Offline enable the built-in administrator account in Windows 7 and Vista

Michael PietroforteMVP By Michael Pietroforte - Fri, August 6, 2010 - 51 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Update: Also read Offline enable the Windows 8 administrator account.

In my last my post I described how to offline edit the Registry of a Windows installation through Windows PE or Windows RE. Today, I will give you the procedure to offline enable the built-in administrator account. This can be useful when you have to reset the password of the administrator account without having admin privileges on this machine.

I tried the procedure described here on Windows 7 and Windows Vista. I suppose it also works on Windows XP. However, in Windows XP you can just boot up in Safe Mode (press F8 before Windows starts booting) and log on with the built-in administrator account even it is disabled. Because an administrator password has to be configured when Windows XP is installed, the Safe Mode procedure will only help if you have at least this password.

Once you enable the administrator account, you can use this account to log on to this Windows installation. This works because, by default, the built-in administrator account is configured with an empty password in Vista and Windows 7. Of course, if you configured an administrator password (which I recommended in my article about the built-in administrator account), this procedure is useless if you have also forgotten this password or if a user has set the password and didn’t tell you about it.

Before you proceed, please note that editing the Registry is always risky if you don’t know what you are doing.


To offline enable the built-in administrator account, follow these steps:

  1. Load the SAM Registry hive with regedit as described in my post about the offline Registry editor.
  2. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\Names\.
  3. Click “Administrator” and note the value in the type column.
  4. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\.
  5. Use the type value you noted before to locate the Registry key of the administrator account (see screenshot). Offline enable built in administrator locate administrator
  6. Edit the F entry of the administrator key and navigate to the 0038 position.
  7. If the built-in administrator account is disabled, the value of this position is “11″; replace it with “10″. NOTE: Make sure to edit the correct position because editing binary values in the Registry is a bit tricky: Move the cursor to the beginning of position 0038, press “DEL,” and then type “10″.
    Offline enable built-in administrator
  8. Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.

After you reboot, you can log on using the built-in administrator and reset the password of other accounts.

Note that you can also use this procedure to offline enable other accounts with administrator privileges. In this case, the value at position 0038 will be “15″ if the account is disabled; replace it with”14″ to enable the account.

-1+1 (+1 rating, 1 votes)
Loading ... Loading ...
Disclaimer
Your question wasn't answered? Please ask in the new 4sysops forum!

51 Comments- Leave a Reply

  1. Petr says:

    Here is an interesting utility:
    Offline NT Password & Registry Editor
    http://pogostick.net/~pnh/ntpasswd/

  2. Petr, thanks. I forgot to mention that I once wrote an overview about options of how to reset the Windows password.

  3. Keith says:

    This will come in handy at some point I’m sure. Also serves as a good reason to set a password on the default Administrator account even if you leave it disabled.

  4. Chris says:

    Much thanks sir, I had no idea I could enable admin through the RE. You saved me a major headache!

  5. HoHum says:

    Thank you for this write-up! Allowed me to instantaneously gain access to a locked account. Also, I was able to resolve a “User Profile Service failed login” error that resulted because of reseting the password on the locked account.

    I logged on with the administrator profile.
    Executed regedit
    Went to Local Machine\Software\Microsoft\Windows NT\Profile List
    Went through the profiles and located mine using the ProfileImagePath.
    Found two with the exact key, but my real one had the “.bak” appended to it.
    Renamed the other identical key and removed the “.bak” from mine.
    I then changed the State property to 0.
    Logged off.
    Then logged back on! Voila! Awesome!

  6. You are welcome! It is interesting for what purposes this procedure is useful.

  7. sahil says:

    sir i tried this method and when i reached at step no 2 mentiond in your method i didnot find your_key_name

  8. sahil, “your_key_name” is the term you entered in step 5 in this guide.

  9. noufal says:

    hello Michael Pietroforte i am working as a pc service engineer in oman.you have helped me a lot.thank u so much,now i am asking about activating built in administrator account.i have done all mentioned above,but the last step “Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.” cannot do because that option is hidden, i mean not active.can u help me?plssss

  10. noufal, hmm are you sure that you clicked the temporary node you created (%your_key_name%) first? The unload menu point should only be hidden if another node is selected.

