Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.

In my last my post I described how to offline edit the Registry of a Windows installation through Windows PE or Windows RE. Today, I will give you the procedure to offline enable the built-in administrator account. This can be useful when you have to reset the password of the administrator account without having admin privileges on this machine.

I tried the procedure described here on Windows 7 and Windows Vista. I suppose it also works on Windows XP. However, in Windows XP you can just boot up in Safe Mode (press F8 before Windows starts booting) and log on with the built-in administrator account even it is disabled. Because an administrator password has to be configured when Windows XP is installed, the Safe Mode procedure will only help if you have at least this password.

Once you enable the administrator account, you can use this account to log on to this Windows installation. This works because, by default, the built-in administrator account is configured with an empty password in Vista and Windows 7. Of course, if you configured an administrator password (which I recommended in my article about the built-in administrator account), this procedure is useless if you have also forgotten this password or if a user has set the password and didn't tell you about it.

Before you proceed, please note that editing the Registry is always risky if you don't know what you are doing.

To offline enable the built-in administrator account, follow these steps:

  1. Load the SAM Registry hive with regedit as described in my post about the offline Registry editor.
  2. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\Names\.
  3. Click "Administrator" and note the value in the type column.
  4. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\.
  5. Use the type value you noted before to locate the Registry key of the administrator account (see screenshot). Offline enable built in administrator locate administrator
  6. Edit the F entry of the administrator key and navigate to the 0038 position.
  7. If the built-in administrator account is disabled, the value of this position is "11"; replace it with "10". NOTE: Make sure to edit the correct position because editing binary values in the Registry is a bit tricky: Move the cursor to the beginning of position 0038, press "DEL," and then type "10".
    Offline enable built-in administrator
  8. Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.

After you reboot, you can log on using the built-in administrator and reset the password of other accounts.

Note that you can also use this procedure to offline enable other accounts with administrator privileges. In this case, the value at position 0038 will be "15" if the account is disabled; replace it with"14" to enable the account.

Win the monthly 4sysops member prize for IT pros


Related Posts

  1. Petr 7 years ago

    Here is an interesting utility:
    Offline NT Password & Registry Editor


  2. Michael Pietroforte 7 years ago

    Petr, thanks. I forgot to mention that I once wrote an overview about options of how to reset the Windows password.


  3. Keith 7 years ago

    This will come in handy at some point I'm sure. Also serves as a good reason to set a password on the default Administrator account even if you leave it disabled.


  4. Chris 7 years ago

    Much thanks sir, I had no idea I could enable admin through the RE. You saved me a major headache!


  5. HoHum 7 years ago

    Thank you for this write-up! Allowed me to instantaneously gain access to a locked account. Also, I was able to resolve a "User Profile Service failed login" error that resulted because of reseting the password on the locked account.

    I logged on with the administrator profile.
    Executed regedit
    Went to Local Machine\Software\Microsoft\Windows NT\Profile List
    Went through the profiles and located mine using the ProfileImagePath.
    Found two with the exact key, but my real one had the ".bak" appended to it.
    Renamed the other identical key and removed the ".bak" from mine.
    I then changed the State property to 0.
    Logged off.
    Then logged back on! Voila! Awesome!


  6. Michael Pietroforte 7 years ago

    You are welcome! It is interesting for what purposes this procedure is useful.


  7. sahil 7 years ago

    sir i tried this method and when i reached at step no 2 mentiond in your method i didnot find your_key_name


  8. Michael Pietroforte 7 years ago

    sahil, "your_key_name" is the term you entered in step 5 in this guide.


  9. noufal 7 years ago

    hello Michael Pietroforte i am working as a pc service engineer in oman.you have helped me a lot.thank u so much,now i am asking about activating built in administrator account.i have done all mentioned above,but the last step "Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu." cannot do because that option is hidden, i mean not active.can u help me?plssss


  10. Michael Pietroforte 7 years ago

    noufal, hmm are you sure that you clicked the temporary node you created (%your_key_name%) first? The unload menu point should only be hidden if another node is selected.


  11. Jackey 7 years ago

    It is great knowledge.


  12. noufal 7 years ago

    yea i got.thanks alot.


  13. Austin 7 years ago

    When I go to load the SAM, I get error 'cannot load SAM: The process cannot access the file because it is being used by another process'

    Ideas? I followed these directions exactly...even rebooted and tried again, still no luck


  14. Austin 7 years ago

    Never mind about that, I was unaware that I was in the X: drive (boot up)...changed it to C: and got right in, thanks a lot for this! Extremely easy (once I figured out I was in the wrong area) and worked flawlessly. Thanks again!


