Password reset accessibility hack


You’ve forgotten your Windows password. What now?

(Part two of Three ways to recover from a forgotten Windows password.)

Hack to reset your password(s)…


Windows provides accessibility tools at the login screen when the user presses the Shift key five times. Behind the scenes, at least two programs run when this happens: utilman.exe and sethc.exe. If we could replace either of these with the command line program, we could run commands before logging in. If one of those commands reset a user’s password, we’d gain easy access. The downside is that you will not be able to access files encrypted by EFS.

Hack to reset your password

You will need a Windows installation disc for this.

Boot from the installation disc and, instead of installing Windows, choose the ‘Repair your computer’ option. Use the default option of ‘Use recovery tools’ and choose ‘Command Prompt’ from the following screen.

Decide which file you want to ‘hijack’: utilman.exe or sethc.exe. We’ll use sethc.exe.

Type the following to make a backup of the file and replace it with the command line program:

copy c:\Windows\System32\sethc.exe c:\
copy c:\Windows\System32\cmd.exe c:\Windows\System32\sethc.exe

Click the Restart button on the System Recovery Options window and wait for the login screen to appear.

At this stage you have replaced one of the programs that is called by the accessibility system with a command prompt. When the login screen loads press the Shift key five times and Sticky Keys will load as expected. And so will a command prompt. The following commands will help grant you access to the system:

List users

net user

Change Fred’s password to qwerty123

net user Fred qwerty123

Add a user called Wilma and make her password asdfgh098

net user Wilma asdfgh098 /add
net localgroup Administrators Wilma /add

You’ll need to restart if you want to log in as a newly-created user.

You may wish to restore sethc.exe. Open the command prompt and type:

copy c:\sethc.exe c:\Windows\System32\sethc.exe
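
To check a machine (or a mounted disk image) for this swap, the following added example, which is not part of the original article, hashes sethc.exe and utilman.exe, compares them with cmd.exe, and looks for the backup copy that the steps above leave in the drive root. The function name audit and its volume-root argument are this example's own choices.

```python
"""Added example: detect the accessibility-binary swap described above."""
import hashlib
from pathlib import Path

TARGETS = ("sethc.exe", "utilman.exe")  # programs the article names
SHELLS = ("cmd.exe",)                   # what the article copies over them


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(volume_root: str) -> list[str]:
    """Return findings for a live or mounted Windows volume, e.g. 'C:/'."""
    root = Path(volume_root)
    sys32 = root / "Windows" / "System32"
    # Hash the shell(s) once, then compare each accessibility binary to them.
    shell_hashes = {
        sha256(sys32 / s): s for s in SHELLS if (sys32 / s).is_file()
    }
    findings = []
    for name in TARGETS:
        target = sys32 / name
        if not target.is_file():
            findings.append(f"{name}: missing from System32")
        elif (match := shell_hashes.get(sha256(target))):
            findings.append(f"{name}: byte-identical to {match}")
        # The procedure copies the original binary to the volume root first.
        if (root / name).is_file():
            findings.append(f"{name}: stray copy in volume root")
    return findings


if __name__ == "__main__":
    import sys
    for line in audit(sys.argv[1] if len(sys.argv) > 1 else "C:/"):
        print("FINDING", line)
```

An empty result means neither binary matches cmd.exe and no backup copy sits in the drive root; it does not cover other ways of changing what the accessibility shortcut launches.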
