How to Launch Command Prompt or Other Programs Using “Ease of Access” Button at Login Screen in Windows Vista and Later?
Recently an AskVG reader “zydrius sMiLe” contacted me and asked me how can he remove or hide “Get help” button from Windows Explorer’s Command Bar (aka Folder Band or Toolbar) in Windows 7? You can see this button present at the extreme right-side of the Command Bar in Windows Vista and Windows 7 Explorer. Once you click on it, it opens Windows Help window.
I tried to find its code using my favorite Resource Hacker tool. I first tried to look into Shell32.dll file and it was the right file luckily. I found the code and removed it. I compiled and saved the file, restarted Windows and BOOM!!! Windows crashed at login screen and I couldn’t log into Desktop. Since it crashed Explorer, I also couldn’t access Task Manager. I had to enter into Recovery Console and restored the default file.
I again tried many times, I tried to modify the code but each time I restarted, it crashed Windows at login screen.
Advertisement
Anyway that’s a different story but I’m sharing it with you all because this incident gave me an interesting idea. Since I was able to reach login screen but couldn’t log into Desktop, I thought that wouldn’t it be great if we could get access to Command Prompt at login screen so that we can restore files or run other commands in case we are unable to log into Windows.
Actually it happens many times when Windows crashes at login screen due to corrupt or missing system files and the only way to fix this kind of problem is to restore system or repair or reinstall Windows.
So it would be really great if we can launch Command Prompt at login screen and then we’ll be able to restore default system files if our modified file doesn’t work properly.
I know it would be a security risk and other people can execute commands to reset password, create or remove user accounts, etc using Command Prompt at login screen but it would not be the case if you are the only user of your computer.
Now the question comes how can we access Command Prompt at login screen? Simple! By changing “Ease of Access” button action. Windows login screen contains an “Ease of Access” button present at the bottom-left corner which launches Ease of Access window to help you in making your system easier to use by enabling narrator, magnifier, etc.
Actually its target file is stored in “Windows\System32” folder with the name “utilman.exe” so if we replace this file with Command Prompt’s exe file “cmd.exe“, we can get access to Command Prompt at login screen by clicking on Ease of Access button.
Advertisement
The bonus part is that we can not only replace it with Command Prompt’s exe file but we can also replace it with any other desired EXE file such as Solitaire game’s exe file, MS Paint, Notepad, etc.
So we can replace it with Solitaire game and then it would not be a security risk at all and guest users who don’t know the password, can pass their time by playing the game until you type the correct password for them.
So if you also want to replace Ease of Access button with your favorite program or Command Prompt, please follow these simple steps:
1. Open Windows Explorer and go to C:\Windows\System32 folder. Here C: is the system drive where Windows is installed in your system. If you installed Windows in any other partition, replace C: with the appropriate drive letter.
Alternatively you can directly open “System32” folder by running system32 command in RUN dialog box.
2. Once you open System32 folder, look for a file with the name utilman.exe. Before replacing the file, you’ll need to take ownership of it.
You can take its ownership using following tutorial:
Add “Take Ownership” Option in Files and Folders Context Menu in Windows
3. After taking ownership, rename the file to some other name such as utilman_bak.exe or any other desired name.
4. Now the final step. Copy cmd.exe file from same “System32” folder and paste in same folder. Windows will create a copy of cmd.exe with the name “cmd – Copy.exe“. Rename it to utilman.exe and you have done.
5. Lock or log off and when you’ll click on Ease of Access button at login screen, you’ll get immediate access to Command Prompt.
You can replace it with any other desired program’s EXE file as mentioned above. Just copy your desired program’s EXE file from its folder and paste it in System32 folder. Following screenshot shows Solitaire game running at login screen:
You can also replace original utilman.exe file with Explorer.exe file and you’ll get access to your Desktop and all at login screen. 😉
If you want to restore action of Ease of Access button, simply delete new utilman.exe file and rename the backup file of utilman to its original name utilman.exe.
