Recently a family member brought me their laptop. They had forgotten the password and, like so many other people, had never unlocked the Administrator account. I have tried many of the free downloadable crack programs in the past and never had much luck. This time I decided to see if Microsoft had ever patched the Repair Boot Menu Exploit, and I was happy to find that they had not. There are many, many additional ways of doing this. Now, I am going to share some of the sage wisdom with you.
Disclaimer: I do not support or endorse these steps being taken to illegally gain access to any computer that you do not own or have the authority to gain access to.
This will not recover the old password. This is not a crack or a literal hack; it is a backdoor.
Also, do this at your own risk. You will be modifying system files, and this should be left to experienced professionals. If you have encrypted files or folders, or programs that encrypt themselves using the account's encryption key, you will lose access to them.
Additionally, this will not work on any future versions of Windows.
So, let’s get started.
Turn on the computer from a completely powered-off state. When the first boot screen comes up, but before the Windows startup logo arrives on screen, begin pressing the “F8” key repeatedly (if this is a laptop, you may also need to hold down the function key). You should now see the “Advanced Boot Options” menu (if Windows begins to boot, you have failed and need to start over).
Select the option for ‘Start Windows Normally’ and then quickly power down the computer by holding down the power button or pulling the plug, whichever works for you. The important part is that Windows attempts to boot from this menu and fails.
Turn the computer back on. You should, if the previous steps were completed properly, be faced with the “Windows Error Recovery” Menu. Select the option to ‘Launch Startup Repair (Recommended)’ and let it start checking for problems. After a couple of minutes (1-5), depending on the system speed, you should receive a prompt asking if you want to restore the system to an earlier point in time. Hit “Cancel” and let the scan continue.
Step 3 (The Slightly Tedious Part)
Now for the waiting game. The scan can take anywhere up to 20 minutes or more to let you know that it can’t help you. What you need to do then is select the option to “View Problem Details”. Scroll down to the bottom of the report box and click on the link that begins with “X:\windows\….”. This will open up a text editor with the full report displayed.
Now for the part that some people find tricky. We don’t care about the report; this has all been done to get us to where we can access the file management options that are available when opening a file. From the menu bar at the top of the window, select ‘File’ and then ‘Open’ (we are not going to actually open a file). In the ‘Open File’ dialog box, make your way to the “System32” folder (typically C:\windows\system32\). Once there, change the file type from “Text Documents (*.txt)” to “All Files”.
You should now be viewing the complete list of files in the System32 directory. Find the file named “sethc”. This is meant to activate the Sticky Keys menu when you hit the same key too many times. We need to rename it; I generally change it to “change me back to sethc” so that it is easy to find and change back later.
Once that file name is changed, we will need to find the “cmd” file and change its name to “sethc”. Once those steps are completed, we are done here. Turn off the computer.
Turn the computer back on and let it boot up to the Windows sign-in page normally. Don’t try to sign in yet, as you have not yet changed the password. Simply hit the ‘Shift’ key 5 times fast and, like magic, a Command Prompt window will appear.
Now you have a couple of options. First, you can reactivate the “Administrator” account by typing <net user administrator /active:yes> and then change the password on it by typing <net user administrator *>; this will prompt you to enter and re-enter a new password. Once you restart the computer again you will be able to sign in as the administrator account and have full control over any accounts on the system, including changing the passwords.
The second option is to simply change the password on the account you are trying to get back into by typing <net user [USERNAME] *> and following the prompts to change the password.
-=-=-=-=-=-=Done! You can now sign in using the new password.=-=-=-=-=-=-
Now there are other alternatives out there that involve using Linux Live boot CDs or flash drives, but this is the simplest way I have found that doesn’t require anything but the computer you are trying to change the password on. One more word of advice is to never pay for one of those password reset tools; they are a waste of money.
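From the defender's side, the rename described in the steps above leaves traces that can be checked in a System32 directory, either live or from a mounted disk image. The following is an added example, not part of the original post; the function names and the constructed sample files are assumptions, and it assumes the binary's version resource carries an OriginalFilename string.

```python
import tempfile
from pathlib import Path

KEY = "OriginalFilename".encode("utf-16-le")  # key inside a PE version resource

def original_filename(data: bytes):
    """Return the OriginalFilename value embedded in a PE file, or None."""
    pos = data.find(KEY)
    if pos < 0:
        return None
    pos += len(KEY)
    while data[pos:pos + 2] == b"\x00\x00":  # skip NUL terminator and padding
        pos += 2
    end = pos
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace") or None

def check_sethc(system32: Path):
    """List indicators that sethc.exe in this directory was swapped for cmd.exe."""
    findings = []
    names = {p.name.lower(): p for p in system32.iterdir() if p.is_file()}
    sethc, cmd = names.get("sethc.exe"), names.get("cmd.exe")
    if cmd is None:
        findings.append("cmd.exe is missing (renamed away?)")
    if sethc is None:
        findings.append("sethc.exe is missing")
    else:
        data = sethc.read_bytes()
        orig = original_filename(data)
        if orig and orig.lower().startswith("cmd"):
            findings.append(f"sethc.exe has OriginalFilename {orig!r}")
        if cmd and data == cmd.read_bytes():
            findings.append("sethc.exe is byte-identical to cmd.exe")
    for name in names:  # leftover of the renamed original, e.g. the post's name
        if "sethc" in name and name != "sethc.exe":
            findings.append(f"possible renamed original: {name}")
    return findings

def demo():
    """Constructed sample: a fake System32 laid out as the steps above leave it."""
    fake_cmd = b"MZ" + KEY + b"\x00\x00\x00\x00" + "Cmd.Exe".encode("utf-16-le") + b"\x00\x00"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sethc.exe").write_bytes(fake_cmd)
        (root / "change me back to sethc.exe").write_bytes(b"MZ stock")
        return check_sethc(root)
```

An empty result from check_sethc means none of these indicators were found in that directory.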