How to access a user's Windows desktop without knowing their password

When it comes to troubleshooting a running application on a user's Windows desktop, the first problem you face is that you need to access the user session. If you don't know the user password, it can be a bit tricky. Let's learn how to access a user's session without knowing their password.
By Sami Laiho

The most common scenario is this:

  1. The user faces an issue.
  2. The user creates a ticket and leaves the computer.
  3. To understand the problem, you need to see the user's desktop or the error message.
  4. You can access the user's computer physically or via remote control, but it's locked and you don't know the user's password.
  5. You can't access the user session without changing their password.

Our user's name is Jake. Let's say his desktop looks like this before he locked the computer:

The end user faces a problem on their computer

Now the user locks the screen and leaves work, hoping you will fix it while he is gone.

The end user locks the computer when leaving the office

You log on with a local or domain user that has access to the computer. In my example, the user name is ws_samilaiho.

A service desk employee logs on to the computer with an admin account

If you open the Task Manager and go to the Users tab, you can see the name of the account that is logged in. If you right-click it and choose Connect, you have to enter the user password to access the session.

An administrator cannot access another user session without knowing the password

Luckily (sadly for security), Microsoft has left a backdoor. 😊

First, you need to download the Sysinternals Suite or just PsExec.exe. Then you need to run PsExec from an elevated command prompt or PowerShell console.

Downloading Psexec.exe from live.sysinternals.com

Run PsExec with the following syntax:

PsExec.exe from Sysinternals allows an admin to elevate to SYSTEM (the root of Windows)

Now start Taskmgr.exe from the new command prompt (make sure Task Manager isn't already running).

Opening Task Manager from the command prompt with SYSTEM account

Now, go to the Users tab, right-click the user session, and click Connect.

The SYSTEM account can access any logged on user's session via the Task Manager

And there you are, on the user's desktop without knowing their password 😉

The end user's desktop available to the admin account without knowing the password

If you are worried about this from a security perspective, just remember, you are an admin of the box; hence, you can do whatever you want. Standard users can't do this. This also demonstrates nicely why end users shouldn't ever have admin rights.
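For anyone who wants to see when this procedure has been used on a machine, here is an added example (not part of the original article) that correlates the audit events it would be expected to leave: a PSEXESVC service install (System event 7045), a Task Manager process created by SYSTEM (Security event 4688) and a session reconnect (Security event 4778). The events are constructed samples; the 10-minute window, and the assumption that Task Manager's Connect action is recorded as event 4778 (which needs the "Audit Other Logon/Logoff Events" policy, as 4688 needs "Audit Process Creation"), should be checked in your own environment.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"          # well-known SID of LocalSystem
WINDOW = timedelta(minutes=10)   # assumed correlation window; tune locally

# Constructed sample events (not real logs). 7045 = service installed (System log),
# 4688 = process created, 4778 = session reconnected (both Security log).
EVENTS = [
    {"time": "2020-03-02T17:41:05", "id": 7045, "ServiceName": "PSEXESVC"},
    {"time": "2020-03-02T17:41:07", "id": 4688, "SubjectUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"time": "2020-03-02T17:41:30", "id": 4688, "SubjectUserSid": SYSTEM_SID,
     "NewProcessName": r"C:\Windows\System32\Taskmgr.exe"},
    {"time": "2020-03-02T17:41:52", "id": 4778, "AccountName": "jake",
     "SessionName": "Console"},
    # A later reconnect with no PsExec activity nearby (should not alert).
    {"time": "2020-03-03T08:02:11", "id": 4778, "AccountName": "jake",
     "SessionName": "Console"},
]


def find_session_takeovers(events, window=WINDOW):
    """Return 4778 reconnects that follow, within `window`, a PSEXESVC
    service install and a Task Manager process created by SYSTEM."""
    alerts, psexec_at, taskmgr_at = [], None, None
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        image = ev.get("NewProcessName", "").lower()
        # PSEXESVC is PsExec's default service name.
        if ev["id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            psexec_at = ts
        elif (ev["id"] == 4688 and ev.get("SubjectUserSid") == SYSTEM_SID
              and image.endswith("\\taskmgr.exe")):
            taskmgr_at = ts
        elif ev["id"] == 4778 and psexec_at and taskmgr_at:
            # Require the order install -> Task Manager -> reconnect.
            if psexec_at <= taskmgr_at <= ts and ts - psexec_at <= window:
                alerts.append({"time": ev["time"],
                               "account": ev["AccountName"],
                               "session": ev.get("SessionName")})
    return alerts


if __name__ == "__main__":
    for alert in find_session_takeovers(EVENTS):
        print("Possible session takeover via PsExec/Task Manager:", alert)
```
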

46 Comments
  1. Frank Ketelsen 9 months ago

    This is brilliant 🙂

    3+

  2. Vandrey Trindade 9 months ago

    I have just tried this at work with my teammate's PC and it asked for credentials.

    I've logged in to his PC using the local admin account.

    Latest Windows 10 versions on both PCs.

    1+
    • I have tested this procedure on two different Win 10 computers and it worked exactly as described. It doesn't require any password.

      1+

      • Vandrey Trindade 9 months ago

        Funny, I'll try with another computer.

        0

        • Vandrey Trindade 9 months ago

          Tried on another computer, same thing. Maybe some specific GPO is blocking that. I'll create a test environment to check.

          0

          • Author

            Are you sure that you are running the Task Manager from the CMD that is running as SYSTEM? And that you remembered to shut down all other Task Manager instances before?

            0

            • Vandrey Trindade 9 months ago

              Sami Laiho,

              Yes... I really suspect that it is something on this domain, because we can't even connect using the RDP shadow session.

              Here is a print: Print

              0

              • Vandrey Trindade 9 months ago

                Now I see what I was doing wrong... I was testing it using Remote Desktop and not locally.

                Have tried locally on the PC and it works as detailed here.

                Any idea why it doesn't work using Remote Desktop?

                0

                • Vandrey Trindade 9 months ago

                  You can use this command directly too: psexec -SID taskmgr

                  2+
  3. Eric 9 months ago

    Great tutorial!

    In case the user is not logged in any more? Do I have to change the user's Active Directory password?

    0

  4. Author

    Well then you have to reset the AD account.

    0

  5. Jesse 9 months ago

    Remote controlled via SCCM and could confirm that this worked as described.

    0

  6. James 9 months ago

    I tested it on latest 10 and all good. 

    0

  7. Aimee 9 months ago

    Danger Warning - the Sysinternals Suite or PsExec.exe are Trojan Virus Programs that let hackers into YOUR computer/ laptop! You have been warned!

    0

    • smorrissey 9 months ago

      Sysinternals Suite and PSExec.exe are wholly owned by Microsoft, and are NOT trojan virus programs as long as you download them directly from Microsoft's sites and not from some 3rd party source...

      3+
  8. Joseph 9 months ago

    Awesome article! Confirmed working in a Windows 10 1909 environment with the Windows 10 Security Baselines enabled.

    1+

  9. Ham Williams 9 months ago

    I have needed this forever, thank you.

    0

  10. Author

    Try on a server 2019 that has RDS like I said. Server 2019 licensing allows only one console session at a time - just like the client.

    0

  11. Lando 9 months ago

    Wow!!!

    It's great, really working. I tested in Win10 1909...

    Thanks for sharing!!!

    Best wishes

    Regards!

    0

  12. Keith Davis 9 months ago

    Does not work for me, even when local.

    0

  13. @Sami, for your info, your article is mentioned in this IlSoftware.it article: Accedere al desktop di un altro utente senza conoscere la password

    0

  14. Very useful. Shared with my team.

    0

  15. Dave 7 months ago

    Does anyone know any way of logging on with a local account's username and password when you don't know what the password is for this local admin account and you don't have the right to change the password for this local admin account?

    I have logged onto a Server 2016 server located within another (trusted) domain. My admin domain account from the other primary domain doesn't have full administrator rights on this server in the other (trusted domain).

    I have been able to perform my job of installing the latest Windows updates using the SCCM console but then when these updates are done installing I am unable to reboot this server.

    Unfortunately, the local administrator account isn't currently logged onto this server.

    So I'm wondering if anyone knows of a way I can access the local administrator account on this server when I don't know what its password is.

    1+
    • You would need to have administrator rights on the target machine even to do this session hijack trick. What you are talking about is a pure hack of the system.

      If you have physical access (or VMware console or so) you can do the standard trick with stickykeys.exe, it was described here on 4sysops several times.

      I am wondering - if you can deploy patches via SCCM there, why can't you reboot the server from SCCM?

      2+

  16. user624234 5 months ago

    Hi, if I use this with Remote Desktop then I have to input the user password, but locally it works without a password. Is there some option or idea how to make it work with Windows Remote Desktop?

    1+
    • No, in Windows 10 and Windows Server 2019 it can't be done. It was possible to do it via RDP on previous versions.

      0

      • user624234 5 months ago

        Thank you, so there is no other way like this to administer a PC without knowing the user password? (Win 10 Pro)

        1+
        • Only locally or via SCCM remote control. Or in the case of a virtual machine it can be done via Console, which is the same as locally.

          Via RDP your only option is to either know the user's password or reset it 🙂

          1+

        • You can remotely, just not with RDP. Any of the remote desktop tools that actually access the console work. We use DameWare Remote Control, but VNC, Chrome RD, Splashtop, all of these work fine with this method.

          1+
          • Right Keith, forgot about those tools.

            In this case those have to be preinstalled in the system as a service.

            Guess the wording is important here, the RDP protocol does not work 🙂

            1+
  17. user624234 5 months ago

    OK, so what method/software do you recommend? I tested TightVNC, but there is UltraVNC, or TigerVNC. I want to work with open source (maintained), free software. (I don't want to use Teamviewer, Anydesk, Ammyy Admin, DameWare Remote Control, Chrome RD, Splashtop.) The Remote Desktop was a way, but it's not usable, and I don't want to set up SCCM for 5-10 PCs. Opinions, ideas, recommendations?

    0

    • We have used TightVNC for years. I would go this way.

      Of course it only works on LAN, but if you need, you can redirect the ports from your management IP to the customer's location and use VNC directly from your PC.

      If you want the easy way, use TightVNC.

      1+

      • user624234 4 months ago

        I have a problem with TightVNC. When I log in to the user using this method over VNC, and I want to install something, or run an application from the user, then I can't paste the password to the UAC prompt. With the other programs installed as a service, like Teamviewer or Anydesk, I can use copy-paste.

        0

        • Hi user624234,

          As far as I know, pasting a password to Secure Desktop is not possible by design.

          Anyway, you can still take the user's desktop without knowing the user's password via TightVNC, which I guess was the point of your question and this post.

          If you need further help I suggest opening a topic in the IT admin forum.

          1+

© 4sysops 2006 - 2020
