Hack into Windows using UtilMan.exe or SetHC.exe

E2B contains some scripts in the \_ISO\docs\utilman folder. These can be used to gain access to an unencrypted Windows system.
 
 
This process automates and speeds-up the well-known hack of replacing the UtilMan.exe and SetHC.exe files with cmd.exe.
 
It does not work on BitLocker-encrypted volumes.
 
Note: Since September 2018, Windows Defender now detects and removes UtilMan.exe if it has been changed. However, you can still use this method if you are quick and use Safe Mode booting!
 
Use E2B v1.A9 or later.
 
1. E2B must be on a Removable USB Flash drive
2. Copy a Windows 10 Home or Professional Install ISO to the \_ISO\WINDOWS\WIN10 folder

Requirements

  • E2B must be on a Removable USB Flash drive (or E2B USB HDD + WinHelper Flash drive) or use E2B v1.A9+.
  • Optional - Standard Microsoft Windows 8/10 Home or Professional Install ISO - should also work with WinPE ISOs.
  • Target Windows OS must have OS files in \Windows folder (Vista/7/8/10, etc.).
  • Can patch multiple Windows OSs on all disks/partitions in a system.
WARNING: Because of Windows Fast Startup/Fast Boot, always boot to the Windows Login screen first, click Restart, and only then boot to a different OS or to WinPE/E2B before changing the system files. Never try to hack a Windows system that has been 'Shut Down' by the user: it may be in a semi-hibernation state, and any file/registry changes you make offline could cause file corruption!
 

Method

If you do not have a bootable Windows ISO on the E2B drive, see the bottom of this page to see how to boot to the WinRE image on the internal hard disk.
 
A Windows 10 Install ISO is recommended because it should work on any Windows XP/7/8/10 system. You could use a bootable Win8.1 or WinPE ISO such as Gandalf's PE or ChrisR's Win10PESE ISOs.
 
1. Boot to the target system's Windows OS and choose '(Power icon) - click Restart' and at the same time hold down the SHIFT KEY
then choose Troubleshoot - Advanced options - Startup settings - Restart
then reboot to E2B Menu on the USB drive - Windows Install Menu - Windows 8 or 10 - select ISO - Choose the 'Hack Windows (UtilMan.exe).XML' option (see below).
 
Note: Windows PE should automatically assign each hard disk volume a drive letter. If no Windows volumes are found, check using DiskPart that the target volume has a drive letter assigned to it.
 
If you boot to a WinPE OS instead, run "\_ISO\docs\UtilMan\UtilMan1PE_Patch.cmd" from the E2B USB drive to patch the files. Then reboot and go to step 2.
 
2. After the files have been patched, boot to Windows and quickly press WIN+U at the Windows login screen (or click on the Accessibility icon or tap the SHIFT key five times) to gain access to the command shell.
 
Then quickly type 2 and press ENTER to create a new ADMIN account.
 
You may have only 30 seconds to do this...
 
 
Tip1: You may need to reboot to see the new ADMIN account - to save rebooting, a quicker method is to click on 'Sleep' and then wake the computer up again.
 
Tip2: E2B v1.A9+ will also launch control userpasswords2 to allow you to change passwords (you must tick the 'Users must enter Username and Password to use this computer' first).
 
Win8/10 2018-09 and later: The cmd shell may disappear within 30 seconds if you are not quick enough!
 
You can now reboot and login as ADMIN (password admin) - Windows will set up a new C:\Users\ADMIN account for you.
 
 
Now you can gain access with Administrator privileges, access files and change passwords, etc. by logging into the ADMIN account (password=admin).
 
 
3. When finished, repeat step 2 but type 3 and press ENTER to remove the ADMIN account.
This may also restore the original files by running SFC (but due to Windows bugs, it does not always work!).
 
 
 
Check the sizes of the three files that are displayed: if they are all the same size, the originals have not been restored, so run Step 4.
If the screen is green, the files have been restored correctly, but you can still run Step 4 to delete the C:\Users\ADMIN folder, which is now unused.
 
If WIN+U does not work because the patched file has been removed by Windows Defender, remove the ADMIN account by logging into another account which has Administrator rights, run an admin command shell and type 3 to remove the ADMIN account (it uses the command NET USER ADMIN /del).
 
Then reboot and follow Step 4 below.
 
4. Repeat step 1 (Safe mode is not required) but choose the 'UnHack Windows (remove UtilMan.exe).XML' file to remove the hack and restore the original files.
 
You can also choose to delete the old \Users\ADMIN folder too.
 
This will restore the original utilman.exe and sethc.exe files and check/repair them with System File Checker (SFC).
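The size check in Step 3 and the SFC repair in Step 4 can be scripted. The following PowerShell is an added example written for this page, not one of the E2B scripts: it finds every volume that contains a Windows OS, compares utilman.exe and sethc.exe against cmd.exe by size and SHA256 hash, and reports the Authenticode status of each file. The function name Test-AccessibilityBinaries is an assumption of this example; it assumes an elevated PowerShell session, either on the running OS or from WinPE with the target volumes assigned drive letters.

```powershell
# Added example (not part of E2B): report whether utilman.exe / sethc.exe on each
# Windows volume are still distinct from cmd.exe, or are copies of it (the "hack").
function Test-AccessibilityBinaries {
    param(
        # Drive letters to inspect; defaults to every volume holding \Windows\System32\cmd.exe
        [string[]]$Drive = (Get-PSDrive -PSProvider FileSystem |
            Where-Object { Test-Path (Join-Path $_.Root 'Windows\System32\cmd.exe') } |
            ForEach-Object { $_.Name })
    )
    foreach ($d in $Drive) {
        $sys32   = "${d}:\Windows\System32"
        $cmd     = Get-Item (Join-Path $sys32 'cmd.exe')
        $cmdHash = (Get-FileHash $cmd.FullName -Algorithm SHA256).Hash
        foreach ($name in 'utilman.exe', 'sethc.exe') {
            $path = Join-Path $sys32 $name
            if (-not (Test-Path $path)) { continue }   # file removed (e.g. by Defender)
            $file = Get-Item $path
            $hash = (Get-FileHash $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature $path
            [pscustomobject]@{
                Drive         = $d
                File          = $name
                SizeBytes     = $file.Length
                SameSizeAsCmd = ($file.Length -eq $cmd.Length)   # the Step 3 "same size" check
                SameHashAsCmd = ($hash -eq $cmdHash)             # definitive: it IS cmd.exe
                Signature     = $sig.Status                      # 'Valid' on an untouched online OS
                Signer        = $sig.SignerCertificate.Subject
                Suspicious    = ($hash -eq $cmdHash) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

# Print the report; a 'True' in SameHashAsCmd means the original has not been restored.
Test-AccessibilityBinaries | Format-Table -AutoSize
```

Two caveats when reading the output. Windows system binaries are catalog-signed, so a renamed copy of cmd.exe still verifies as 'Valid' (the catalog matches the hash of cmd.exe); the hash comparison, not the signature column, is what detects the hack, while the signature column only catches a replacement that is not a Microsoft file. Secondly, catalog verification only works for the running OS, so from WinPE the Signature column of an offline volume will show NotSigned and should be ignored. After the originals are restored, `sfc /verifyonly` on the live system confirms that they match the component store, which is what the 'UnHack' XML does for you.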
 
For more details, read the ReadMe.txt file in the \_ISO\docs\utilman folder and this blog post.
 
If you are UEFI-booting from a .imgPTN file, you can copy the \_ISO\docs\utilman folder to inside the image (see section below), but MBR-booting from an ISO will also apply the patch correctly.
 
If you don't usually carry a Windows 8/10 Installation ISO on your E2B drive or a suitable WinPE ISO, you can download a 32-bit Windows 10 Installation ISO and use an ISO editor to delete the large \Sources\Install.wim file to reduce its size. A 32-bit ISO will patch both a 64-bit Windows OS and a 32-bit Windows OS.
 
Note: The XML files contain a Windows Home generic Product Key - if you see a 'licence error' message, copy the file and edit it so that it contains a generic product key which matches your particular Windows ISO.

 

UEFI-booting

 
If you can boot from an ISO in MBR-mode, you should be able to patch any MBR or UEFI Windows OS.
 
If your target system can ONLY UEFI-boot...
 
  1. Switch to a WinPE UEFI-bootable .imgPTN file (e.g. Strelec WinPE, ChrisRPESE, Gandalf or a Microsoft Windows Installer, etc.) - Do NOT boot to a WindowsToGo OS.
  2. Copy the \_ISO\docs\UtilMan folder to the USB drive - e.g.  \UtilMan.
  3. Boot the target Windows system and click 'Restart', then UEFI-boot to WinPE from E2B and ensure that all the OS drives that you wish to 'patch' have a drive letter assigned. Some WinPEs, such as Sergei Strelec's, may not assign drive letters to other volumes.
     If you don't want to patch some OS volumes, 'offline' them or remove their drive letter (e.g. using diskmgmt.msc or DiskPart).
  4. Run \Utilman\UtilMan1PE_Patch.cmd to patch all volumes with a drive letter that have a Windows OS.
  5. Now remove the USB drive and boot to the Windows OS as usual.
  6. Follow Steps 2 and 3 in the Method section above.
  7. To remove the patch, UEFI-boot from the E2B USB drive again and ensure the drive(s) you wish to unpatch have a drive letter assigned.
  8. Run \UtilMan\UtilMan4PE_Restore.cmd to unpatch the OS.
 
Tip: If your E2B USB drive is a Removable type, you could add a suitable \Unattend.XML file to the root of the image inside the .imgPTN file so that it automatically runs \Utilman\UtilMan1PE_Patch.cmd. If the USB drive is a Fixed-disk type, you will need to add the XML file into the \sources\boot.wim file. I cannot give exact instructions because it depends on what WinPE image you are using.
 
 

Boot to WinPE without needing any ISO

If you want to hack a Windows 8 or 10 system, you do not even need a Windows ISO on the E2B drive!

We can boot to WinPE using the system's own Recovery .wim file, which should already be on the Windows system disk.

1. Copy \_ISO\docs\Sample mnu files\Windows\Boot_Recovery_WIM.mnu to the \_ISO\MAINMENU folder

2. Boot to E2B and run the 'Boot to Windows Recovery' menu option. If there is more than one Windows OS, any one will do.

If the system is set to UEFI-boot only, you will need to change the BIOS settings to enable MBR\Legacy\CSM boot.

3. Pick the correct Recovery option to get to the Command console (this varies depending on the Windows version).

4. Run \_ISO\docs\UtilMan\Utilman1PE_Patch.cmd from the E2B USB drive

   Note that this will patch ALL Windows OSs on all disks in the system.

5. Now you can boot to Windows and run 2.cmd as detailed above.

6. To undo the changes, boot to Windows and run 3.cmd as detailed above.

7. Finally, boot to the Recovery WinPE console again and run \_ISO\docs\UtilMan\UtilMan4PE_Restore.cmd to tidy up.

Note: To boot to the Windows Recovery wim file, a Windows 8.1 or compatible version of bootmgr is needed on the E2B USB drive. E2B will warn you if it is missing.

 

"The User Profile Service service failed the sign-in." "User profile can not be loaded"

If you encounter the 'User Profile Service failed the logon' error in Windows 10, copy the 'C:\Users\Default' folder from a second, non-problematic PC to a USB drive and then copy it to the same location on your problem PC. Rename the existing folder on your problem PC to something else first, in case you ever need to revert for any reason.

Tip: To access the 'Default' folder on your second PC you'll need to turn on hidden files by clicking 'View' in the folder toolbar and selecting 'Hidden items'.