illmob.org

Change your password with sticky keys

August 18th, 2010 by admin in Privilege Escalation, windows

Forgot the administrator password? There are many ways to access a Windows installation if you forgot the administrator password. Today I’ll show you another procedure to reset the Windows password by replacing the Sticky Keys application. This program allows you to use the function keys SHIFT, CTRL, ALT, or the Windows key by typing one key after the other instead of pressing them simultaneously with the second key. The main advantage of this password reset method is that you don’t need third-party software; another plus is that it is easy to carry out because no Registry hack is required, as when you offline enable the built-in administrator.

Please note that resetting the password from an account other than the corresponding user account always means that the user loses the credentials stored in the Windows Vault, stored Internet Explorer passwords, and files that you encrypted with the Encrypting File System (EFS). Of course, if you have a backup of these credentials, you can restore them; likewise, if you have exported the private EFS key, you can import it again after you have reset the password.

Like with all other solutions that allow you to reset the Windows password without having an account on the corresponding computer, you have to boot from a second operating system and access the Windows installation while it is offline.

You can do this with a bootable Windows PE USB stick or by using Windows RE. You can start Windows RE by booting the Windows Vista or Windows 7 setup DVD and then selecting “Repair” instead of “Install Windows.”

By the way, you can’t use the Windows XP boot CD for this purpose because its Recovery Console will ask for a password for the offline installation. However, you can use a Vista or Windows 7 DVD to reset a forgotten Windows administrator password on Windows XP.

This works because Windows RE, which is based on Vista or Windows 7, will let you launch a command prompt with access to an offline installation without requiring a password.

To reset a forgotten administrator password, follow these steps:

  1. Boot from Windows PE or Windows RE and access the command prompt.
  2. Find the drive letter of the partition where Windows is installed. In Vista and Windows XP it is usually C:; in Windows 7 it is D: in most cases, because the first partition holds Startup Repair. To find the drive letter, type C: (or D:, respectively) and look for the Windows folder. Note that Windows PE (RE) itself usually resides on X:.
  3. Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):
    copy c:\windows\system32\sethc.exe c:\
    This creates a copy of sethc.exe to restore later.
  4. Type this command to replace sethc.exe with cmd.exe:
    copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
  5. Reboot your computer and start the Windows installation where you forgot the administrator password.
  6. After you see the logon screen, press the SHIFT key five times.
  7. You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):
    net user your_user_name new_password
    If you don’t know your user name, just type net user to list the available user names.
  8. You can now log on with the new password.

I recommend that you then restore sethc.exe from the copy you stored in the root folder of your system drive in step 3; otherwise anyone at the logon screen can still open that command prompt without a password. For this, you have to boot up again with Windows PE or RE because you can’t replace system files while the Windows installation is online.
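A defender-side check for the swap described above, added here as an example (it is not part of the original post or of 4sysops’ write-up): it flags any accessibility helper in a System32 directory whose bytes are identical to cmd.exe, which is exactly what the copy /y in step 4 produces. The directory path and file contents used in demo() are constructed; on a real machine you would point it at C:\Windows\System32.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_accessibility_binaries(system32, candidates=("sethc.exe",)):
    """Return the names of accessibility helpers whose content matches cmd.exe.

    A byte-identical match is the fingerprint of the 'copy /y cmd.exe sethc.exe'
    step from the post. Other helpers launched from the logon screen can be
    added to `candidates`; sethc.exe is the one the post covers.
    """
    cmd_hash = sha256_of(os.path.join(system32, "cmd.exe"))
    swapped = []
    for name in candidates:
        path = os.path.join(system32, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            swapped.append(name)
    return swapped


def demo():
    """Build a constructed System32 look-alike in a temp dir, perform the swap
    from step 4, and return the findings before and after it."""
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "cmd.exe")
        sethc = os.path.join(d, "sethc.exe")
        # Constructed placeholder contents; real binaries are not needed.
        with open(cmd, "wb") as f:
            f.write(b"constructed cmd.exe bytes")
        with open(sethc, "wb") as f:
            f.write(b"constructed sethc.exe bytes")
        before = find_swapped_accessibility_binaries(d)
        # Equivalent of step 4: overwrite sethc.exe with cmd.exe.
        with open(cmd, "rb") as src, open(sethc, "wb") as dst:
            dst.write(src.read())
        after = find_swapped_accessibility_binaries(d)
    return before, after
```

Run on a live system, a non-empty result means the helper has been replaced and should be restored from install media or the backup copy from step 3.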

Via: 4sysops.com

4 Responses to 'Change your password with sticky keys'


  1. Simon said,

    on September 13th, 2010 at 6:34 am

    Very nice!

  2. jas said,

    on September 16th, 2010 at 5:21 am

    Oh yeah! I never had luck with a bootable CD or USB; the sticky keys trick worked in minutes.

  3. raman said,

    on October 7th, 2011 at 11:16 am

    Can you tell me how to hack a Windows admin password when we have these conditions:
    1. only one standard account 2. no CD for boot 3. no permissions for copy/paste 4. no built-in admin account 5. no permissions to install

  4. jason said,

    on June 23rd, 2012 at 2:02 am

    When I try to replace the sethc.exe file, it says “Access Denied”. Please help… 🙁
