In my last post I described how to offline edit the Registry of a Windows installation through Windows PE or Windows RE. Today, I will give you the procedure to offline enable the built-in administrator account. This can be useful when you have to reset the password of the administrator account without having admin privileges on this machine.
I tried the procedure described here on Windows 7 and Windows Vista. I suppose it also works on Windows XP. However, in Windows XP you can just boot up in Safe Mode (press F8 before Windows starts booting) and log on with the built-in administrator account even if it is disabled. Because an administrator password has to be configured when Windows XP is installed, the Safe Mode procedure will only help if you have at least this password.
Once you enable the administrator account, you can use this account to log on to this Windows installation. This works because, by default, the built-in administrator account is configured with an empty password in Vista and Windows 7. Of course, if you configured an administrator password (which I recommended in my article about the built-in administrator account), this procedure is useless if you have also forgotten this password or if a user has set the password and didn’t tell you about it.
Before you proceed, please note that editing the Registry is always risky if you don’t know what you are doing.
To offline enable the built-in administrator account, follow these steps:
- Load the SAM Registry hive with regedit as described in my post about the offline Registry editor.
- Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\Names\.
- Click “Administrator” and note the value in the type column.
- Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\.
- Use the type value you noted before to locate the Registry key of the administrator account (see screenshot).

- Edit the F entry of the administrator key and navigate to the 0038 position.
- If the built-in administrator account is disabled, the value of this position is “11”; replace it with “10”. NOTE: Make sure to edit the correct position because editing binary values in the Registry is a bit tricky: Move the cursor to the beginning of position 0038, press “DEL,” and then type “10”.

- Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.
After you reboot, you can log on using the built-in administrator and reset the password of other accounts.
Note that you can also use this procedure to offline enable other accounts with administrator privileges. In this case, the value at position 0038 will be “15” if the account is disabled; replace it with “14” to enable the account.
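The byte values in the steps above (11/10 and 15/14) differ only in the lowest bit of the flags field at position 0038. The following sketch is an added example, not part of the original post: it decodes that field from an exported F value so you can audit whether an account in an offline hive is enabled. The flag labels are names chosen for this example, and the sample F values are constructed (all zero except the flags field).

```python
import struct

# Bits of the little-endian 16-bit field at offset 0x38 of the SAM "F" value.
# The flag names are descriptive labels chosen for this example (assumption).
ACB_OFFSET = 0x38
ACB_FLAGS = {
    0x0001: "ACCOUNT_DISABLED",
    0x0004: "PASSWORD_NOT_REQUIRED",
    0x0010: "NORMAL_ACCOUNT",
    0x0200: "PASSWORD_NEVER_EXPIRES",
    0x0400: "AUTO_LOCKED",
}


def parse_reg_hex(text):
    """Convert the 'hex:02,00,...' payload of a .reg export into bytes."""
    payload = "".join(text.split("hex:", 1)[-1].split()).replace("\\", "")
    return bytes(int(b, 16) for b in payload.split(",") if b)


def users_key_for_type(type_value):
    """Type value noted under Names (e.g. 0x1f4) -> Users subkey name."""
    return format(type_value, "08X")


def decode_acb(f_value):
    """Return (raw 16-bit flags, flag names in bit order) from an F value."""
    if len(f_value) < ACB_OFFSET + 2:
        raise ValueError("F value too short to contain the 0x38 field")
    (acb,) = struct.unpack_from("<H", f_value, ACB_OFFSET)
    return acb, [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def is_disabled(f_value):
    """True when the disabled bit (0x0001) is set in the flags field."""
    return bool(decode_acb(f_value)[0] & 0x0001)


def sample_f(acb_low, acb_high=0x00):
    """Constructed sample F value: 80 zero bytes plus the two flag bytes."""
    buf = bytearray(80)
    buf[ACB_OFFSET], buf[ACB_OFFSET + 1] = acb_low, acb_high
    return bytes(buf)


if __name__ == "__main__":
    for low in (0x11, 0x10, 0x15, 0x14):
        acb, names = decode_acb(sample_f(low))
        print(f"byte {low:02X} -> 0x{acb:04X} {names} disabled={acb & 1 == 1}")
```

Running it shows that 11 and 15 both carry the disabled bit, which is why the article's replacement values are exactly one lower.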





Here is an interesting utility:
Offline NT Password & Registry Editor
http://pogostick.net/~pnh/ntpasswd/
Petr, thanks. I forgot to mention that I once wrote an overview about options of how to reset the Windows password.
This will come in handy at some point I’m sure. Also serves as a good reason to set a password on the default Administrator account even if you leave it disabled.
Much thanks sir, I had no idea I could enable admin through the RE. You saved me a major headache!
Thank you for this write-up! Allowed me to instantaneously gain access to a locked account. Also, I was able to resolve a “User Profile Service failed login” error that resulted because of resetting the password on the locked account.
I logged on with the administrator profile.
Executed regedit
Went to Local Machine\Software\Microsoft\Windows NT\Profile List
Went through the profiles and located mine using the ProfileImagePath.
Found two with the exact key, but my real one had the “.bak” appended to it.
Renamed the other identical key and removed the “.bak” from mine.
I then changed the State property to 0.
Logged off.
Then logged back on! Voila! Awesome!
You are welcome! It is interesting for what purposes this procedure is useful.
Sir, I tried this method, and when I reached step no. 2 mentioned in your method I did not find your_key_name.
sahil, “your_key_name” is the term you entered in step 5 in this guide.
Hello Michael Pietroforte, I am working as a PC service engineer in Oman. You have helped me a lot. Thank you so much. Now I am asking about activating the built-in administrator account. I have done all mentioned above, but the last step “Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.” I cannot do because that option is hidden, I mean not active. Can you help me? Please.
noufal, hmm are you sure that you clicked the temporary node you created (%your_key_name%) first? The unload menu point should only be hidden if another node is selected.
It is great knowledge.
Thanks.
Yeah, I got it. Thanks a lot.
When I go to load the SAM, I get error ‘cannot load SAM: The process cannot access the file because it is being used by another process’
Ideas? I followed these directions exactly…even rebooted and tried again, still no luck
Never mind about that, I was unaware that I was in the X: drive (boot up)…changed it to C: and got right in, thanks a lot for this! Extremely easy (once I figured out I was in the wrong area) and worked flawlessly. Thanks again!
WOW, nice.
Used a Vista32 repair disc, DON’T do a System Restore, just let it run thru the “repair”. Eventually it will fail at a Send Report? window. Just close it and Voila! Behind is a list of things to do, one of which is Command Prompt.
This saved a 2 year old Vista Business Acer with Domain style log in that the user (client) forgot the PW.
Company has been sold too.
This fix is for advanced users….tread lightly. /R
I do all the changes, unload the hive, close the regedit, then reboot but when it starts up there still is no administrator account.
Nice article, solved a lot of problems.
Dear Michael,
what an incredible helping hand you gave me today.
Many many thanks.
Greetings from Italy.
Cosimo
one of the most cool things I ever made! Great article!
I was facing this issue:
“The referenced account is currently locked out and may not be logged on to.”
The account locked was the Local Administrator account and that was the only active account. Server was not in a domain.
I followed your steps, but the first value at position 038 was already 10. The curious thing was that the second value at position 038 was 02. Then I changed the second value to 00 as in your screenshot, then I rebooted and surprise! The account was unlocked!
Everything works now! Thank you!
I made it for Windows Server 2008 R2 SP1 Standard 64bit.
It's a great help, man, and it worked. Thanks a lot for such a great share.
You are a genius! Thank you so much!
I am trying to enable the local Administrator account on a (Win7) laptop that sysprep encountered a ‘fatal error.’ Windows will boot, but now the Administrator account is disabled, and it is apparently no longer on the Domain for me to log on with my domain account. I removed the hard drive and did as you said. When I load the SAM hive, I only get a key named SAM (under my_key_name), but no sub-keys under the SAM key. Is this due to sysprep?
You’re just damn good!!
Your trick solved my problem as no one could.
Thank you indeed.
from China
Worked very well. Thanks a lot for sharing.
@BarryA — November 8, 2011
The content of the SAM subkey is hidden by default on Windows 7, but you may display it with right-click [Permission].
Select the current user (typically the local, built-in, Administrator account) and click on “Advanced”. Write down the current permissions to be able to restore them.
Then set the permissions to “Full Control” and click OK twice. Press [F5] to refresh. That’s it.
NOTE: When the current user has full control over the SAM subkey, it seems the [File][Load Hive] menu command is disabled. So be sure to first load the hive(s) you need and then unblock the subkey. Do not forget to set the permissions back to their original values prior to unloading the hive(s).
I keep getting an error when trying to load the SAM hive, that it is already in use. It allows me to type in a name but then when I click OK it returns the in use error. We are trying to recover 5 Win 7 clients admin access after the domain admins ran a program that malfunctioned and removed all administrators from the admin group except for the local account, which we had left disabled for security. I do know that password, but without it being enabled it does me no good.
Brian, did you boot from a second Windows installation?
I used the same boot media that loaded the machine initially, Win 7 Enterprise, with these five machines in particular @ 64 bit. There is only one Windows installation, if I am understanding your question correctly.
The exact error I receive is:
“Cannot load X:\Windows\System32\config\SAM: The process cannot access the file because it is being used by another process.”
Brian, the drive letter X indicates that you are trying to load the registry of the boot OS which is Windows PE. You can probably find the Windows 7 installation on drive D.
I am at a loss here. I navigate to d:\windows\system32\config and run regedit, it pulls up the same regedit. I run it from d:\windows, it tells me it's the wrong version. I run it from d:\windows\system32, it returns an apphelp.dll error saying it isn’t designed to run on this version of Windows or it contains an error.
Brian, did you read this?
Thanks a million. I’m computer dumb and your pages allowed me to save a laptop from being scrapped and pass it along to a happy new home. You, Sir, are a scholar and a saint.
Thanks a lot!!! Now I don’t need to reload Windows in more than 40 computers.
It works great.
Thanks again…
Awesome tricks. Once I visited your site and now I’m a regular visitor.
Thanks for the write up.
Rebooted and ran regedit from all drives possible but still had the “…file is used by another process error”. Noticed this only accepts SAM root creation, SYSTEM and SOFTWARE worked well.
So I thought, if I got admin privileges in the PR environment, then I can copy files from the admin account, so I used the command prompt and copied (still copying…) the files from the account I forgot the password to, to a public folder. Hopefully I will see my files with the non-admin account, but it seems I might not be able again to create another admin user account.
This article helped me a lot.
Thanks a lot. Today, while I was playing with the net command in cmd, I by mistake deleted my account, which has administrator privileges, and when I restarted my computer I got a login screen, but since I had no account I wasn’t able to log in. So I ran the PC in Safe Mode and created a new account, but this account was a Standard user account, so I used your tutorial to enable the administrator account.
Thanks again.
Wow! If you were right in front of me, I could give you a huge bear hug. LOL
I accepted the task of recovering files on a Parental Controlled locked laptop. The previous owner sold it, but her father had gone over-kill with Parental Controls and the new owner had no passwords or access to anything.
For guessing the old owners password, it was ophcrack live cd to the rescue. Then it was your guide to the rescue to enable the Vista default administrator account. Voila! Cracked Open System!
Thank you! Thank you! Thank you!
Thank you for this post. Helped me a lot!
Greetings from Germany
I changed my password for my administrator account and then forgot it. Nothing will work because it keeps asking for an administrator password and I can’t download anything. HEEEEEEELP!!!!!!!!!!!!!!
Thank you very much. It worked, of course.