Hack into Windows using UtilMan.exe or SetHC.exe
Note: Since September 2018, Windows Defender now detects and removes UtilMan.exe if it has been changed. However, you can still use this method if you are quick and use Safe Mode booting!Use E2B v1.A9 or later.
- E2B must be on a Removable USB Flash drive (or E2B USB HDD + WinHelper Flash drive) or use E2B v1.A9+.
- Optional - Standard Microsoft Windows 8/10 Home or Professional Install ISO - should also work with WinPE ISOs.
- Target Windows OS must have OS files in \Windows folder (Vista/7/8/10, etc.).
- Can hack multiple Windows OS on all disks\partitions in a system
WARNING: Due to Windows Fast Startup/Fast Boot - always first boot to the Windows Login screen and then click Restart and then boot to a different OS or WinPE/E2B before changing the system files. Never try to hack a Windows system that has been 'ShutDown' by the user because it may be in a semi-hibernation mode and any file/registry changes you make offline could cause file corruption!
Note: The XML files contain a Windows Home generic Product Key - if you see a 'licence error' message, copy the file and edit it so that it contains a generic product key which matches your particular Windows ISO.
- Switch to a WinPE UEFI-bootable .imgPTN file (e.g. Strelec WinPE, ChrisRPESE, Gandalf or a Microsoft Windows Installer, etc.) - Do NOT boot to a WindowsToGo OS.
- Copy the \_ISO\docs\UtilMan folder to the USB drive - e.g. \UtilMan.
- Boot the target Windows system and click 'Restart' then UEFI-Boot to WinPE from E2B and ensure that all the OS drives that you wish to 'patch' have a drive letter assigned. Some WinPE's such as Sergie Strelec may not assign drive letters to other volumes.
If you don't want to patch some OS volumes, then 'offline' them or remove their drive letter (e.g. using diskmgmt.msc or DiskPart).
- Run \Utilman\UtilMan1PE_Patch.cmd to patch all volumes with a drive letter that have a Windows OS.
- Now remove the USB drive and boot to the Windows OS as usual.
- Follow Steps 2 and 3 in the Method section above.
- To remove the patch, UEFI-boot from the E2B USB drive again, ensure the drive(s) you wish to unpatch have a drive letter assigned.
- Run \UtilMan\UtilMan4PE_Restore.cmd to unpatch the OS.
Boot to WinPE without needing any ISO
If you want to hack a Windows 8 or 10 system, you do not even need a Windows ISO on the E2B drive!
We can boot to the system's own WinPE Recovery .wim file to boot to WinPE - it should already be on the Windows system disk.
1. Copy \_ISO\docs\Sample mnu files\Windows\Boot_Recovery_WIM.mnu to the \_ISO\MAINMENU folder
2. Boot to E2B and run the 'Boot to Windows Recovery' menu option. If there is more than one Windows OS, any one will do.
If the system is set to UEFI-boot only, you will need to change the BIOS settings to enable MBR\Legacy\CSM boot.
3. Pick the correct Recovery option to get to the Command console (this varies depending on Windows version).
4. Run \_ISO\docs\UtilMan\Utilman1PE_Patch.cmd from the E2B USB drive
Note that this will patch ALL Windows OS's on all disks in the system.
5. Now you can boot to Windows and run 2.cmd as detailed above
6. To undo the changes, boot to Windows and run 3.cmd as detailed above
7. Finally, boot to the Recovery WinPE console again and run \_ISO\docs\UtilMan\UtilMan4PE_Restore.cmd to tidy up.
Note: To boot to the Windows Recovery wim file, a Windows 8.1 or compatible version of bootmgr is needed on the E2B USB drive. E2B will warn you if it is missing.
"The User Profile Service service failed the sign-in." "User profile can not be loaded"
If you've encountered the 'User Profile Service failed the logon' error in Windows 10, copy the 'C:\Users\Default' folder from a second, non-problematic PC over to your problem PC using a USB drive and copy it to the same location. Rename the existing folder on your problem PC to something else first, just in case you ever need to revert back for any reason.
Tip: To access the 'Default' folder on your second PC you'll need to turn on hidden files by clicking 'View' in the folder toolbar and selecting 'Hidden items'.
Recommended for Easy2Boot (fastest!) - SanDisk Extreme SDCZ880-128G-G46