6

This trick to hack Windows and reset passwords (or create new logins) has been around for ages and still works on Windows 7 and Windows 8. Is there any way to disable the key combination that brings up the 'Ease of Access' dialogue box, WindowsKey+U?

I've got other safeguards in place like full disk encryption and a locked-down BIOS so people can't boot a CD so easily, but those are possible to circumvent with relative ease, especially if I leave my computer turned on and running unattended for long periods of time.

Gilles 'SO- stop being evil'
NULLZ

2 Answers

9

You're very wrong in your last assumption; full disk encryption is not "possible to circumvent with relative ease". It is especially not "possible to circumvent with relative ease" to reach the goal of this workaround IF you're behaving securely.

As you've probably figured out by now, this is a physical-access problem. If somebody has physical access to your machine, they don't really need the utilman.exe trick. They can simply modify your SAM file. In this case, they went with a less technical method. Nevertheless, they're both possible through the same vulnerability - unauthorized physical access.

Assuming you're using full-disk encryption solutions like TrueCrypt, let's examine the two possible scenarios:

  • You left your computer turned off and unattended for ages: The attacker won't be able to do anything to modify the structure of your files (copy cmd.exe as utilman.exe) or modify your SAM file.

  • You left your computer locked: A determined adversary can eventually (although not easily) recover your encryption keys and access/modify your system, including but not limited to the trick you mentioned and modifying the SAM file.

As you can see, any unauthorized full access will lead to the expected compromise of your system. The utilman.exe trick is not your problem. You're looking in the wrong corner.

Adi
-1

Application specific group policies or local policies might be your answer.

See this link for details.

NULLZ
Justin
  • Actually, this is wrong. This prevents that specific exe from running, but if you replace it with another .exe it will not apply those permissions. – NULLZ Sep 17 '13 at 07:15
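
The replacement discussed in this thread (cmd.exe copied over utilman.exe) can be checked for from a running system. The following read-only PowerShell check is an added example, not part of the original posts; the function name `Test-UtilmanReplaced` and the default comparison list are assumptions, and it needs PowerShell 4.0 or later for `Get-FileHash`.

```powershell
# Added example, not from the original thread. Read-only: it changes nothing.
# Assumes PowerShell 4.0+ (Get-FileHash) and the default System32 location.
function Test-UtilmanReplaced {
    param(
        [string]$Target = (Join-Path $env:SystemRoot 'System32\utilman.exe'),
        # Programs to compare against. cmd.exe is the case named in the thread;
        # pass further paths to cover "another .exe" (assumed, site-specific list).
        [string[]]$Shells = @((Join-Path $env:SystemRoot 'System32\cmd.exe'))
    )

    $targetItem = Get-Item -LiteralPath $Target -ErrorAction Stop
    $targetHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    $targetName = $targetItem.VersionInfo.OriginalFilename

    foreach ($shell in $Shells) {
        if (-not (Test-Path -LiteralPath $shell)) { continue }

        $shellItem = Get-Item -LiteralPath $shell
        $shellHash = (Get-FileHash -LiteralPath $shell -Algorithm SHA256).Hash
        $shellName = $shellItem.VersionInfo.OriginalFilename

        # Same bytes: the target is a straight copy of this program.
        $sameHash = ($targetHash -eq $shellHash)

        # Same embedded version-resource name: catches a copy taken from a
        # different build, whose hash no longer matches the installed program.
        $sameName = [bool]($targetName -and ($targetName -eq $shellName))

        [pscustomobject]@{
            Target       = $Target
            ComparedWith = $shell
            SameHash     = $sameHash
            SameOrigName = $sameName
            Suspicious   = ($sameHash -or $sameName)
        }
    }
}

# One row per compared program; Suspicious = True means utilman.exe
# looks like a copy of that program.
Test-UtilmanReplaced | Format-Table -AutoSize
```

Run from a scheduled task or at logon, a `Suspicious` result means someone already had write access to the system volume, which is the physical-access problem the first answer describes.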