So which program would you like to run at login screen using this trick? Feel free to share your feedback about this tutorial in your comment…
UPDATE:
You can also use following Registry tweak to replace “Ease of Access” button at Login Screen with any other desired program:
[Windows Tip] Replace “Ease of Access” Button with Other Programs on Login Screen
There is also a similar trick, and can be done on a machine without knowing a user password at all, essentially using a recovery disk to change the funtion of sticky keys (pressing SHIFT 5 times in sucession) to open a command prompt. This solution allows you to reset passwirds etc at the logon screen. However, the difference in this approach is that you dont have to own the machine. Very interesting indeed.
1. Boot your computer using your Windows installation disc.
2. Wait for the setup files to load, and select your language. Click Next.
3. Click the Repair your computer link on the Install Windows screen.
4. Select the operating system to repair, and note the drive letter on which the OS is installed (it is probably C: or D:). Click Next.
5. Click Command Prompt at the bottom of the list of recovery tools.
Now you need to overwrite the Sticky Keys executable with the Command Prompt executable. Sticky Keys is an accessibility feature that allows a user to tap the Shift, Ctrl, Alt, or Windows key once to achieve the same effect as holding the key down. Ordinarily, tapping Shift five times activates Sticky Keys–but with this trick, you are going to make tapping Shift five times activate the Windows Command Prompt instead.
1. In the Command Prompt window, type copy c:\windows\system32\sethc.exe c:\ and press Enter.
2. Type copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe and press Enter.
3. Exit the Command Prompt and reboot the computer. At the login screen, tap Shift five times. The Command Prompt will pop up.
4. Type net user username password, replacing username with your username and password with a new password.
5. Exit the Command Prompt, and log in using your new password.
To prevent another user from exploiting the same trick to reset your password, you can restore Sticky Keys as follows:
1. Step through the instructions above to boot the PC using your Windows installation disc, open the recovery tools, and launch the Command Prompt.
2. Type copy /y c:\sethc.exe c:\windows\system32\sethc.exe and press Enter.
3. Exit the Command Prompt and reboot the computer. Pressing Shift five times will now activate Sticky Keys instead of the Command Prompt. Store your Windows installation disc in a secure location.
Even easier, you can use a Linux Live USB and just do a copy-paste, then the computer is yours… I was always under the impression that Windows passwords were pretty useless anyway…
In which user context/account runs the program utilsman.exe or the substitute? SYSTEM account, Guest, …? Hope that it is an account with low rights…..
Hi, I have developed a sw using Matlab that access the webcam. I want to run the program at the start up and i can use it my face as a password. How can i do this?
@Fer: Strongly not recommended. In addition to open/save dialogs, Internet browsers are working with potentially malicious code, and the process would be running as SYSTEM with full access to the entire system.
@Andreas: Yes, the process runs as SYSTEM, the highest privileged account in the system, even more privileged than Administrator.
Neat trick! This is very helpful for resetting logon passwords by temporarily connecting the system drive that needs the password reset into a functioning system and doing this tweak (replacing utilman.exe with cmd.exe), and then booting the system up and running a program from cmd.exe to create a new administrative account or change the password on an existing account. On the logon screen, you basically have full control of the computer from cmd.exe.
As far as security goes, I will point out that a seemingly innocent program like a simple game would pose a huge security risk if it has an Open or Save dialog. All the user has to do is call up the dialog (by clicking, say, “Save game”) and when the dialog opens, you have a mini-explorer window that you can browse the contents of all the disks in the system, send files to a USB stick, delete files, and launch other programs from. So beware. 🙂
I tried to replace the utilman.exe with WMP’s exe file, but it not working because the WMP components is stored in the original WMP folder. If you still want to change the ease of acess icon with your installed program, you can do following trick:
1. Run cmd as Administrator
2. Write this script:
regwrite “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger”,”(path of your installed program)”
3. Press enter.
4. Now try to lock your computer and click on the ease of access logo. Now you’ve got an access to open your installed program.
It is a security risk. But if you locked yourself out of your home computer it works well. If you are worried about security risks don’t run windows.
So I did this same trick with sticky keys, so when I’m in the login screen I turn on sticky keys, hit shift a bunch and cmd pops up. Then I type explorer.exe and I’m in the system account, only thing is it closes after about 5 min and all I see is the original login screen and I have to repeat the steps to get back there. Is there a way to extend the time I can stay in explorer.exe so I can stay as long as I want
@James Baxter, I have the same problem, after 3 minutes the action center pops up, and 2 min later everything closes and I have to redo all the steps you mentioned. VG PLEASE HELP
I tried it, but when I click the Ease of Access button, nothing happens.