  15. Richie 7 years ago

    WOW, nice.

    Used a Vista32 repair disc, DON'T do a System Restore, just let it run thru the "repair". Eventually it will fail at a Send Report? window. Just close it and Voila! Behind is a list of things to do, one of which is Command Prompt.
    This saved a 2 year old Vista Business Acer with Domain style log in that the user (client) forgot the PW.
    Company has been sold too.
    This fix is for advanced users....tread lightly. /R


  16. Auston 7 years ago

    I do all the changes, unload the have, close the regedit, then reboot but when it starts up there still is no administrator account.


  17. Prem151 7 years ago

    Nice article, solved lot of problems,


  18. Cosimo 7 years ago

    Dear Michael,
    what an incredible helping hand you gave me today.
    Many many thanks.
    Greetings from Italy.


  19. JF 6 years ago

    one of the most cool things I ever made! Great article!

    I was facing this issue:
    "The referenced account is currently locked out and may not be logged on to."

    The account locked was the Local Administrator account and that was the only active account. Server was not in a domain.

    I followed your steps, but the first value at position 038 was already 10. The curious was that the second value at position 038 was 02. Then I changed the second value to 00 as your screenshot then I reboot and surprise!, account was unlocked!

    Everything works now! Thank yoU!

    I made it for Windows Server 2008 R2 SP1 Standard 64bit.


  20. Aftab 6 years ago

    its a great help man and it worked, thanks alot for such a great share 🙂


  21. Enima 6 years ago

    You are a genius! Thank you so much! 🙂


  22. BarryA 6 years ago

    I am trying to enable the local Administrator account on a (Win7) laptop that sysprep encountered a 'fatal error.' Windows will boot, but now the Administrator account is disabled, and it is apparently no longer on the Domain for me to log on with my domain account. I removed the hard drive and did as you said. When I load the SAM hive, I only get a key named SAM (under my_key_name), but no sub-keys under the SAM key. Is this due to sysprep?


  23. Lawrence 6 years ago

    You're just dame good!!
    Your trick was solved my problem as no one could.
    Thank you indeed.

    from China


  24. Neil 6 years ago

    Worked very well. Thanks a lot for sharing.


  25. D 6 years ago

    @BarryA — November 8, 2011

    The content of the SAM subkey is hidden by default on Windows 7, but you may display it with right-click [Permission].
    Select the current user (typically the local, built-in, Administrator account) and click on "Advanced". Write down the current permissions to be able to restore them.
    Then set the permissions to "Full Control" and click OK twice. Press [F5] to refresh. That's it.

    NOTE: When the current user has full control over the SAM subkey, it seems the [File][Load Hive] menu command is disabled. So be sure to first load the hive(s) you need and then unblock the subkey. Do not forget to set the permissions back to their original values prior unloading the hive(s).


  26. Brian 6 years ago

    I keep getting an error when trying to load the SAM hive, that it is already in use. It allows me to type in a name but then when I click OK it returns the in use error. We are trying to recover 5 Win 7 clients admin access after the domain admins ran a program that malfunctioned and removed all administrators from the admin group except for the local accout, which we had left disabled for security. I do know that password, but without it being enabled it does me no good.


  27. Michael Pietroforte 6 years ago

    Brian, did you boot from a second Windows installation?


  28. Brian 6 years ago

    I used the same boot media that loaded the machine initially, Win 7 Enterprise, with these five machines in particular @ 64 bit. There is only one Windows installation, if I am understanding your question correctly.
    The exact error I receive is:

    "Cannot load X:\Windows\System32\config\SAM: The process cannot access the file because it is being used by another process."


  29. Michael Pietroforte 6 years ago

    Brian, the drive letter X indicates that you are trying to load the registry of the boot OS which is Windows PE. You can probably find the Windows 7 installation on drive D.


  30. Brian 6 years ago

    I am at a loss here. I navigate to d:\windows\system32\config and run regedit it pulls up the same regedit. I run it from d:\windows it tells me its the wrong version. I run if from d:\windows\system32 it returns an apphelp.dll error saying it isn't designed to run on this version of windows or it contains an error.


  31. Michael Pietroforte 6 years ago

    Brian, did you read this?


  32. Paul 6 years ago

    Thanks a million. I'm computer dumb and your pages allowed me to save a laptop from being scrapped and pass it along to a happy new home. You, Sir, are a scholar and a saint.


  33. Sandeep 6 years ago

    Thanks a lot!!! Now I don't need to reload Windows in more than 40 computers.
    It works great.
    Thanks again...


