• JVH Consulting
• August 29, 2018
• 0

Resetting local Admin password for any Windows machine.

It’s kinda crazy how easy it is to crack a user’s workstation without ever logging onto the machine.  It really means we should keep track of our local Admin passwords on our workstations and servers and after that lock down the BIOS so no one can re-arrange the boot order to be able to boot off a USB stick.  When I worked at Microsoft, we developed a secured workstation that severely locked down the BIOS such that only the hard drive could boot – the key here was putting a password in the BIOS to prevent unauthorized changes.

However, there is at times a need to crack/reset the local Admin account password.  This happened to me this week when I took over a client from another colleague of mine but the passwords for the Admin accounts were lost and since the users were just users (not admins) they couldn’t install anything nor make any system changes.

This procedure is out on the web too but thought I’d add my two cents.

Prerequisites:
1.  Bootable USB stick – with Windows OS install or something else that will at least get you to a cmd prompt.
2.  Access to BIOS to change boot order and allow USB to boot first prior to Operating System.

Setup BIOS to boot from USB first:
1.  Boot up computer/server and use whatever Function keys to access the Bios.
2.  Change menu option till you select BOOT.  Then use keys to move USB boot to top of the line.
3.  Save and reboot computer.

Change SETHC application to open cmd.exe application:
1.  Insert bootable USB tool into port in computer.
2.  System should select USB to boot first – if it didn’t try again and if still not, recheck BIOS settings to ensure Boot order has right USB set at top.
3.  When setup screen comes up from USB, hit Shift+F10 to open cmd.exe prompt.
4.  Locate the Drive C: or whichever drive letter has the operating system on it.
5.  Change directories to get to c:\windows\system32 directory.
6.  Type: copy c:\windows\system32\sethc.exe c:\sethc.exe  * Note this makes a copy of executable file so you can copy it back after procedure is done.
7. Type: Copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe – This copies cmd prompt exe on top of sethc.exe (sticky keys application).
8. Reboot computer and remove USB from computer.

Change Admin Password:
1. At logon screen of computer, hit the Shift key a bunch of times, sometimes holding it down will do the same.   The result will be a cmd.exe prompt running under the system context which gives access to reset passwords and do a host of other things.
2. To look for users type:  net user  – this will dump out list of users.
3. To reset password for say Admin account type:  net user Admin password (substitute password for the real password.  Should get a result of completed successfully.
4. Make sure the account you just reset password is active, to check type: net user Admin – it will show full status of account – look for attribute: Active  – if says No… then you need to activate/enable it in order to use it.
5.  To make active: net user Admin /Active:yes;  Then check attributes again to ensure it’s active.
6.  Now you can reboot back and access the machine using the admin account with password you just set,  but you also have to go back with the USB utility to change the exe of sethc.exe back to it’s original function.

Reset System back to normal:
1. Reboot computer with USB inserted.
2. At setup screen, hit Shift+F10 to open cmd.exe prompt.
3. Change directory to c:\windows\system32
4. type: Copy c:\sethc.exe c:\windows\system32\sethc.exe  – This returns original sethc.exe to copy over cmd application named sethc.exe.
5.  exit and reboot computer and go back into BIOS to change boot order again to where Drive is primary (or whatever you would like).

Thanks.