  11. Jackey says:

    It is great knowledge.
    Thanks.

  12. noufal says:

    yea i got.thanks alot.

  13. Austin says:

    When I go to load the SAM, I get error ‘cannot load SAM: The process cannot access the file because it is being used by another process’

    Ideas? I followed these directions exactly…even rebooted and tried again, still no luck

  14. Austin says:

    Never mind about that, I was unaware that I was in the X: drive (boot up)…changed it to C: and got right in, thanks a lot for this! Extremely easy (once I figured out I was in the wrong area) and worked flawlessly. Thanks again!

  15. Richie says:

    WOW, nice.

    Used a Vista32 repair disc, DON’T do a System Restore, just let it run thru the “repair”. Eventually it will fail at a Send Report? window. Just close it and Voila! Behind is a list of things to do, one of which is Command Prompt.
    This saved a 2 year old Vista Business Acer with Domain style log in that the user (client) forgot the PW.
    Company has been sold too.
    This fix is for advanced users….tread lightly. /R

  16. Auston says:

    I do all the changes, unload the have, close the regedit, then reboot but when it starts up there still is no administrator account.

  17. Prem151 says:

    Nice article, solved lot of problems,

  18. Cosimo says:

    Dear Michael,
    what an incredible helping hand you gave me today.
    Many many thanks.
    Greetings from Italy.
    Cosimo

  19. JF says:

    one of the most cool things I ever made! Great article!

    I was facing this issue:
    “The referenced account is currently locked out and may not be logged on to.”

    The account locked was the Local Administrator account and that was the only active account. Server was not in a domain.

    I followed your steps, but the first value at position 038 was already 10. The curious was that the second value at position 038 was 02. Then I changed the second value to 00 as your screenshot then I reboot and surprise!, account was unlocked!

    Everything works now! Thank yoU!

    I made it for Windows Server 2008 R2 SP1 Standard 64bit.

  20. Aftab says:

    its a great help man and it worked, thanks alot for such a great share :)

  21. Enima says:

    You are a genius! Thank you so much! :)

  22. BarryA says:

    I am trying to enable the local Administrator account on a (Win7) laptop that sysprep encountered a ‘fatal error.’ Windows will boot, but now the Administrator account is disabled, and it is apparently no longer on the Domain for me to log on with my domain account. I removed the hard drive and did as you said. When I load the SAM hive, I only get a key named SAM (under my_key_name), but no sub-keys under the SAM key. Is this due to sysprep?

  23. Lawrence says:

    You’re just dame good!!
    Your trick was solved my problem as no one could.
    Thank you indeed.

    from China

  24. Neil says:

    Worked very well. Thanks a lot for sharing.

  25. D says:

    @BarryA — November 8, 2011

    The content of the SAM subkey is hidden by default on Windows 7, but you may display it with right-click [Permission].
    Select the current user (typically the local, built-in, Administrator account) and click on “Advanced”. Write down the current permissions to be able to restore them.
    Then set the permissions to “Full Control” and click OK twice. Press [F5] to refresh. That’s it.

    NOTE: When the current user has full control over the SAM subkey, it seems the [File][Load Hive] menu command is disabled. So be sure to first load the hive(s) you need and then unblock the subkey. Do not forget to set the permissions back to their original values prior unloading the hive(s).

  26. Brian says:

    I keep getting an error when trying to load the SAM hive, that it is already in use. It allows me to type in a name but then when I click OK it returns the in use error. We are trying to recover 5 Win 7 clients admin access after the domain admins ran a program that malfunctioned and removed all administrators from the admin group except for the local accout, which we had left disabled for security. I do know that password, but without it being enabled it does me no good.

  27. Brian, did you boot from a second Windows installation?

  28. Brian says:

    I used the same boot media that loaded the machine initially, Win 7 Enterprise, with these five machines in particular @ 64 bit. There is only one Windows installation, if I am understanding your question correctly.
    The exact error I receive is:

    “Cannot load X:\Windows\System32\config\SAM: The process cannot access the file because it is being used by another process.”

  29. Brian, the drive letter X indicates that you are trying to load the registry of the boot OS which is Windows PE. You can probably find the Windows 7 installation on drive D.