  34. Ashish 6 years ago

    Awesome tricks.Once I visited your site and now I'm a regular visitor..
    Thanks for the write up.


  35. John Otu 6 years ago

    rebooted and ran regedit from all drives possible but still had the "...file is used by another process error". noticed this only accepts SAM root creation, SYSTEM and SOFTWARE worked well.
    so i thought, if i got admin privileges in the PR environment, then i can copy files from admin account so i used the command prompt and the copied (still copying...) the files from the account i forgot the password to a public folder. hopefully i will see my files with the non-admin account but it seems i might not be able again to create another admin user account.


  36. sms 6 years ago

    This article helped me alot 🙂 thanks alot, today, while i was playing with net command in cmd i by mistake deleted my account which has administrator privileges and when i restarted my computer i got a login screen but since i had no account i wasn't able to login so i run the pc in safemode and create the new account but this account was Standard user account so i used your tutorial to enable the administrator account 😀
    Thanks again


  37. Hector 6 years ago

    Wow! If you were right in front of me, I could give you a huge bear hug. LOL

    I accepted the task of recovering files on a Parental Controlled locked laptop. The previous owner sold it, but her father had gone over-kill with Parental Controls and the new owner had no passwords or access to anything.

    For guessing the old owners password, it was ophcrack live cd to the rescue. Then it was your guide to the rescue to enable the Vista default administrator account. Voila! Cracked Open System!

    Thank you! Thank you! Thank you!


  38. mlachmann 6 years ago

    Thank you for this post. Helped me a lot!
    Greetings from Germany


  39. JoJo 6 years ago

    I changed my password 4 my administrator account and then forgot it. Nothing will work because it keeps asking for an administrator password and I can't download anything. HEEEEEEELP!!!!!!!!!!!!!!


  40. Michael 6 years ago

    Thank you very much. It worked of course 🙂


  41. Deborah 5 years ago

    Any thoughts on what to do if you can get in to the admin account using a biometric device instead of a password, but can't remember the physical password. Not urgent, but with my luck I will cut my finger off, or the biometric device will break and I won't be able to get in.


  42. Mike 5 years ago

    My son forgot his password.... This worked perfectly and was amazingly easy to do. Thanks for the post!


  43. Andrew 5 years ago

    This method saved me a reinstall after I locked my main account! For some reason, net user wouldn't enable the Administrator account.

    Thanks so much for the walkthrough!


  44. Roddy 5 years ago

    I ran into an issue that had (what seemed to me) a weird fix: much like Barry_A I wasn't seeing much under the newly loaded SAM key, until I thought to close out of regedit (without unloading) and reopen. Then it worked fine! I also mucked w permissions, not sure if that mattered


  45. Roddy 5 years ago

    I had to close regedit (without unloading the SAM hive) & reopen before it'd let me see any keys under SAM, similar problem to BarryA above, though permission changes weren't enough. was at a loss and tried that in vain... and it worked. Windows is so quirky. Thanks! Used my old xp ThinkPad to recover a win7 installation by plugging the HDD into a SATA to USB adapter


  46. No name 5 years ago

    Thanks a lot for this. Worked first time 100%.


  47. morry 5 years ago

    I have nothing (no Keys) under SAM. Why?


  48. morry 5 years ago

    Actually all I have under SAM is SAM under which there is nothing.
    Why would that be?


  49. Nicholas 5 years ago

    I have followed all of the steps and managed to enable the built in Admin, the problem seems to be that there once was a password for the account but it is now expired. However the Admin account still requests a password... I just want to be able to install things on my PC again...


  50. John 4 years ago

    Thank you for posting. Confirmed to remote registry edit enable local Administrator account on Windows 8.1 after getting locked out of Live account.


  51. Bruno 2 years ago

    Now that more and more people use Microsoft Accounts, knowing how to switch a profile from a Microsoft Account to a local account, via regedit, would be extremely useful. There are cases where resetting a Microsoft Account is out of the question (user is deceased, cell phone is unavailable or long gone, access to recovery email address isn't possible, etc). It's easy to switch from a Microsoft Account to a local account when you're logged in to it, but how about doing it from another account with administrator privileges, via regedit? Gaining local admin access is easy, gaining access to data under a Microsoft Account profile is also easy. Converting a Microsoft Account user profile into a local account profile should be easy (via regedit), but I can't find any way to do it.


  52. Angryviking 4 months ago

    Michael, this guide just saved my bacon, thank you !!!!


Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2017

Log in with your credentials


Forgot your details?

Create Account