How to Log In to Windows Without the Password

Friday, July 08, 2011

Dan Dieterle


I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?

Well, there seem to be a couple of utilities out there that claim to allow you to do this. We tried a Linux Live-CD based one that was supposed to allow you to change any Windows password, but it didn’t work.

I even tried Kon-Boot, both the CD based and USB flash drive variety. Kon-Boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, and after it has booted, it loads your OS.

Then you can put in any password, or hit Enter, and it bypasses the login and allows you into the user's account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.

What to do? Well, I figured I would give my article from last year a shot to see if it still worked.

(Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. Messing with system files could leave your system in an unstable state; if you choose to continue, you do so at your own risk.)

So I booted into Ubuntu, went to the Windows System32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted. At the Windows login prompt I hit the “Windows”+“U” key and up pops a system level command prompt. From here you can type any Windows command, add users, etc.

The funny part is you can type “explorer.exe”, hit Enter, and you get a System level desktop. From here you can open Internet Explorer and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background, protecting(?) your system.


I found the Utilman modification solution on Microsoft’s TechNet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal.

Modifying the “sethc.exe” program in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key five times in a row, the Sticky Keys dialog box will pop up.

Doing so when the sethc file has been replaced with a copy of command.com opens up a system command prompt at the login screen, just like the utilman modification above.

This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of the Windows Server products. Windows protects these system files from being modified while Windows is running, but booting into Linux to alter them takes a couple of minutes at most.
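As an added defender's check (not part of the original post, and not a Microsoft tool), the following Python script looks for the exact swap described above: an accessibility binary in System32 that is byte-identical to cmd.exe, plus renamed originals such as utilman.old left beside it. The directory built by build_sample_system32 is constructed for demonstration; point find_swapped_binaries at a real System32 directory (for example on a mounted offline image) to scan it.

```python
import hashlib
import tempfile
from pathlib import Path

# The two accessibility helpers the post swaps for cmd.exe; Windows runs them
# as SYSTEM from the logon screen. Extend this tuple as needed.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_binaries(system32: str) -> dict:
    """Scan a System32 directory for the swap described in the post.

    'replaced' lists accessibility binaries that are byte-identical to cmd.exe;
    'leftovers' lists renamed originals (utilman.old, sethc.bak, ...) that a
    manual swap tends to leave behind next to the real file.
    """
    root = Path(system32)
    cmd = root / "cmd.exe"
    cmd_hash = sha256_of(cmd) if cmd.is_file() else None
    replaced, leftovers = [], []
    for name in ACCESSIBILITY_BINARIES:
        target = root / name
        if cmd_hash and target.is_file() and sha256_of(target) == cmd_hash:
            replaced.append(name)
        for sibling in root.glob(name[:-4] + ".*"):  # e.g. utilman.old
            if sibling.is_file() and sibling.suffix.lower() != ".exe":
                leftovers.append(sibling.name)
    return {"replaced": replaced, "leftovers": sorted(leftovers)}


def build_sample_system32() -> str:
    """Constructed stand-in for System32: utilman.exe swapped, sethc.exe intact."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    (root / "cmd.exe").write_bytes(b"MZ constructed cmd.exe")
    (root / "utilman.exe").write_bytes(b"MZ constructed cmd.exe")  # the copy
    (root / "utilman.old").write_bytes(b"MZ original utilman.exe")  # renamed original
    (root / "sethc.exe").write_bytes(b"MZ genuine sethc.exe")
    return str(root)
```

A hash match against cmd.exe only catches a copied cmd.exe; verifying the Authenticode signature of each accessibility binary catches any substitute, not just this one.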

These techniques can be a life saver if you have lost the password to an important system, but they also go to show that strong physical security is needed when securing your systems.

Cross-posted from Cyber Arms

Carmelo I read about this a year ago. It's part of my bag of tricks now. :)

What if the drive is encrypted or has an encrypted folder?
1310219392
Dan Dieterle Thanks for the comment Carmelo.

If the whole drive is encrypted you probably would not be able to modify the files.

But, depending on the encryption type, the System account may have access to decrypt encrypted folders.

On a side note, some encryption types are useless against online Java based attacks though.

I wrote an article a while back called "Drive Encryption Useless Against Some Online Attacks":

https://www.infosecisland.com/blogview/10794-Drive-Encryption-Useless-Against-Some-Online-Attacks.html

1310227936
cliff sull Nice tip. And we were promised better security with Vista or Win7? Pfffft .... I personally use UBCD and a little Admin Pw changer script which can be found readily through Google.
1310239055
Mourad Ben Lakhoua Nice post Dan, but I think that here the problem is not with the Windows operating system but with physical access to your device; it is very important to do your due diligence in protecting physical access. Leaving your laptop alone while you go to order a coffee can risk all your virtual life regardless of which operating system you are using.
1310249095
Brian Lewis Another great tool for this is from Microsoft. It is called "Diagnostic and Recovery Toolset" or DART for short. It not only allows you to change any user's password, it has a variety of other tools. Further, it works on a BitLocker encrypted drive as long as you have the recovery key. http://www.microsoft.com/windows/enterprise/products/mdop/dart.aspx

DART is a for-charge product, but if you have MSDN or TechNet you can get it there. How to download:
http://mythoughtsonit.com/?p=183
1310488764
Dan Dieterle Thanks Cliff, I have not seen that one, I will have to check it out.
1310681422
Dan Dieterle Mourad,

You are 100% correct. Many times physical security is an afterthought. It just takes a few minutes to get access to an unattended system, but only a few seconds to just walk away with it.
1310681676
Dan Dieterle Brian, thanks for the heads up. The DART looks very useful, and not just for password recovery.
1310681864
post anote I really hate overly sensationalized articles like this. They are just designed to get page hits. Congratulations, you were successful.

When a friend sent me this article, I immediately said, OMG, not again. Here we go, someone only telling part of the story.

You took a system you had full control of, that you had full knowledge of the configuration in the first place to exercise this process. That makes the process less valid.

This is nothing new or ingenious or a hack. It is an administrative recovery procedure, that you could have done with normal Windows System recovery Mode, if all you wanted was to recover the password on a system or create a new account.

You could have just as easily used a parallel OS installation (dual boot) and done the same thing.

Actually this would not work on an FDE (full drive encryption) drive; specifically FDE systems that require a PIN to even spin up the drive. FDE systems do not allow file system access until the drive is spun up.

Because you were able to spin up the drive, you already have the file system available.

The fact that you did this with a *NIX based OS has little to do with it. You could have used any OS that would allow you to boot to it from within a dual boot configuration or external media (CD/DVD/USB).

However, if the FDE system requires you to enter credentials of any sort before the file system is accessible, your procedure would fail, unless you already knew the credentials. If you did, then the steps you define here are already moot, because you already have the startup key.

For example:
1 – Try this with your system when you have a BIOS password enabled.
Unless the administrator / attacker knew the BIOS password, your local dual boot / external OS media boot would fail.
But how many people set BIOS passwords?
OK, so the system has a BIOS password. You pop the case, shunt the BIOS, thus erasing the configuration, setting things back to factory default, then do your whole alternate boot thing.
*** Again, you knew the BIOS password, or you had long enough access to the machine to physically open the system ***
But if you can open the system, why mess with the BIOS at all; just pull the drive, stick it into another machine and hack away. Well, that is if the drive you just pulled was not also FDE’d and required a boot password to spin the drive up in order for the file system to be ready for you to modify anything.

2 – Try this with an FDE system with a boot-up PIN/password.
It would fail again, unless you knew the boot-up PIN or knew the recovery key.
If you knew that, again the point is moot.
Now before anyone yells, “what about cold boot attacks / blue pill”, that raised so much noise a while back: this was not an FDE attack, it was a physical RAM memory attack to extract keys to use on the FDE media. So, again the person knew the media key and all bets are off. Then for this whole cold boot thing to work the system would have to be in a specific state. The RAM would still have to be hot (loaded with the last session data) for this to work.

Now it has already been commented that you need to control physical access to sensitive information and devices.
It’s already been commented that Microsoft provides tools (MDOP / MSDART) that allow administrators to do this for recovery reasons. Even if the drive was FDE’d / BitLockered, if the administrator was the KRA (Key Recovery Agent) he / she could spin up the drive and reset what was necessary to restore it to a functioning mode. But again, they could have pulled the drive, stuck it in a running system, entered the FDE PIN and gone to work on it.

So, though I can appreciate wanting to get page hits with sensationally crafted headlines, at least be prudent and thorough enough to fully validate a premise from all known perspectives before slamming the model of any product or approach. Based on the responses you have already given to the earlier posters, you did not exercise all available knowledge about the process you describe before you decided to post this.

I love creativity and I love folks who are into it, but not folks who only go half way.

1310768387
Dan Dieterle @post, I am glad you enjoyed my article.

Actually we knew nothing about the systems that were dropped off in our department other than the old users were gone and no one knew the passwords.

We could not get standard procedures to work on them, they were odd Windows Tablet PCs, so I dusted off an old technique and it worked very well.
1310769318
post anote Cool enough, but you still are doing it on systems in your possession that were never appropriately secured in the first place.
So, basically off the shelf generic OEM builds, or unsecured corporate master builds.

So, for all intents and purposes, your depiction is specifically not a security issue with Windows, as some of the commenters reacted to the context, but simply an administrative approach to recover a system and make it usable again.

Like with the legacy Windows NT Resource Kits (often called the Windows Hackers Toolkit by many in the past), any administrative tool or granted action can be used for good or bad, OS notwithstanding. You have always had the ability to do this to any system that you understood and had access to. I just wish it was prefaced that way.

Administrators and recovery specialists need to be able to get their companies’ / customers’ systems working for them again, and you should use whatever tool works. Your post's language, though, is one that comes off as you hacking the OS to get elevated access (many have taken it that way), and that is simply not the case.

Specifically your statement:

/quote
The funny part is you can type “explorer.exe”, hit enter and you get a System level desktop. From here you can open Internet Explorer, and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background protecting(?) your system.
/quote

A more appropriate title would have been:
“Administrative Tip: I can boot the computer normally, but I don’t have the credentials; what to do? Here’s an option.”
Then highlight in your post that this will only work on systems where you already have full boot access to the OS / file system.

Like I said, you could have just removed the drive, hooked up a USB cable, plugged it into a running system and done the same thing, or leveraged another tool, like what was mentioned by the commenters.

But that title probably would have not gotten you the hits you were after. ;-)

Again, what you demo is not new / news; it has been demo’d by many others on Windows and other systems, where you can get your tool(s) of choice / use your tool of choice on a box in your possession.

What you do highlight, but do not call out, is the reason for more effort by corporations and administrators to make sure they are doing all the right things for their environment, and understand what can happen if they do not.

Had the customer used controls that prevent Alternate OS booting (or other points below), what you demo’d would not work.

From the ground up:
Consider the user experience you want your users to have.
Conveniences will always overrule security, hence the reasons for the Consumerization of IT.
1. Consider a BIOS boot password
2. Consider an FDE PIN based system
3. Consider 2FA for interactive logon
4. With Windows consider domain auth (no cached credentials) for interactive logons
5. With Windows consider do not store LANMAN Hash
6. With Windows consider protect the SAM DB using SYSKEY
7. Consider Require Smartcard for interactive logon.
8. Or a combination of the above.

Just remember, turning that security dial to high is not going to make your users happy.
Turning that security dial to high without a proper recovery (fully and regularly tested) program, you are just asking for trouble.
1310776955
roman czapli The sticky keys trick works perfectly. I also prefer to use PCUnlocker Live CD.
1378190616
jeba raj dude, no need for an external device to find the password.
once you have the command prompt
do the following steps
1. type net users (to find the user name)
2. then type net users "username" * (change the desired password)
simple, that's it, don't follow external device or pc unlocker, that's not cool

if the administrator restricts the new password you can also add a new user using the command prompt and give it administrator rights.
for more contact
jeba1794@gmail.com
1379344428
Justiny Green Actually I lost my Windows 7 password and hoped to remove it, so that I could log in without a password. Finally I used SmartKey Windows Password Recovery to remove the password. Then I can log in to Windows 7 without typing the password. You can Google search "login windows 7 without password smartkey" to know more about it. What do you think of it?
1414054130