Sunday, January 1, 2012

Windows password reset (Sticky keys abuse)

Resetting a Windows administrator or user password is ridiculously easy if you have physical access to the machine (or its disk) and the disk is not encrypted. There are other options, but I find this one quite entertaining. It "abuses" the Sticky Keys accessibility feature, which Windows launches when the SHIFT key is pressed five times in a row, and which is available at the logon screen before anyone has authenticated. The entire procedure is explained in detail below.
In short: the procedure overwrites sethc.exe (the program behind Sticky Keys) with a copy of cmd.exe, keeping the sethc.exe file name. Pressing SHIFT five times at the logon screen then starts a command prompt instead of Sticky Keys. Because winlogon starts sethc.exe with SYSTEM privileges, that prompt can manipulate any local Windows account.

- STEP 1: Boot from your Windows installation or recovery CD and open the recovery command prompt.

- STEP 2: Find the partition where Windows is installed (seen from the recovery environment it is usually c:\ or d:\; it is the drive that contains a \Windows folder).

- STEP 3: Back up the original file by typing the following (where "c:" is the drive letter of the Windows installation):

copy c:\windows\system32\sethc.exe c:\
   
(This will create a copy of sethc.exe for the restore step)


- STEP 4: Then overwrite sethc.exe with a copy of cmd.exe:

copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

- STEP 5: Remove the CD, reboot and start the Windows installation normally.
When the logon screen appears, press the SHIFT key five times in quick succession.
A command prompt (running as SYSTEM) should appear. In it, set the new password of the account:

net user yourusername yournewpassword

(in case you don't remember the username, type "net user" to list all local accounts; without the /domain switch this only affects local accounts, not domain accounts)

You just reset the password and can now log in with it. Be aware that a reset (as opposed to the user changing their own password) makes the account's EFS-encrypted files and DPAPI-protected secrets, such as saved credentials and stored browser passwords, unrecoverable; Windows shows the same warning when an administrator resets a password through the GUI.

- STEP 6 (restore): Restore the original sethc.exe to its place afterwards (we made a backup copy a few steps before). Do not skip this: as long as the copy of cmd.exe is in place, anyone who can reach the logon screen gets a SYSTEM shell by pressing SHIFT five times.
Once again, boot your Windows recovery CD and type the following:

copy /y c:\sethc.exe c:\windows\system32\sethc.exe

Pressing the SHIFT key five times will now (again) invoke Sticky keys.

This is also possible by booting a Live CD (e.g. Ubuntu or Knoppix) and doing the copy and rename steps manually from there. Either way, it only works because the NTFS volume can be modified offline: if the disk is protected with BitLocker (or another full disk encryption), the files cannot be touched without the recovery key, which is the real defence against this trick.
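Since the same swap is also used as a backdoor for persistence, the check a defender wants is whether sethc.exe (or any of the other accessibility helpers that winlogon can start from the logon screen) is still the genuine binary. The following PowerShell script is an added example, not part of the original post or of any Windows tool; it generalises from sethc.exe to the other logon-screen helpers and assumes PowerShell 4.0 or later (for Get-FileHash). The function name, the parameter names and the list of file names are this example's own choices.

```powershell
# Added example (not from the original post): report whether the accessibility
# helpers reachable from the Windows logon screen have been swapped for cmd.exe,
# the way sethc.exe is in the procedure above.
# Assumptions: PowerShell 4.0+ (Get-FileHash); run elevated for a complete view.
# -SystemRoot may point at a mounted offline Windows directory (for example
# D:\Windows seen from another installation) instead of the live system.
function Test-AccessibilityBinaries {
    [CmdletBinding()]
    param(
        [string]$SystemRoot = $env:SystemRoot,
        # Binaries winlogon can launch before logon; sethc.exe is the one the post uses.
        [string[]]$Names = @('sethc.exe', 'utilman.exe', 'osk.exe',
                             'narrator.exe', 'magnify.exe', 'displayswitch.exe')
    )
    $system32 = Join-Path $SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -LiteralPath (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    foreach ($name in $Names) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status

        # A swapped file is a byte-for-byte copy of cmd.exe, so its hash matches
        # cmd.exe and its version resource still names "Cmd.Exe" instead of the
        # expected file. The Authenticode signature alone does NOT catch this,
        # because cmd.exe is genuinely Microsoft-signed.
        $expected = '{0}*' -f ($name -replace '\.exe$', '')
        $status = 'OK'
        if ($hash -eq $cmdHash) {
            $status = 'REPLACED: identical to cmd.exe'
        } elseif ($orig -and ($orig -notlike $expected)) {
            $status = "SUSPICIOUS: OriginalFilename is '$orig'"
        } elseif ($sig -ne 'Valid') {
            $status = "SUSPICIOUS: signature status $sig"
        }

        [pscustomobject]@{
            File             = $name
            OriginalFilename = $orig
            Signature        = $sig
            SHA256           = $hash
            Status           = $status
        }
    }
}

# Live system:
Test-AccessibilityBinaries | Format-Table -AutoSize
# Offline disk mounted as D: (e.g. from another Windows installation):
# Test-AccessibilityBinaries -SystemRoot 'D:\Windows' | Format-Table -AutoSize
```

Run it from a normal Windows session (the recovery environment usually has no PowerShell) or point it at a mounted disk. The hash comparison against cmd.exe is the decisive test; the OriginalFilename check also flags a swap with some other binary, and the signature check only catches unsigned or tampered replacements, not a copied signed cmd.exe. The script only inspects the files themselves, so it does not cover variants that leave sethc.exe intact and redirect it elsewhere.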
