Forgot the administrator password? The Sticky Keys trick

[s1k3sT]

I believe this is the original source for this info; please correct me if I'm wrong. I don't claim to have came up with the idea, just wanted to share because I thought people on Neowin would be interested in this sorta thing. I used it this morning for a x64 7 install and it worked great.

Forgot the administrator password? There are many ways to access a Windows installation if you forgot the administrator password. Today I’ll show you another procedure to reset the Windows password by replacing the Sticky Keys application. This program allows you to use the function keys SHIFT, CTRL, ALT, or the Windows key by typing one key after the other instead of pressing them simultaneously with the second key. The main advantage of this password reset method is that you don’t need third-party software; another plus is that it is easy to carry out because no Registry hack is required, as when you offline enable the built-in administrator.

Please note that resetting the password from an account other than the corresponding user account always means that the user loses the credentials stored in the Windows Vault, stored Internet Explorer passwords, and files that you encrypted with the Encrypting File System (EFS). Of course, if you have a backup of these credentials, you can restore them; likewise, if you have exported the private EFS key, you can import it again after you have reset the password.

Like with all other solutions that allow you to reset the Windows password without having an account on the corresponding computer, you have to boot from a second operating system and access the Windows installation while it is offline.

You can do this with a bootable Windows PE USB stick or by using Windows RE. You can start Windows RE by booting the Windows Vista or Windows 7 setup DVD and then selecting “Repair” instead of “Install Windows.”

By the way, you can’t use the Windows XP boot CD for this purpose because its Recovery Console will ask for a password for the offline installation. However, you can use a Vista or Windows 7 DVD to reset a forgotten Windows administrator password on Windows XP.

This works because Windows RE, which is based on Vista or Windows 7, will let you launch a command prompt with access to an offline installation without requiring a password.

If you're changing the password on a 32bit install you need a 32 bit RE, if you're changing the password on a 64bit install you need a 64bit RE.

To access Windows RE when booting from a vista or 7 install disc choose the repair computer option instead of install now at the second prompt, then select the windows install you're working on, then select command prompt. This link explains it in detail.

You can also create a system repair disc to boot into a RE, to do this Click Start, All Programs, Maintenance, Create a System Repair Disc; Insert a CD/DVD into the drive and press Create disc. More here. It should work when using a different computer, but the size of the internal register has to be the same (32bit/64bit).

To reset a forgotten administrator password, follow these steps:

1.Boot into Windows PE or Windows RE and access the command prompt. If you don't know how to do this refer this link or this link or a few lines up.

2.Find the drive letter of the partition where Windows is installed. In Vista and Windows XP, it is usually C:, in Windows 7, it is D: in most cases because the first partition contains Startup Repair. To find the drive letter, type C: (or D:, respectively) and search for the Windows folder. Note that Windows PE (RE) usually resides on X:.

3.Type the following command (replace “c:” with the correct drive letter if Windows is not located on C:):

copy c:\windows\system32\sethc.exe c:\

This creates a copy of sethc.exe to restore later.

4.Type this command to replace sethc.exe with cmd.exe:

copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

5.Reboot your computer and start the Windows installation where you forgot the administrator password.

6.After you see the logon screen, press the SHIFT key five times.

7.You should see a command prompt where you can enter the following command to reset the Windows password (see screenshot above):

net user you_user_name new_password

If you don’t know your user name, just type net user to list the available user names.

8.You can now log on with the new password.

I recommend that you replace sethc.exe with the copy you stored in the root folder of your system drive in step 3. For this, you have to boot up again with Windows PE or RE because you can’t replace system files while the Windows installation is online. Then you have to enter this command:

copy /y c:\sethc.exe c:\windows\system32\sethc.exe

I made a pdf, in case anyone is interested.

[farmeunit]

http://pogostick.net/~pnh/ntpasswd/ - Offline NT Password & Registry Editor works well also.