This is pissing me off because i keep looking for this but the only reason i want the command prompt box to show up is because i want to change my admin password but i dont remember it so i have to do it from guest but its not possible.
hi VG, i remember reading something similar that involved replacing the ease of access button but it was replaced with something that could let me take a screenshot of the login screen (printscreen). i cannot seem to find the article, i think i read about it in here but i could be mistaken. if it was from here please link me to it, thank you.
^^ No. I have not shared such thing in past. Sorry. But you can try Virtual Box or similar virtualization software to take screenshots of any screen.
i see. i will look around then. thanks for the quick response and for the tip.
Hey VG any idea how this can be done on windows 2003 server?
I just wanted to say thanks …. Thanks to your “tip” , my logon screen looks now like this:
oi61.tinypic.com/zskeup.jpg
Thanks once again and keep up the good work ! Cheers .
In RH in system32/authUI.dll goto Bitmap/12213 for the E.O.A. icon, and around Bitmap/12266 for the button underneath.
i can replace it with chorme but how can i start internet processes??
it is giving error on chorme ,how can i run internet with this pls pls help
If you really think that being the only user means this isn’t a security risk, then why even bother having a login at all? You might as well have the computer skip the login screen and boot straight to the desktop.
hi VG could you till me how to CMD on login screen when the computer is locked and this trick is not applied to that computer. My desktop is locked and I can’t access my file and windows app store games which are very dear to me and don’t want to loose them so could you till me a way to unlock it. Thanks
^^ You’ll need to boot using Windows setup disc and enter into Recovery Console/Command Prompt to access those files.
Is there any way to launch CMD as administrator in Windows 8.1 or windows 10 Lock screen?
Windows 8.1 x64
Thanks in Advance
^^ I dont think unless you develop an EXE to launch CMD as Administrator. You can also try to activate built-in Administrator account and use that:
https://www.askvg.com/how-to-enable-activate-hidden-administrator-account-in-windows-vista/
Is there a way to set it to command prompt and rejoin a computer if you can only login as a domain end user without local admin rights? I’m always running into instances where the local admin account will become locked.. However the group policy settings for lock is set to 5min.. but we can login on cached credentials with admin rights.
Hey, im using windows 10 and i can’t find the ultiman.exe file. I just only find utilman.exe.mui version of it. What do i do now ?
I have a simple registry trick to change the EOA button command without breaking any system files.
1. Open regedit.
2. Go to key HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
3. Make a new key under it “utilman.exe”
4. In utilman.exe key, create a string value “Debugger”
5. Set the value as the path of your file. It can be any file type.
For those of you whom are prone to calling windows an insecure option. These tricks are used to allow in most cases administrators the ability to run other commands on forgotten laptops. We have all drives encrypted with a enterprise deployed bitlocker and also have directaccess enabled. All laptops are protected with bios password and secure boot enabled to prevent anything else other then the assigned drive to boot. Only IT director has the password. This affords us to use these tricks on a stagnant laptop that has not been used for sometime and its trust relationship with the domain has been compromised. The laptop’s data is secure unless they knows the proper reverse decrypt key and as a failsafe all laptops in my environment can be remotely wiped thanks to directaccess, I consider a properly designed windows environment more secure then anything out there.
Boom!
please solve my problem when i click the ease of access icon to launch the command prompt like this -administratorc:\windows\system32\utilman.exe
Hello VG,
I’ve been periodically trying to diagnose a black screen with mouse cursor (BEFORE login, and also the same in all safe modes) probelm and replaced Sticky Keys with the command prompt. It was working nicely to allow me access to various Windows tools to toggle without having to log in (which is impossible because the login window has multiple accounts and is black. Ufortunately I activated Diagnostic Startup via MSConfig. Now Sticky Keys no longer works and I can’t revert the setting. It looks like Ease of Action is disabled for Diagnostic Startup, thus hitting Shift 5x or WinKey+U is useless. Do you have any idea how I can reset MSConfig to Normal Startup, possibly via a regedit in the Recovery Environment? I’m comfortable doing so but have no idea which keys to edit.
^^ Are you not able to launch msconfig again?