly used by viruses and hijack the Utilman.exe file directly. From then on, whenever this file, or any file with this name, is used, the program we specify runs instead.
There are many ways to perform image hijacking. To suit ordinary users, we can download a 'Windows image hijacking utility' from the Internet (note that anti-virus software will flag this program as a virus). After running the program, follow its prompts, enter option 1, and then configure it according to the wizard.
After choosing option 1, first enter the name of the file to be hijacked, Utilman.Exe. Then enter the path for the image hijack; it is best to point it at an unrelated program. Here we set it to the path of Notepad. Finally, press Enter to complete the operation.
In the future, when the user presses the “Win+U” key combination again and the system is about to start the file named Utilman.Exe, it will instead start the file at the hijacked path, as configured by the image hijack. Because other programs cannot load explorer, the user cannot log in to the system desktop.
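The replaced Utilman.exe described in the principle analysis and the image hijack used here as a fix are both conditions an administrator can audit for. The PowerShell script below is an added example and is not part of the original article: it compares the version resource and SHA-256 hash of Utilman.exe against cmd.exe, and reads the Image File Execution Options registry key (the mechanism the article calls 'image hijacking') to report any Debugger redirect. It assumes it runs in an elevated PowerShell on the machine being checked; the parameter names $SystemRoot and $TargetName and the helper Get-Sha256Hex are this example's own.

```powershell
# Added audit script (not from the original article). Checks the two things
# the article describes for Utilman.exe: whether the binary on disk has been
# replaced by a copy of cmd.exe, and whether an Image File Execution Options
# (IFEO) "Debugger" redirect exists for it.
# Assumptions: elevated PowerShell on the machine being checked; $SystemRoot
# and $TargetName are parameters of this example and may be changed.
param(
    [string]$SystemRoot = $env:SystemRoot,
    [string]$TargetName = 'Utilman.exe'
)

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so the script also works where Get-FileHash is unavailable.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$system32 = Join-Path $SystemRoot 'System32'
$target   = Join-Path $system32 $TargetName
$cmd      = Join-Path $system32 'cmd.exe'
$findings = @()

# --- Check 1: is the accessibility binary really what its file name says? ---
if (-not (Test-Path $target)) {
    $findings += "$TargetName is missing from System32 (the article's first step deletes it)."
} else {
    $info = (Get-Item $target).VersionInfo
    # The version resource records the original file name; a renamed copy of
    # cmd.exe still reports Cmd.Exe there.
    if ([string]::IsNullOrEmpty($info.OriginalFilename)) {
        $findings += "$TargetName carries no version resource; verify it manually."
    } elseif ($info.OriginalFilename -ne $TargetName) {   # -ne is case-insensitive for strings
        $findings += "$TargetName reports OriginalFilename '$($info.OriginalFilename)' ($($info.FileDescription))."
    }
    # A byte-identical copy of cmd.exe is exactly the condition the article creates.
    if ((Test-Path $cmd) -and ((Get-Sha256Hex $target) -eq (Get-Sha256Hex $cmd))) {
        $findings += "$TargetName is byte-for-byte identical to cmd.exe."
    }
}

# --- Check 2: IFEO redirect (the 'image hijacking' the article uses as a fix) ---
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ifeoKey  = "$ifeoRoot\$TargetName"
if (Test-Path $ifeoKey) {
    $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        # Expected only if you configured the redirect yourself (e.g. to Notepad,
        # as in the article); any other value is a finding to investigate.
        $findings += "IFEO Debugger for $TargetName is set to '$debugger'; confirm this is the redirect you configured on purpose."
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $TargetName looks unmodified and has no IFEO redirect."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as `.\Check-Utilman.ps1` (or with `-SystemRoot D:\Windows` against a mounted offline installation's directory for the file checks; the registry check always reads the live machine's hive). The version-resource comparison is the more useful of the two file checks: an attacker who patches a single byte of the copied cmd.exe defeats the hash comparison but not the OriginalFilename mismatch.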
The permission barrier of the Vista system was successfully bypassed, but we also saw Vista's own security measure at work: during such illegal use it lets the user only open files, without permission to save them. Still, that the Vista system has such a low-level vulnerability cannot help but make users nervous. Of course, for ordinary users this vulnerability is not entirely useless: if you forget your own password, this method is a temporary solution.