Impossible to modify Windows 10 drives from other OSs

4

3

I'm here to describe an interesting issue I've been facing today, in order to get some hints or solutions.

My goal: access and modify one of my computer's Windows 10 system hard drives in order to run the "utilman bypass" scenario under this fresh new version of M$.

For those who do not know the Utilman bypass: http://fred151.net/en/bypass-windows-logons-with-utilman.exe-trick-and-solution/id/48 (basically replacing the accessibility exe with cmd so we can have admin access at the logon screen).

Well, nothing very complicated so far, but here comes the unexpected:

I boot a recent Kali Live on the computer, mount the system hard drive, and when I run "cp utilman.exe utilman.exe.bak" the outcome is simply: Unsupported operation...

Well, time for ls -la, which gives out "utilman.exe -> unsupported reparse point".

After some web crawling I am left perplexed and upgrade ntfs-3g to the very latest version, which comes up with some kind of "Input/output error" instead of the previous error message.

Time to try ntfsfix and chkdsk /R from the Windows session: everything runs OK and my situation does not change.

I decided to give it a final try from the Windows installation CD via the rescue prompt and face a "the system cannot access file" error when I try to ren C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.exe.bak.

Seems to me like a funny situation, and I wonder if it could be some new security feature introduced with recent Windows 10 or if there is some kind of filesystem trick to put in motion.

PS: Please let me know if I should crosspost or move to a different section; I thought it had its best place here, though, because of the pentest aspect.

PS2: The Windows system is not damaged at all, boots and runs smoothly.

paftiem

Posted 2016-05-16T20:55:54.237

Reputation: 51

Windows 10 has a weird 'quick boot' feature which carries the same problems as hibernating, aka you cannot access drives without a certain command that people just seem to 'know' (can't help you there :P) that removes the quickboot file so you can access the hard drive. – f3rn0s – 2016-05-18T23:22:38.527

I'm looking into it. I think you're right; I'll try some workarounds tonight. – paftiem – 2016-05-19T07:04:27.653

NTFS-3g doesn't support all kinds of reparse points: https://sourceforge.net/p/ntfs-3g/mailman/message/34585312/ http://serverfault.com/questions/742197/determine-target-of-ntfs-reparse-point ; I bumped into this trying to copy some fonts over to my Linux partition. – arielCo – 2016-07-26T00:39:05.403

Interesting article. For people who followed the topic, the previous solution (disabling quickboot) did not work for this investigation. I'll push the research because it is something definitely introduced by Windows 10 and seems quite annoying when dealing with system cmds. Fun fact: I could modify the files on an UNPATCHED Windows 10 but not on any other up-to-date Win10. – paftiem – 2016-07-28T08:44:27.557

Answers

0

In Ubuntu (and Linux in general), Windows NTFS file systems are handled by the ntfs-3g driver.

In Windows 10, Microsoft introduced new kinds of "reparse points", which that driver cannot process.

I would recommend reading this: https://jp-andre.pagesperso-orange.fr/advanced-ntfs-3g.html

and installing the "system compression" and the "deduplicated files" plugins.

It's interesting - please tell us whether it helped.

Helen Craigman

Posted 2016-05-16T20:55:54.237

Reputation: 143
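As an added diagnostic example (not part of the question or the answer above): ntfs-3g exposes the raw reparse data of such a file through its system.ntfs_reparse_data extended attribute, and decoding the REPARSE_DATA_BUFFER header tells you which kind of reparse point produced the "unsupported reparse point" error, and so which of the plugins named above it would need. Tag values and the WOF payload layout follow the public ntifs.h definitions; the sample buffer is constructed.

```python
import os
import struct

# Microsoft reparse tags from ntifs.h. The two 0x8000001x tags are the
# Windows 10-era kinds that stock ntfs-3g reports as "unsupported reparse point".
REPARSE_TAGS = {
    0xA0000003: "mount point (junction)",
    0xA000000C: "symbolic link",
    0x80000013: "deduplicated file (ntfs-3g 'deduplicated files' plugin)",
    0x80000017: "WOF overlay / system compression (ntfs-3g 'system compression' plugin)",
}
WOF_PROVIDERS = {1: "WIM", 2: "file (compressed in place)"}
WOF_ALGORITHMS = {0: "XPRESS4K", 1: "LZX", 2: "XPRESS8K", 3: "XPRESS16K"}
IO_REPARSE_TAG_WOF = 0x80000017


def parse_reparse_data(buf: bytes) -> dict:
    """Decode the REPARSE_DATA_BUFFER header (tag, length, reserved) and, for
    the WOF tag, the WOF_EXTERNAL_INFO + FILE_PROVIDER_EXTERNAL_INFO_V1 payload
    that Windows 10 system compression writes after it."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the 8-byte REPARSE_DATA_BUFFER header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if len(buf) < 8 + data_len:
        raise ValueError("ReparseDataLength exceeds the buffer actually read")
    info = {
        "tag": tag,
        "kind": REPARSE_TAGS.get(tag, "unknown or third-party tag"),
        "microsoft": bool(tag & 0x80000000),  # bit 31: Microsoft-defined tag
        "surrogate": bool(tag & 0x20000000),  # bit 29: name surrogate (redirects elsewhere)
    }
    if tag == IO_REPARSE_TAG_WOF and data_len >= 16:
        _wof_ver, provider, _fp_ver, algo = struct.unpack_from("<IIII", buf, 8)
        info["wof_provider"] = WOF_PROVIDERS.get(provider, f"provider {provider}")
        info["wof_algorithm"] = WOF_ALGORITHMS.get(algo, f"algorithm {algo}")
    return info


def read_reparse_data(path: str) -> bytes:
    """Raw reparse buffer as ntfs-3g exposes it through the
    system.ntfs_reparse_data extended attribute (Linux only)."""
    return os.getxattr(path, "system.ntfs_reparse_data")


# Constructed sample: a WOF 'file provider' buffer as Windows 10 system
# compression writes it (WOF version 1, provider 2, FP version 1, XPRESS4K).
SAMPLE_WOF = struct.pack("<IHH", IO_REPARSE_TAG_WOF, 16, 0) + struct.pack("<IIII", 1, 2, 1, 0)

if __name__ == "__main__":
    import sys
    data = read_reparse_data(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WOF
    print(parse_reparse_data(data))
```

Run it against a file on a mounted NTFS volume to see the tag; with no argument it decodes the constructed sample.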