1 vote

I'm trying to create a simple backdoor for myself through Utilman on my computer using AutoHotkey. Basically, I want the Ease of Access button to function normally in all cases on the login screen, except when I hold down the M key, in which case it opens cmd instead. No batch or cmd window should pop up, and none does. The issue I'm having is that I get a "file not found" error from the script. I compiled the script into Utilman.exe and tested it with a copy of the real Utilman (renamed to lol.exe, which the script is set to run normally), and this works fine in its own directory. However, when I do this in the System32 folder it gives an error that lol.exe is not found; executing lol.exe on its own gives the exact same error, as if it reroutes to the script named Utilman yet again. Here is the script; it should be short and simple:

SetWorkingDir %A_ScriptDir%      ; look for lol.exe next to the compiled script
Sleep 400                        ; give the user a moment to hold down M
GetKeyState, state, m            ; state becomes D (down) or U (up)
if state = D
    Run cmd.exe
else
    Run lol.exe                  ; renamed copy of the real Utilman
Sleep 200
ExitApp

Thanks for any pointers, alternative suggestions or ideas. This would be great to get working.

EDIT: Changing Run lol.exe to Run, "C:\Windows\System32\lol.exe" now gives an "exe corrupted" error instead. This also happens if I run lol.exe on its own; I'm really not sure what's happening.

EDIT2: Running the script from a different location again gives the file not found error, rather than the exe corrupted error.

EDIT3:

SetWorkingDir %A_ScriptDir%
Sleep 400
GetKeyState, state, m
if state = D
    Run cmd.exe
else
    Run %A_WinDir%\system32\control.exe access.cpl
Sleep 200
ExitApp

This works perfectly everywhere EXCEPT the System32 folder, where it gives the "exe corrupted" error even when run with elevated permissions. This is frustrating.

1
Have you tried executing the script with elevated permissions? Does the script work if lol.exe is located in your profile folder, like my documents? - jmstoker
Yes, it appears that the Utilman exe loops back on itself somehow and gives an error. Renaming it to lol.exe causes an "exe corrupted" error; the only way that the file works normally is if it's alone, linking itself. Is there a specific cpl for the Ease of Access Centre that I could have the script open in lieu of using Utilman.exe? - user2840898

1 Answer

0
votes

I suggest a slightly different approach. Replacing utilman.exe, or basically anything in the System32 folder, isn't a good idea, since you can't really know what the OS is doing with them in the background (e.g. checking hash sums, expecting specific output, etc.).
There's a better way to replace Utilman with any executable you want without the need to manipulate any files in the Windows folder: the registry provides an option called Image File Execution Options. This basically lets you replace an exe by name. While this could be problematic with non-unique names, I believe running into trouble with utilman.exe is less likely.

1) Compile your script anywhere you want. I suggest using the following code as a basis:

Sleep, 1000                 ; window during which the m:: hotkey below can fire
; Here's what you want to do/run instead of cmd:
Run, calc.exe
ExitApp

m::                         ; M pressed while the Sleep above is still running
    Run, %ComSpec%          ; built-in variable holding the path of cmd.exe
    ExitApp
return

2) In the registry, go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

3) Add a new key called utilman.exe (in the folder view on the left), and in it, add a key called Debugger. Set its value to the path in double quotes of the exe you'd like to run instead, e.g. "C:\some\file.exe". It will look like this (sorry for the German): [screenshot of the registry key]

Your replacement will now run whenever an executable called utilman.exe is started.

4) Click the Ease of Access button. CMD will open when you hold down M before you click, as well as when you press it just after the click. Modify the Sleep in the script above to set how long to wait for the key press.

Update:

I get your problem now. From the lock screen, it just doesn't seem to work. Interestingly enough, you aren't even able to open the Control Panel or anything similar from the Windows standard functions (like opening My Computer) when you're on the lock screen. I tried the following from cmd while locked: open explorer.exe, click on the Start menu that appears, open the Control Panel. I also opened Internet Explorer from the Start menu and pressed F1.
After a while, a weird error message appears that, freely translated, says: "Starting the server failed".
Running Ease of Access can be achieved in several ways; besides your way, I tried:

Run, control.exe /name Microsoft.EaseOfAccessCenter 

and

Run rundll32.exe shell32.dll`,Control_RunDLL access.cpl

Both work while logged in, but neither of them works while the screen is locked; both trigger the server start error. Unfortunately, I'm at my wit's end here. Maybe someone else has an idea...
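For the administrator's side of this thread: an added example (not from the question or the answer) that audits a machine for the two redirection routes discussed here, an IFEO Debugger value under the utilman.exe subkey and a replaced System32\Utilman.exe that no longer carries a valid Microsoft signature. The function names and the 'Valid'/'Microsoft' checks are my own choices; the script only reads and changes nothing.

```powershell
# Added example: read-only audit of the utilman.exe launch path. Run from an elevated prompt.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$target   = 'utilman.exe'   # accessibility launcher that is reachable from the logon screen

# Returns the Debugger value set for an image name, or $null when no redirect exists.
function Get-IfeoDebugger {
    param([string]$ImageName)
    $key = Join-Path $ifeoRoot $ImageName
    if (-not (Test-Path $key)) { return $null }
    $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    if ([string]::IsNullOrWhiteSpace($dbg)) { return $null }
    return $dbg
}

# Reports the Authenticode status of the on-disk System32 binary.
# Assumption: on Windows 8 and later Get-AuthenticodeSignature also verifies catalog-signed
# files; on older systems a genuine file may report NotSigned, so treat that as "inspect".
function Get-System32SignatureInfo {
    param([string]$ImageName)
    $path   = Join-Path $env:SystemRoot "System32\$ImageName"
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer }
}

$debugger = Get-IfeoDebugger -ImageName $target
if ($debugger) {
    Write-Warning "IFEO Debugger set for $target -> $debugger (launch is being redirected)"
} else {
    Write-Host "No IFEO Debugger value for $target"
}

$bin = Get-System32SignatureInfo -ImageName $target
if ($bin.Status -ne 'Valid' -or $bin.Signer -notmatch 'Microsoft') {
    Write-Warning "$($bin.Path): signature status $($bin.Status), signer $($bin.Signer)"
} else {
    Write-Host "$($bin.Path): valid Microsoft signature"
}
```

After confirming a redirect is unwanted, the fix is to delete the Debugger value with Remove-ItemProperty on the same key; a binary with a bad signature is restored from the installation media or via sfc /scannow.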