Bypassing Windows 10 password with Utilman.exe trick - fixed?

So I'm wondering if these Windows vulnerabilities were fixed?

It's good to know that this is not a vulnerability, even though it ostensibly is. Microsoft TechNet publishes the "Ten Immutable Laws of Security" and in this case, laws two and three apply, which state respectively:

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Law #3 applies to gaining access to the command prompt, and Law #2 applies after you've done #3 (replacing sethc.exe with cmd.exe).


As for whether sethc.exe, utilman.exe, osk.exe, ..., and the Image File Execution Options trick can be used in Windows 10, I can access all four of these options in both builds 17063.1000 (Insider Preview) and 16299.125 (Creator's Update). While I am not 100% sure of the other versions, I believe there is no difference in the first version of Windows 10.

It is possible that you accessed the wrong drive. Oftentimes when booting into the installation environment, the hard disks are assigned a different letter (I've normally gotten D:).
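The answer above lists the pieces a defender should look at after the fact: the accessibility binaries in System32 (sethc.exe, utilman.exe, osk.exe) and the Image File Execution Options registry hive. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes an elevated prompt on the Windows installation being checked and the standard %SystemRoot%\System32 layout, and it reports, rather than repairs, anything that looks tampered with.

```powershell
# Added example (not part of the original thread): audit the accessibility
# binaries and the IFEO hive for the tampering discussed above.
# Assumptions: elevated PowerShell on the machine under review; standard
# System32 layout; the list of binaries below is the thread's own and can
# be extended.

$system32 = Join-Path $env:SystemRoot 'System32'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe')

# Reference hash of the genuine cmd.exe: a swapped-in copy hashes identically.
$cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)][string]$Name)

    $findings = @()
    $path = Join-Path $system32 $Name

    # Check 1: the binary was deleted outright (noted in the thread as a naive "fix").
    if (-not (Test-Path -Path $path)) {
        return ,@("$Name is missing from System32")
    }

    # Check 2: the file is a byte-for-byte copy of cmd.exe.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    if ($hash -eq $cmdHash) {
        $findings += "$Name is a byte-for-byte copy of cmd.exe"
    }

    # Check 3: version resource still says what the file was built as.
    # A renamed cmd.exe keeps OriginalFilename 'Cmd.Exe'. Comparison is
    # case-insensitive (PowerShell -like default).
    $baseName = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $orig = (Get-Item -Path $path).VersionInfo.OriginalFilename
    if ($orig -and ($orig -notlike "$baseName*")) {
        $findings += "$Name reports OriginalFilename '$orig'"
    }

    # Check 4: Authenticode / catalog signature no longer validates.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "$Name signature status: $($sig.Status)"
    }

    # Check 5: an IFEO 'Debugger' value redirects execution to another binary
    # without touching the file at all.
    $ifeoKey = Join-Path $ifeoRoot $Name
    if (Test-Path -Path $ifeoKey) {
        $debugger = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings += "$Name has an IFEO Debugger value: $debugger"
        }
    }

    return ,$findings
}

$report = foreach ($bin in $accessibilityBinaries) {
    foreach ($f in (Test-AccessibilityBinary -Name $bin)) {
        [pscustomobject]@{ Binary = $bin; Finding = $f }
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Output 'No accessibility-binary or IFEO tampering found.'
}
```

The checks are deliberately redundant: a file swap is caught by the hash or version-resource comparison even when the signature check is inconclusive (system binaries are catalog-signed, so treat a non-Valid status as a prompt to look closer rather than proof on its own), and the IFEO check covers the variant that never modifies the file. None of this prevents the technique; as the thread itself says, an unencrypted system drive is open to offline manipulation, so the audit is a detection aid to pair with full-disk encryption, not a substitute for it.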


I don't think that this method of alternate access has been removed or altered in most versions of Windows 10. And even if those executables were naively deleted to try to prevent using them for that purpose, simply creating executables with those names that point to cmd.exe would still work without additional effort (which could then be reversed once the attacker has direct access to the filesystem, as usual).

I've sampled five systems: two of which were fresh installs, and three of which were upgrades (one from Windows 8.1, two from Windows 7). All of them have sethc.exe, Utilman.exe, and osk.exe in C:\Windows\system32.

Your installation of Windows 10 appears to be non-standard in some way. I would be very interested to hear from any other users who have the same setup as yours, to try to determine what they have in common.

UPDATE 2019-09-22: Looks like Windows Defender may have closed this family of loopholes.


There is nothing "fixed" since there is nothing broken. This is no vulnerability. If you leave your drive unencrypted, it is prone to manipulation. However, there has been a change: the utilman trick no longer works on Win10 machines that use Windows Defender as their AV solution, since Microsoft has recently begun to detect this method. Since September 2018, you need to use other ways. However, there is still a chance to use the old method if you are a quick typist: start your machine in safe mode (keep Shift pressed while clicking on Restart and select advanced startup options, then F4 for safe mode). In safe mode, Defender starts a little later, which allows you to use the method for about 30 seconds. Just use this one-liner when on the command prompt: net user administrator /active newpass. Afterwards, you can log on with the account administrator and the password newpass.

Reference is my thread over here: https://www.administrator.de/contentid/391076