I covered this topic last year (Windows Backdoor: System Level Access via Hot Keys) but just ran into this again recently. How do you gain access to a Windows system that you have legitimately lost the password to?
Well, there seem to be a couple of utilities out there that claim to allow you to do this. We tried a Linux Live-CD based one that was supposed to allow you to change any Windows password. But it didn’t work.
I even tried Kon-Boot, both the CD-based and USB flash drive varieties. Kon-Boot sounds very cool, and comes highly recommended. You boot Kon-Boot first, then after it is booted, it loads your OS. Then you can put in any password, or hit enter, and it bypasses the login and allows you into the user’s account. It is supposed to work on Windows and Linux systems. But unfortunately it also did not work on my systems.
What to do? Well, I figured I would give my article from last year a shot to see if it still worked. (Okay, just a quick disclaimer. Do not do this on a system that you do not own, or have permission to modify. And messing with system files could leave your system in an unstable state; if you choose to continue, you do so at your own risk.)
So I booted into Ubuntu, went to the Windows System32 directory, renamed utilman.exe to utilman.old, copied cmd.com to utilman.exe and rebooted. At the Windows login prompt I hit the “Windows”+“U” keys and up pops a system level command prompt. From here you can type any Windows command, add users, etc.
The funny part is you can type “explorer.exe”, hit enter and you get a system level desktop. From here you can open Internet Explorer and surf the web. And while you are doing all this, the Windows login screen dutifully stays in the background protecting(?) your system.
I found the Utilman modification solution on Microsoft’s Technet site, but it is not the only one that works. A comment on last year’s post pointed me to another trick on Adam’s Technical Journal. Modifying the “Sethc.exe” command in the same way also allows you to bypass the Windows login screen. The “sethc” file is for the Windows Sticky Keys function. Under normal operation, if you hit the Shift key something like 5 times in a row, the Sticky Keys dialog box will pop up.
Doing so when the sethc file has been replaced with a copy of command.com opens up a system command prompt at the login screen, just like the utilman modification above.
This process still works on a fully patched and updated Windows 7 system. When I checked it last year, it also worked on all of the Windows Server products. Windows protects these system files from being modified when Windows is booted, but booting into Linux to alter them takes a couple of minutes at most.
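Since the swap leaves obvious traces on disk (a command-interpreter copy sitting under an accessibility binary’s name, plus the renamed original), an administrator can check for it from a booted system. The following PowerShell script is an added example written for this post, not something from the post or from Microsoft; it assumes Windows with PowerShell 5.1 or later and an elevated prompt, and it only reports, never changes, anything.

```powershell
# Added example (not from the original post): look for the utilman.exe / sethc.exe
# replacement described above. Assumes Windows, PowerShell 5.1+, elevated prompt.
$sys32   = Join-Path $env:SystemRoot 'System32'
$cmdHash = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash

# The two accessibility helpers the post discusses; both are launched by the logon screen.
$targets = 'utilman.exe', 'sethc.exe'

foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { Write-Warning "$name is missing from System32"; continue }

    $file     = Get-Item $path
    $hash     = (Get-FileHash $path -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature $path
    $origName = $file.VersionInfo.OriginalFilename
    $findings = @()

    # Strongest indicator: the file is byte-for-byte a copy of cmd.exe.
    if ($hash -eq $cmdHash) { $findings += 'byte-identical to cmd.exe' }

    # Heuristic: the version resource names a different original file (e.g. Cmd.Exe).
    # Comparison is case-insensitive, which is PowerShell's default for -ne.
    if ($origName -and ($origName -ne $name)) {
        $findings += "version resource says OriginalFilename='$origName'"
    }

    # Supporting evidence only: on older releases (Windows 7) catalog-signed system
    # files report NotSigned here, so do not treat this alone as proof of tampering.
    if ($sig.Status -ne 'Valid') { $findings += "Authenticode status $($sig.Status)" }

    # The post's own procedure leaves the renamed original behind (utilman.old).
    $base     = [IO.Path]::GetFileNameWithoutExtension($name)
    $leftover = Get-ChildItem $sys32 -Filter "$base.*" | Where-Object { $_.Extension -ne '.exe' }
    foreach ($l in $leftover) { $findings += "leftover file $($l.Name)" }

    [PSCustomObject]@{
        File      = $name
        SHA256    = $hash
        Signature = $sig.Status
        Suspect   = ($findings.Count -gt 0)
        Findings  = ($findings -join '; ')
    }
}
```

If the script flags either file, `sfc /verifyonly` will confirm whether the protected copy differs from the one Windows expects, and `sfc /scannow` restores it.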
These techniques can be a life saver if you have lost the password to an important system, but it also goes to show that strong physical security is needed when securing your systems.