Friday, 3 November 2017

Add the E2B UtilMan password hack to any WinPE ISO's desktop

If your E2B USB drive contains bootable WinPE ISOs (e.g. Gandalf, Strelec, Bob Om, etc.), you can add shortcuts to the WinPE Desktops which will run the E2B UtilMan hack files. This will allow you to hack into any Windows system that is not encrypted.

1. First you need to add the PEStartup files and \TheOven_Startup.cmd to your E2B drive, as detailed in a previous blog here. For example, for a version with PortableApps already added, download and extract the PEStartup_Papps version to the E2B drive.

2. Next, boot to your WinPE ISO on the E2B USB drive (or if you prefer, you can double-click on the \AIO\Tools\PEStartup\PEStartup_x86.exe or PEStartup_x64.exe under your current Windows OS - but do not click on the 'Options - Perform' button or it will alter your Windows system!).

Some WinBuilder PEs such as Gandalf and Bob Om's PE v8 will automatically run PEStartup when WinPE boots. For other WinPEs, you will need to double-click on \TheOven_Startup.cmd to run PEStartup.

3. Now use PEStartup to add Shortcuts for \_ISO\docs\UtilMan\Utilman1PE_Patch.cmd and UtilMan4PE_Restore.cmd as shown in the screenshot below:

Note: The four .cmd files can be moved to any folder or partition; they do not have to be in the \_ISO\docs folder.

Note the two shortcuts have been added to the Gandalf WinPE Desktop...

For a 32-bit PE, you will need to boot to a 32-bit PE and add the shortcuts.
For a 64-bit PE, you will need to boot to a 64-bit PE and add the shortcuts.

Now, whenever you boot to WinPE ISOs, you should see the shortcuts on the WinPE Desktop (if not, just run \TheOven_Startup.cmd).

Hacking Windows

Now you can 'hack' local Windows accounts as described here.

Basically, the steps are:

1. Boot to your WinPE ISO from the target Windows system and run the UtilMan1PE_Patch shortcut to patch the Windows OS.
2. Boot from the target system hard disk to its Windows OS.
3. Press WinKey+U or the SHIFT key 5 times to get to a command prompt.
4. Type 2 and press ENTER to add a new ADMIN account (password=admin).
5. Login as ADMIN and do whatever you want.
6. Repeat step 3 and type 3 and press ENTER to remove the hacked files.
7. If the previous step did not fully work, repeat step 1 but run the Utilman4PE_Restore shortcut.

To avoid others hacking your Windows OS in the same way, use BitLocker to encrypt your files and set a BIOS boot password.
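
To check a running Windows install for leftovers of this patch, the PowerShell below can be run on the system itself. It is an added example, not part of the E2B scripts, and assumes the patch works by swapping or redirecting the programs behind WinKey+U (utilman.exe) and five SHIFT presses (sethc.exe) to a command shell; it needs Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the E2B project): look for signs of the UtilMan patch.
# Assumption: utilman.exe / sethc.exe were replaced by, or redirected to, a shell.
$sys32   = Join-Path $env:SystemRoot 'System32'
$targets = 'utilman.exe', 'sethc.exe'      # started by WinKey+U and by 5x SHIFT
$shells  = 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe'
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Hash and version-resource name of each shell a swapped binary would most likely be.
$shellInfo = foreach ($s in $shells) {
    $p = Join-Path $sys32 $s
    if (Test-Path $p) {
        [pscustomobject]@{
            Path = $p
            Hash = (Get-FileHash $p -Algorithm SHA256).Hash
            Name = (Get-Item $p).VersionInfo.OriginalFilename
        }
    }
}

$findings = @(foreach ($t in $targets) {
    $path = Join-Path $sys32 $t
    if (-not (Test-Path $path)) { "$t is missing from System32"; continue }

    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    foreach ($s in $shellInfo) {
        if ($hash -eq $s.Hash) { "$t is byte-identical to $($s.Path)" }
        elseif ($orig -and $orig -eq $s.Name) { "$t carries the version resource of $($s.Name)" }
    }

    # Genuine system binaries are Microsoft-signed (usually via a catalog).
    $sig = Get-AuthenticodeSignature $path
    if ($sig.Status -ne 'Valid') { "$t signature status is $($sig.Status)" }

    # A Debugger value under IFEO makes Windows start another program instead of $t.
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $t) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "$t has an IFEO Debugger set: $dbg" }
})

# Step 4 above creates a local account named ADMIN; flag it if it is still there.
$acct = Get-LocalUser -Name 'ADMIN' -ErrorAction SilentlyContinue
if ($acct) { $findings += "local account 'ADMIN' exists (enabled: $($acct.Enabled))" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No indicators of the accessibility-binary patch were found.' }
```

A clean result only covers the indicators listed in the script; an ADMIN account may also be a legitimate one created by the machine's owner.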