Have you ever run into a situation where you didn't know the local administrator account name or password on a Windows machine? If you work in an enterprise environment the answer is probably yes. As much as we try to manage the local administrator account, there will always be room for error. Whether it's a failed group policy setting, a locked-out account, or a password that was manually changed, this is something every system administrator will eventually encounter.
Here is an easy hack that allows you to find and reset the local administrator account password, or simply create a new local account, on Windows 7/2008 R2 machines. It does not require any special software or tools. As long as you can come up with bootable Windows media you will be able to perform this hack.
What if you are an admin who wants to prevent this hack? That is a great question! I will address this at the end of this post.
Disclaimer: If done incorrectly this hack could leave your machine in an unstable state. Only test on lab or other non-production machines.
How to Hack Windows
- Power down the workstation or server.
- Insert bootable Windows 8.1 OEM USB media. If you are working on a virtual machine, attach the ISO instead.
Note: This will work with any USB or CD/DVD bootable Windows 7/2008 R2 or greater media.
- Power up and boot to your USB boot media.
- On the Windows 8 setup screen, click Next.
Note: Steps 4-8 could also be completed by using the Shift + F10 keyboard shortcut.
- Click Repair your computer.
- Click Troubleshoot.
- Click Advanced options.
- Click Command Prompt.
Note: This will open a command prompt in the recovery environment.
- Type in regedit and press Enter to bring up the Registry Editor.
- Click on HKEY_LOCAL_MACHINE, then from the menu click File, Load Hive.
- Browse to the system drive and navigate to Windows\System32\config (the drive letter may vary).
- Select Software and click Open. This will open the Software hive from your Windows media.
- Enter a name for this hive (name it anything you will remember), then click OK.
- Navigate to HKLM\<hive name you entered in the previous step>\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Create a new registry key called utilman.exe
- Inside the utilman.exe key, create a new String value named debugger. Give it a value of cmd.exe
Note: utilman.exe is the Windows Ease of Access utility. Once the registry key and string value above are created, launching the Ease of Access utility will start the configured debugger, cmd.exe, instead.
- Exit the Registry Editor and shut down the machine.
- Power up and let the machine boot normally.
- On the Windows logon screen, click the Ease of Access button (Windows key + U) in the lower left corner.
- This will bring up a command prompt.
- Type in whoami and notice you are running as SYSTEM.
Change an existing user account password
- Enter the following command to get a list of all local user accounts.
- Enter the following command to reset the administrator account password to p@ssw0rd
net user administrator p@ssw0rd
Create a new administrator user account
- Enter the following command to create a new user account called johnyfive with a password of p@ssw0rd
net user johnyfive p@ssw0rd /add
- Enter the following command to add the user johnyfive to the local administrators group
net localgroup Administrators johnyfive /add
Note: For other net user commands, please see TechNet's net user page.
How to prevent this hack on your workstations or servers
Here are some steps you can take to better safeguard your workstations and servers from this sort of Windows hack. I won't go into detail, as each of these steps is pretty straightforward.
- Restrict physical access to the machine
- Encrypt the system drive
- Configure a BIOS password
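If you are on the defending side, the Image File Execution Options entry described in the steps above is also something you can audit for. The following PowerShell script is an added example, not part of the original post: it checks whether utilman.exe has a Debugger redirection in IFEO, optionally removes it, and reports whether the system drive is BitLocker-protected (one of the mitigations listed above). It assumes it is run from an elevated PowerShell session on the machine being checked; the -Remediate switch and the Test-IfeoDebugger function name are my own.

```powershell
# Added example (not from the original post): audit the IFEO key that the
# utilman.exe hack relies on and optionally remove a Debugger hijack.
# Assumes an elevated PowerShell session on the machine being checked.
param(
    [switch]$Remediate   # hypothetical switch: remove the Debugger value if found
)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$target   = 'utilman.exe'          # the binary the post's steps modify
$keyPath  = Join-Path $ifeoRoot $target

function Test-IfeoDebugger {
    # Returns whether the IFEO key exists and what its Debugger value is, if any.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Present = $false; Debugger = $null }
    }
    $debugger = (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).Debugger
    [pscustomobject]@{ Key = $Path; Present = $true; Debugger = $debugger }
}

$result = Test-IfeoDebugger -Path $keyPath
if (-not $result.Present) {
    Write-Output "OK: no IFEO key exists for $target."
} elseif ([string]::IsNullOrEmpty($result.Debugger)) {
    Write-Output "INFO: IFEO key for $target exists but has no Debugger value."
} else {
    # Any Debugger value on an accessibility binary deserves a look; cmd.exe is the
    # case from the post, but any unexpected path should be investigated.
    Write-Warning "ALERT: $target is redirected to '$($result.Debugger)' via IFEO Debugger."
    if ($Remediate) {
        Remove-ItemProperty -LiteralPath $keyPath -Name Debugger
        Write-Output "Removed Debugger value from $keyPath."
    } else {
        Write-Output "Re-run with -Remediate to remove the Debugger value."
    }
}

# Mitigation check: is the system drive encrypted? Get-BitLockerVolume ships with
# the BitLocker module on Windows 8 / Server 2012 and later, so skip if absent.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Write-Output ("System drive {0} BitLocker protection: {1}" -f $env:SystemDrive, $vol.ProtectionStatus)
} else {
    Write-Output "BitLocker cmdlets not available; check drive encryption status manually."
}
```

Running this periodically (or from a login script) turns the post's registry change into a detectable event rather than a silent one; the Debugger value is the thing to alert on.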