How To: Hack Any Windows 7/8/10 User Password Without Logging In

Hello! This is my first post on this awesome website! I know that Windows exploits are less common than the more advanced hacks, but I found something I deem pretty cool and figured why not share it with you all. Alright, enough about me, let's begin.

Warning: This resets the password; it does NOT tell you what the old password was. Because this is a reset rather than a normal password change, things such as Windows' password-based encryption are not updated and become inaccessible.

This exploit takes advantage of the Ease of Access tool on the login page by 'tricking' Windows into launching a fully privileged command prompt when 'On-Screen Keyboard' is selected. This is done by renaming the On-Screen Keyboard exe to something random and renaming cmd.exe to the On-Screen Keyboard's previous name. It will all make sense later.

Step 1: Launch Any OS That Allows Full Access to the Windows Folders

In this case, I am going to be using Kali, although you can use many different Linux distros or even a Windows disk/USB. As long as you can access the terminal/command prompt, you're good.

Step 2: Navigate to Sys32

I'm going to assume you know basic navigation and are able to navigate to the Windows partition.

In my case, I'm currently writing this on my laptop rather than my desktop, so my Windows is known as BOOTCAMP, as I am on a MacBook with Windows dual booted.

Once you reach this location, cd to Windows, then to System32.

Step 3: Rename osk.exe to osk.exe.old

osk.exe is the name of the Ease of Access 'On-Screen Keyboard' file. Rename this using whatever your system's rename command is; in Kali the command would be: mv osk.exe osk.exe.old

Step 4: Rename cmd.exe to osk.exe

Now I'm sure you see how this works, but I'll explain it anyway. Basically, when you press 'On-Screen Keyboard' in the Ease of Access menu, Windows launches osk.exe, which normally is the on-screen keyboard application. But we changed it to launch cmd instead. Like magic.

Command: <system rename command> cmd.exe osk.exe
Kali: mv cmd.exe osk.exe

Step 5: Launch Windows and Select 'on Screen Keyboard' in Ease of Access Menu

I found this picture off of the interwebs, but what you normally see should be something like this. After going through all the steps above, you should instead see a command prompt.

Sorry for crappy picture, couldn't find how to take screen shot on login menu.

Step 6: Resetting the Password

Now you can type in the magical command to change the password.

The Command: net user <USERNAME in quotes> <PASSWORD>
Example: net user "Admin" temppass

If you don't know the username, type in net user and locate it there.


Step 7: Finished! You Can Log In Now!

Voilà, you can now log in with whatever password you typed in. If you want to undo the change, simply go back to Kali and reverse what you've done: rename osk.exe to cmd.exe and rename osk.exe.old to osk.exe.

Well, that's it for my first post! I came across this exploit a while ago and found that it still works, so I don't know how common this is or anything like that. Hopefully it's not too popular and to many this article is something new! Well, enjoy!
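For anyone checking a machine for this change, here is an added example (not part of the original post) that audits a System32 directory, for instance on a Windows partition mounted read-only from a live Linux session. The function names and the placeholder sample files are constructed for illustration; only osk.exe, cmd.exe and osk.exe.old come from the steps above.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_system32(system32):
    """Return findings that point to the osk.exe/cmd.exe rename described above."""
    # NTFS names are case-insensitive; a Linux mount can show any casing.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    osk, cmd, old = (files.get(n) for n in ("osk.exe", "cmd.exe", "osk.exe.old"))
    findings = []
    if old is not None:
        findings.append("osk.exe.old present: the keyboard binary was renamed")
    if cmd is None:
        findings.append("cmd.exe missing: it may have been renamed to osk.exe")
    if osk is None:
        findings.append("osk.exe missing")
    elif cmd is not None and sha256(osk) == sha256(cmd):
        findings.append("osk.exe is byte-identical to cmd.exe (copied, not renamed)")
    return findings


def build_sample(root, tampered):
    """Create a constructed stand-in for System32 with placeholder file contents."""
    d = Path(root) / ("tampered" if tampered else "clean")
    d.mkdir()
    (d / "cmd.exe").write_bytes(b"constructed cmd placeholder")
    (d / "osk.exe").write_bytes(b"constructed osk placeholder")
    if tampered:  # the two renames from Steps 3 and 4
        (d / "osk.exe").rename(d / "osk.exe.old")
        (d / "cmd.exe").rename(d / "osk.exe")
    return d


def demo():
    with tempfile.TemporaryDirectory() as root:
        return (audit_system32(build_sample(root, False)),
                audit_system32(build_sample(root, True)))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean)
    print("tampered:", tampered)
```

On a real system, point audit_system32 at the mounted Windows/System32 path; an empty list means none of these three indicators were found, not that the binaries are otherwise unmodified.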


6 Comments

This is a pretty old workaround but it is indeed useful and worth mentioning. Although it is notable that not everyone runs Windows dual-booted on a Macbook, making this particular method not consistently effective. There are methods involving using an installation disk, and cutting-off power during boot — these are more conventional and widely established. Nevertheless, thanks for sharing.

Oh, and welcome to Null-Byte :)

Thank you! Well, I did not mean for it to come across as this requiring to be dual booted. I just happened to be dual booted on this computer. It can be accomplished by plugging in a USB with a live booted OS or a Windows installation USB/disk in any Windows running PC.

There is already another tutorial by @CyberHitchHiker

This is his tutorial. Link. Thanks for sharing nevertheless.

Ah. Wow. I started writing this late last night and didn't even think to check if someone else had posted it. Feel so stupid. I'll be sure to check if I write another post sometime, thanks.

Whenever I try to do it it says it's a read-only file system

Tools like hackers include the Ophcrack, Kon-Boot and John the Ripper; any tools of them can be used to hack Windows password without logging.
