I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?
Well, there seems to be a couple utilities out there that claim to allow you to do this. We tried a Linux Live-CD based, one that was supposed to allow you to change any Windows password. But it didn’t work.
I even tried Kon-Boot, both the CD based and USB flash drive variety. Kon-boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, then after it is booted, it loads your OS. Then you can put in any password, or hit enter and it bypasses the login and allows you into the users account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.
What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. And messing with system files could leave your system in an unstable state, if you chose to continue, you do so at your own risk.)
So I booted into Ubuntu, went to the Windows System 32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted. At the Windows log in prompt I hit the “Windows”+”U” key and open pops a system level command prompt. From here you can type any windows command, add users, etc.
The funny part is you can type “explorer.exe”, hit enter and a you get a System level desktop. From here you can open Internet Explorer, and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background protecting(?) your system.
I found the Utilman modification solution on Microsoft’s Technet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal. Modifying the “Sethc.exe” command in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key something like 5 times in a row, the sticky key dialog box will pop up.
Doing so when the sethc file has been replaced with a copy of command.com, opens up a system command prompt at the login screen, just like the utilman modification above.
This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of Windows server products. Windows protects these system files from being modified when Windows is booted, but booting in Linux to alter them just takes a couple minutes at most.
These techniques can be a life saver if you have lost the password to an important system, but it also goes to show that strong physical security is also needed when securing your systems.
CYBER ARMS - Computer Security 
I’ve had success with the Winternals bootable “ERD Commander”. We had a machine at work that lost its relationship with the domain and we didn’t know the local admin password. ERD Commander allowed us to reset that pasword.
Thanks for the comment Andy. We actually tried ERD Commander on the systems and for some reason it would not work.
They were funky Windows based Tablet systems.
Thanks for visiting!
Dan
Me thinks this can come in very handy…L0L. Hope all is well with you and yours.
Philo
*Sigh* I Guess I’m In The, “Pay No Mind” Section, eh? lol
~Philo
Philo, I am so sorry man. Things have been very bad at work and I resigned this week. I haven’t wanted to touch anything that resembled a computer for a while.
Didn’t mean to ignore ya, hope all is well with you and yours too!
Dan
Oh no! I am sorry to hear that. I hope things get straightened out for you soon. My new job absolutely sucks too., so, I’m right there with you. Keep your head up bud.
Philo
good tutorial 🙂
Thank you! 🙂