Wednesday, 18 March 2015

Password reset accessibility hack

(Part two of Three ways to recover from a forgotten Windows password)

You've forgotten your Windows password. What now?

Windows provides accessibility tools at the login screen when the user pressing the Shift key five times. Behind the scenes at least two programs run when this happens. These are utilman.exe and sethc.exe. If we could replace either of these with the command line then we could run commands before logging in. If one of those commands was to reset a user’s password we’d gain easy access. The downside is you will not be able to access files encrypted by EFS.

You will need a Windows installation disc for this.

Boot from the installation disk and, instead of installing Windows, choose the ‘Repair your computer’ option. Use the default option of ‘Use recovery tools’ and choose ‘Command Prompt’ from the following screen.

Decide which file you want to 'hijack': utilman.exe or sethc.exe. We’ll use sethc.exe.

Type the following to back a backup of the file and replace it with the command line program:
copy c:\Windows\System32\sethc.exe c:\
copy c:\ Windows\System32\cmd.exe c:\ Windows\System32\sethc.exe
Click the Restart button on the System Recovery Options window and wait for the login screen to appear.

At this stage you have replaced one of the programs that is called by the accessibility system with a command prompt. When the login screen loads press the Shift key five times and Sticky Keys will load as expected. And so will a command prompt. The following commands will help grant you access to the system:

List users
net user

Change Fred’s password to qwerty123
net user Fred qwerty123

Add a user called Wilma and make her password asdfgh098
net user Wilma asdfgh098 /add
net localgroup Administrators Wilma /add 

You’ll need to restart if you want to log in as a newly-created user.

You may wish to restore sethc.exe. Open the command prompt and type:
copy c:\sethc.exe c:\Windows\System32\sethc.exe