  30. Brian says:

    I am at a loss here. I navigate to d:\windows\system32\config and run regedit it pulls up the same regedit. I run it from d:\windows it tells me its the wrong version. I run if from d:\windows\system32 it returns an apphelp.dll error saying it isn’t designed to run on this version of windows or it contains an error.

  31. Paul says:

    Thanks a million. I’m computer dumb and your pages allowed me to save a laptop from being scrapped and pass it along to a happy new home. You, Sir, are a scholar and a saint.

  32. Sandeep says:

    Thanks a lot!!! Now I don’t need to reload Windows in more than 40 computers.
    It works great.
    Thanks again…

  33. Ashish says:

    Awesome tricks.Once I visited your site and now I’m a regular visitor..
    Thanks for the write up.

  34. John Otu says:

    rebooted and ran regedit from all drives possible but still had the “…file is used by another process error”. noticed this only accepts SAM root creation, SYSTEM and SOFTWARE worked well.
    so i thought, if i got admin privileges in the PR environment, then i can copy files from admin account so i used the command prompt and the copied (still copying…) the files from the account i forgot the password to a public folder. hopefully i will see my files with the non-admin account but it seems i might not be able again to create another admin user account.

  35. sms says:

    This article helped me alot :) thanks alot, today, while i was playing with net command in cmd i by mistake deleted my account which has administrator privileges and when i restarted my computer i got a login screen but since i had no account i wasn’t able to login so i run the pc in safemode and create the new account but this account was Standard user account so i used your tutorial to enable the administrator account :D
    Thanks again

  36. Hector says:

    Wow! If you were right in front of me, I could give you a huge bear hug. LOL

    I accepted the task of recovering files on a Parental Controlled locked laptop. The previous owner sold it, but her father had gone over-kill with Parental Controls and the new owner had no passwords or access to anything.

    For guessing the old owners password, it was ophcrack live cd to the rescue. Then it was your guide to the rescue to enable the Vista default administrator account. Voila! Cracked Open System!

    Thank you! Thank you! Thank you!

  37. mlachmann says:

    Thank you for this post. Helped me a lot!
    Greetings from Germany

  38. JoJo says:

    I changed my password 4 my administrator account and then forgot it. Nothing will work because it keeps asking for an administrator password and I can’t download anything. HEEEEEEELP!!!!!!!!!!!!!!

  39. Michael says:

    Thank you very much. It worked of course :)

  40. Deborah says:

    Any thoughts on what to do if you can get in to the admin account using a biometric device instead of a password, but can’t remember the physical password. Not urgent, but with my luck I will cut my finger off, or the biometric device will break and I won’t be able to get in.

  41. Mike says:

    My son forgot his password…. This worked perfectly and was amazingly easy to do. Thanks for the post!

  42. Andrew says:

    This method saved me a reinstall after I locked my main account! For some reason, net user wouldn’t enable the Administrator account.

    Thanks so much for the walkthrough!

  43. Roddy says:

    I ran into an issue that had (what seemed to me) a weird fix: much like Barry_A I wasn’t seeing much under the newly loaded SAM key, until I thought to close out of regedit (without unloading) and reopen. Then it worked fine! I also mucked w permissions, not sure if that mattered

  44. Roddy says:

    I had to close regedit (without unloading the SAM hive) & reopen before it’d let me see any keys under SAM, similar problem to BarryA above, though permission changes weren’t enough. was at a loss and tried that in vain… and it worked. Windows is so quirky. Thanks! Used my old xp ThinkPad to recover a win7 installation by plugging the HDD into a SATA to USB adapter

  45. No name says:

    Thanks a lot for this. Worked first time 100%.

  46. morry says:

    I have nothing (no Keys) under SAM. Why?

  47. morry says:

    Actually all I have under SAM is SAM under which there is nothing.
    Why would that be?

  48. Nicholas says:

    I have followed all of the steps and managed to enable the built in Admin, the problem seems to be that there once was a password for the account but it is now expired. However the Admin account still requests a password… I just want to be able to install things on my PC again…

  49. John says:

    Thank you for posting. Confirmed to remote registry edit enable local Administrator account on Windows 8.1 after getting locked out of Live account.

Please share your thoughts in a comment!

Login

Lost your password?