Hack into Windows using UtilMan.exe or SetHC.exe

E2B v1.92+ contains some scripts in the \_ISO\docs\utilman folder. These can be used to gain access to an unencrypted Windows system.
 
1. E2B must be on a Removable USB Flash drive
2. Copy a Windows 10 Home or Professional Install ISO to the \_ISO\WINDOWS\WIN10 folder

Requirements

  • E2B must be on a Removable USB Flash drive (or E2B USB HDD + WinHelper Flash drive).
  • Optional: a standard Microsoft Windows 10 Home or Professional Install ISO in the \_ISO\WINDOWS\WIN10 folder (not an AIO ISO).
  • Target Windows OS must have OS files in \Windows folder (Vista/7/8/10).
 

Method

If you do not have a bootable WinPE ISO, see the bottom of this page.
 
1. Boot to E2B - Windows Install Menu - Windows 10 - select ISO - choose 'Hack Windows (UtilMan.exe).XML'
 
 
 
 
2. After the files have been patched, boot to Windows and press WIN+U (or click on the Accessibility icon or tap the SHIFT key five times) at the Windows login screen to gain access to the command shell.
 
Then type 2 and press ENTER to create a new ADMIN account.
 
You can now reboot and login as ADMIN (password = admin) - Windows will set up a new C:\Users\ADMIN account for you.
 
Tip: To save rebooting, a quicker method is to click on 'Sleep' and then wake the computer up again.
 
Tip 2: If you just want to change a user's password, instead of typing 2, type control userpasswords2
 
 
 
Now you can gain access with Administrator privileges, access files and change passwords, etc.
 
 
3. When finished, repeat step 2 but type 3 and press ENTER to remove the ADMIN account.
This may also restore the original files by running SFC (but due to Windows bugs, it does not always work!).
 
 
 
Check the size of the three files and run Step 4 if they are all the same size!
If the screen is green, then the files have been restored correctly, but you can run Step 4 to delete the C:\Users\ADMIN folder which is now unused.
 
 
4. Repeat step 1 but choose the 'UnHack Windows (remove UtilMan.exe).XML' file to remove the hack and restore the original files.
 
You can also choose to delete the old \Users\ADMIN folder too.
 
This will restore the original utilman.exe and sethc.exe files and check/repair them with System File Checker (SFC).
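The size check in step 3 can be confirmed by hash on the offline volume, for example from a second machine or a forensic workstation with the Windows partition mounted. This is an added example, not one of the E2B scripts; it assumes the "three files" are cmd.exe, utilman.exe and sethc.exe in \Windows\System32, and that a patched file is a byte-for-byte copy of cmd.exe.

```python
import hashlib
import sys
from pathlib import Path

# Assumption: the "three files" are cmd.exe plus the two accessibility
# binaries named on this page (utilman.exe and sethc.exe).
SHELL = "cmd.exe"
TARGETS = ("utilman.exe", "sethc.exe")


def find_file(folder: Path, name: str):
    """Case-insensitive lookup, so an NTFS volume mounted on Linux also works."""
    for entry in folder.iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_system32(system32) -> dict:
    """Map each target to 'ok', 'patched' (identical to cmd.exe) or 'missing'."""
    folder = Path(system32)
    shell = find_file(folder, SHELL)
    if shell is None:
        raise FileNotFoundError(f"{SHELL} not found in {folder}")
    shell_size, shell_hash = shell.stat().st_size, sha256(shell)
    result = {}
    for name in TARGETS:
        path = find_file(folder, name)
        if path is None:
            result[name] = "missing"
        # Cheap size test first (the check this page describes), then hash.
        elif path.stat().st_size == shell_size and sha256(path) == shell_hash:
            result[name] = "patched"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    # Usage: python check_utilman.py <path to Windows\System32>
    status = check_system32(sys.argv[1])
    for name, state in status.items():
        print(f"{name}: {state}")
    sys.exit(1 if "patched" in status.values() else 0)
```

A result of 'patched' after step 3 means SFC did not restore that file and step 4 is still needed.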
 
For more details, read the ReadMe.txt file in the \_ISO\docs\utilman folder and this blog post.
 
If you are UEFI-booting from a .imgPTN file, you can copy the \_ISO\docs\utilman folder to inside the image (see section below), but MBR-booting from an ISO will still apply the patch correctly.
 
If you don't usually carry a Windows 10 Installation ISO on your E2B drive, you can download a 32-bit Windows 10 Installation ISO and use an ISO editor to delete the large \Sources\Install.wim file to reduce its size. A 32-bit ISO will patch both a 64-bit Windows OS and a 32-bit Windows OS.
 
Note: The XML files contain a Windows Home generic Product Key - if you see a 'licence error' message, copy the file and edit it so that it contains a generic product key which matches your particular Windows ISO.

 

Boot to WinPE without needing any ISO

If you want to hack a Windows 8 or 10 system, you do not even need a WinPE payload on the E2B drive!

We can boot to WinPE from the WinPE Recovery .wim file, which should already be on the Windows system disk.

1. Copy \_ISO\docs\Sample mnu files\Windows\Boot_Recovery_WIM.mnu to the \_ISO\MAINMENU folder

2. Boot to E2B and run the 'Boot to Windows Recovery' menu option. If there is more than one Windows OS, any one will do.

If the system is set to UEFI-boot only, you will need to change the BIOS settings.

3. Pick the correct Recovery option to get to the Command console (this varies depending on Windows version). 

4. Run \_ISO\docs\UtilMan\Utilman1PE_Patch.cmd from the E2B USB drive

Note that this will patch ALL Windows OSes on all disks in the system.

5. Now you can boot to Windows, use SHIFT+F10 and run 2.cmd as detailed above

6. To undo the changes, boot to Windows, use SHIFT+F10 and run 3.cmd as detailed above

7. Finally, boot to the Recovery WinPE console again and run \_ISO\docs\UtilMan\UtilMan4PE_Restore.cmd to tidy up.

 

Note: A Windows 8.1 or compatible version of bootmgr is needed. E2B will warn you if it is missing.

 

"The User Profile Service service failed the sign-in." "User profile can not be loaded"

If you've encountered the 'User Profile Service failed the logon' error in Windows 10, copy the 'C:\Users\Default' folder from a second, non-problematic PC over to your problem PC using a USB drive and copy it to the same location. Rename the existing folder on your problem PC to something else first, just in case you ever need to revert back for any reason. 

Tip: To access the 'Default' folder on your second PC you'll need to turn on hidden files by clicking 'View' in the folder toolbar and selecting 'Hidden items'.