Lost the administrator password? Break into Windows

Alex Mags

2015-01-20

If you come across a machine that has disconnected from the domain, and you don’t have a system to recover the local administrator password, you’ll need to break in. If you have physical access to the machine, and can access the OS files from another OS (disk is not encrypted), then you can make offline changes to Windows. Boot into your Windows Preinstallation Environment (WinPE), typically used for OS deployment. See Microsoft Deployment Toolkit. Your OS deployment WinPE will have the required hardware drivers for your storage controller so you can access the OS files on disk. In WinPE, break out to a command prompt (usually F8, unless this was disabled when building the WinPE image). From here you can recover any data you need to get from the machine, or use one of the following tricks to reset the local administrator password. For Windows 7 swap the sticky keys accessibility tool for cmd.exe:```

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe /y

Boot to Windows and bash SHIFT a few times. Instead of the sticky keys tool you get a command prompt running as SYSTEM. From here you can reset the local administrator password

net user administrator NewPassword!

Undo this change using Windows System File Checker which will detect the change a repair it

sfc.exe /scannow

This not a new trick. This is why we have physical security (servers locked in server rooms), we’re manage administrative access to VMs and the virtual disks on filers.

You can protect against offline attacks using using disk encryption like Windows BitLocker (essential on laptops that get left in taxis).

Here’s something similar for Windows Server 2012: Deployment Research > Research - Reset the Domain Admin password in Windows Server 2012 R2.

Find more IT Infrastructure tips at blog.alexmags.com