When it comes to troubleshooting a running application on a user's Windows desktop, the first problem you face is that you need to access the user session. If you don't know the user password, it can be a bit tricky. Let's learn how to access a user's session without knowing their password.

The most common scenario is this:

  1. The user faces an issue.
  2. The user created a ticket and left the computer.
  3. To understand the problem, you need to see the user's desktop or the error message.
  4. You can access the user's computer physically or via remote control, but it's locked and you don't know the user's password.
  5. You can't access the user session without changing their password.

Our user's name is Jake. Let's say his desktop looks like this before he the locked the computer:

The end user faces a problem on their computer

The end user faces a problem on their computer

Now the user locks the screen and leaves work, hoping you will fix it while he is gone.

The end user locks the computer when leaving the office

The end user locks the computer when leaving the office

You log on with a local or domain user that has access to the computer. In my example, the user name is ws_samilaiho.

A service desk employee logs on to the computer with an admin account

A service desk employee logs on to the computer with an admin account

If you open the Task Manager and go to the Users tab, you can see the name of the account that is logged in. If you right-click it and choose Connect, you have to enter the user password to access the session.

An administrator cannot access another user session without knowing the password

An administrator cannot access another user session without knowing the password

Luckily (sadly for security), Microsoft has left a backdoor. 😊

First, you need to download the Sysinternals Suite or just PsExec.exe. Then you need to run PsExec from an elevated command prompt or PowerShell console.

Downloading Psexec.exe from live.sysinternals.com

Downloading Psexec.exe from live.sysinternals.com

Run PsExec with the following syntax:

PsExec.exe from Sysinternals allows an admin to elevate to SYSTEM (the root of Windows)

PsExec.exe from Sysinternals allows an admin to elevate to SYSTEM (the root of Windows)

Now start Taskmgr.exe from the new command prompt (make sure Task Manager isn't already running).

Opening Task Manager from the command prompt with SYSTEM account

Opening Task Manager from the command prompt with SYSTEM account

Now, go to the Users tab, right-click the user session, and click Connect.

The SYSTEM account can access any logged on user's session via the Task Manager

The SYSTEM account can access any logged on user's session via the Task Manager

And there you are, on the user's desktop without knowing their password 😉

The end user's desktop available to the admin account without knowing the password

The end user's desktop available to the admin account without knowing the password

If you are worried about this from a security perspective, just remember, you are an admin of the box; hence, you can do whatever you want. Standard users can't do this. This also demonstrates nicely why end users shouldn't ever have admin rights.

Read 4sysops without ads by becoming a member!

Your question was not answered? Ask in the forum!

11+

Users who have LIKED this post:

  • avatar
Share
34 Comments
  1. Frank Ketelsen 1 month ago

    This is brilliant 🙂

    3+

  2. Vandrey Trindade 1 month ago

    I have just tried this at work with my teammate PC and it asked for credentials.

    I've logged in his PC using the local admin account.

    Latest Windows 10 versions on both PCs.

    1+

    Users who have LIKED this comment:

    • avatar
    • I have tested this procedure on two different Win 10 computers and worked exactly as described. It doesn't require any password.

      0

      • Vandrey Trindade 1 month ago

        Funny, I'll try with another computer.

        0

        • Vandrey Trindade 1 month ago

          Tried on another computer, same thing. Maybe some specific GPO is blocking that. I'll create a test environment to check.

          0

          • Author

            Are you sure that you are running the Task Manager from the CMD that is running as SYSTEM? And that you remembered to shutdown all other Task Manager instances before ?

            0

            • Vandrey Trindade 1 month ago

              Sami Laiho,

              Yes... I really suspect that is something on this domain, because we can't even connect using the RDP shadow session.

              Here is a print: Print

              0

              • Vandrey Trindade 1 month ago

                Now I see what I was doing wrong... I was testing it using Remote Desktop and not locally.

                Have tried locally on the PC and it works as detailed here.

                Any idea why it doesn't work using Remote Desktop?

                0

                • Vandrey Trindade 1 month ago

                  You can use this command directly too: psexec -SID taskmgr

                  2+

                  Users who have LIKED this comment:

                  • avatar
  3. Eric 1 month ago

    Great tutorial!

    In case the user is not logged in any more? Do I have to change the users active directory password?

    0

  4. Author

    Well then you have to reset the AD account.

    0

  5. Jesse 1 month ago

    remote controlled via sccm and could confirm that this worked as described.

    0

  6. James 1 month ago

    I tested it on latest 10 and all good. 

    0

  7. Aimee 1 month ago

    Danger Warning - the Sysinternals Suite or PsExec.exe are Trojan Virus Programs that let hackers into YOUR computer/ laptop! You have been warned!

    0

    • smorrissey 1 month ago

      Sysinternals Suite and PSExec.exe are wholly owned by Microsoft, and are NOT trojan virus programs as long as you download them directly from Microsoft's sites and not from some 3rd party source...

      3+

      Users who have LIKED this comment:

      • avatar
  8. Joseph 1 month ago

    Awesome article! Confirmed working in a Windows 10 1909 environment with the Windows 10 Security Baselines enabled.

    1+

  9. Ham Williams 1 month ago

    I have needed this forever, thank you.

    0

  10. Author

    Try on a server 2019 that has RDS like I said. Server 2019 licensing allows only one console session at a time - just like the client.

    0

  11. Lando 1 month ago

    Guau!!!

    Its great, really wonking. I test in Win10 1909...

    Thanks for share!!!

    Best wishes

    Regards!

    0

  12. Keith Davis 1 month ago

    Does not work for me, even when local.

    0

  13. @Sami, for your info your article is mentioned in this IlSoftware.it article : Accedere al desktop di un altro utente senza conoscere la password 

    0

  14. Very useful. Shared with my team.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account