[s1k3sT]

http://pogostick.net/~pnh/ntpasswd/ - Offline NT Password & Registry Editor works well also.

That was my first pick, but when I couldn't figure it out (or it wasn't working; probably the former) I decided to examine my other options and found this.

[s1k3sT]

BTW, the computer I used this on wasn't set to use ctrl+alt+del to logon; so it works with the default logon too.

The computer I used this on was set to automatically logon so I could still use it anyway. As soon I finished clicking the reboot button after disabling autologon (needed to get to logon screen) I realized what I would have to do if this didn't work...

Guess I could have logged out now that I think about it.

[boogerjones]

Very disappointed to find out that the "Sticky Keys Trick" involves booting a second operating system and modifying system files. Thumbs down.

[s1k3sT]

Very disappointed to find out that the "Sticky Keys Trick" involves booting a second operating system and modifying system files. Thumbs down.

All that's used is the windows 7 install disc; not really a "second operating system" imo...

After booting from a windows vista or 7 disc there is an option (I think it's the second one, right after language) that says "Install Now"; below it and to the left is an option that says something about repair, choose that then select your windows install, then choose command prompt. This link explains it in detail; in fact I will probably add it here so it's more comprehensive. There's also the possibility of using a already working copy of windows (has to have the same internal register size as the target windows install;32bit/64bit) to create a system repair disc that does the same thing.

"Modifying system files"? Which file is modified during this process?

[Angel Blue01]

Hmm, good ideas here. There's a system at work where someone set the administrator password but forgot what it was and never told IT. Thanks!

[farmeunit]

KonBoot is another option, but it isn't free. Not real expensive though. I have never been able to get v1.0 to boot right though. Haven't tried v1.1.

[Holey]

Ophcrack live CD - very easy to use and will tell you what the password is

[B0ws3r]

That was my first pick, but when I couldn't figure it out (or it wasn't working; probably the former) I decided to examine my other options and found this.

You have to double-check to make sure you get the right release. Older releases couldn't read passwords on Vista and 7 systems due to differences in how passwords were hashed in comparison to XP.

[s1k3sT]

You have to double-check to make sure you get the right release. Older releases couldn't read passwords on Vista and 7 systems due to differences in how passwords were hashed in comparison to XP.

I'm pretty sure I used the latest version, unless I downloaded the wrong one somehow...

Either way, I think this method is awesome because all it requires is a working install of vista/7 or a vista/7 install disc; no third party tools needed.

[Alise]

I think you need Windows Password Key. It has solved 100000 users of that problem in one year.Hope it can help you.

[Raa]

KonBoot is another option, but it isn't free. Not real expensive though. I have never been able to get v1.0 to boot right though. Haven't tried v1.1.

It's still free last I checked?

[farmeunit]

It's still free last I checked?

Kryptos Logic took it over and they charge $14.99 for 1.1.

1.0 is still available for free.

There is a link to the new version on the original site, but the archive is password protected.

[Andrew Lyle Global Moderator]

I like that there is an alternative method to do this, but a simple bootable CD that removes the password does the trick for me :)

[humble3d]

Many Thanks... I do need to learn this... :yes:

[+Warwagon MVC]

http://pogostick.net/~pnh/ntpasswd/ - Offline NT Password & Registry Editor works well also.

Yep, Just burn a copy and keep it in your collection. if you know to use the software you can have a windows password cleared out in about 20 - 30 seconds.

[Mando]

Yep, Just burn a copy and keep it in your collection. if you know to use the software you can have a windows password cleared out in about 20 - 30 seconds.

+1 to Offline NT Password & reg editor, used it on local admin accounts on W2k server,w2k3 server (+R2) 2kpro, XP, Win vista and Win7 with great success. kept as an ISO on my rescue USB stick. Also have it as a boot CD in the firesafe in the server room (for times when we need to wipe local admin due to external companies not disclosing it when refurbs come in)