Most windows systems (Vista, Windows 7, Window 8 etc.) allow you to access the Utilman.exe “Ease of Access” application on the login page. As the end-user has not yet logged in, Windows will start this application using NT Authority rights.
So if you are able to boot a Windows machine with for example a Kali image and no drive encryption is applied. You can easily replace the Utilman.exe with cmd.exe or your own payload and have it run with NT Authority rights by clicking on the Ease of Access icon on the logon page.
Want to know how? Just follow the steps below:
1. Boot you windows machine with for example Kali or any other Live CD.
2. Browse to the Windows System32 folder of you Windows machine and locate the Utilman.exe
3. Rename the orginal Utilman.exe to for example Utilman-old.exe
4. Browse to the Windows System32 folder of you Windows machine and locate CMD.exe
5. Make a copy of CMD.exe and rename it to Utilman.exe
6. Boot you Windows machine as normal.
7. Click on the Ease of Access button and check put the Command Prompt.