Offline enable the built-in administrator account in Windows 7 and Vista

Profile gravatar of Michael Pietroforte

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.
Profile gravatar of Michael Pietroforte

In my last my post I described how to offline edit the Registry of a Windows installation through Windows PE or Windows RE. Today, I will give you the procedure to offline enable the built-in administrator account. This can be useful when you have to reset the password of the administrator account without having admin privileges on this machine.

I tried the procedure described here on Windows 7 and Windows Vista. I suppose it also works on Windows XP. However, in Windows XP you can just boot up in Safe Mode (press F8 before Windows starts booting) and log on with the built-in administrator account even it is disabled. Because an administrator password has to be configured when Windows XP is installed, the Safe Mode procedure will only help if you have at least this password.

Once you enable the administrator account, you can use this account to log on to this Windows installation. This works because, by default, the built-in administrator account is configured with an empty password in Vista and Windows 7. Of course, if you configured an administrator password (which I recommended in my article about the built-in administrator account), this procedure is useless if you have also forgotten this password or if a user has set the password and didn't tell you about it.

Before you proceed, please note that editing the Registry is always risky if you don't know what you are doing.

To offline enable the built-in administrator account, follow these steps:

  1. Load the SAM Registry hive with regedit as described in my post about the offline Registry editor.
  2. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\Names\.
  3. Click "Administrator" and note the value in the type column.
  4. Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\.
  5. Use the type value you noted before to locate the Registry key of the administrator account (see screenshot). Offline enable built in administrator locate administrator
  6. Edit the F entry of the administrator key and navigate to the 0038 position.
  7. If the built-in administrator account is disabled, the value of this position is "11"; replace it with "10". NOTE: Make sure to edit the correct position because editing binary values in the Registry is a bit tricky: Move the cursor to the beginning of position 0038, press "DEL," and then type "10".
    Offline enable built-in administrator
  8. Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.

After you reboot, you can log on using the built-in administrator and reset the password of other accounts.

Note that you can also use this procedure to offline enable other accounts with administrator privileges. In this case, the value at position 0038 will be "15" if the account is disabled; replace it with"14" to enable the account.

Take part in our competition and win $100!

Related Posts

  1. avatar
    Petr 7 years ago

    Here is an interesting utility:
    Offline NT Password & Registry Editor

  2. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 7 years ago

    Petr, thanks. I forgot to mention that I once wrote an overview about options of how to reset the Windows password.

  3. avatar
    Keith 7 years ago

    This will come in handy at some point I'm sure. Also serves as a good reason to set a password on the default Administrator account even if you leave it disabled.

  4. avatar
    Chris 7 years ago

    Much thanks sir, I had no idea I could enable admin through the RE. You saved me a major headache!

  5. avatar
    HoHum 7 years ago

    Thank you for this write-up! Allowed me to instantaneously gain access to a locked account. Also, I was able to resolve a "User Profile Service failed login" error that resulted because of reseting the password on the locked account.

    I logged on with the administrator profile.
    Executed regedit
    Went to Local Machine\Software\Microsoft\Windows NT\Profile List
    Went through the profiles and located mine using the ProfileImagePath.
    Found two with the exact key, but my real one had the ".bak" appended to it.
    Renamed the other identical key and removed the ".bak" from mine.
    I then changed the State property to 0.
    Logged off.
    Then logged back on! Voila! Awesome!

  6. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 7 years ago

    You are welcome! It is interesting for what purposes this procedure is useful.

  7. avatar
    sahil 7 years ago

    sir i tried this method and when i reached at step no 2 mentiond in your method i didnot find your_key_name

  8. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 7 years ago

    sahil, "your_key_name" is the term you entered in step 5 in this guide.

  9. avatar
    noufal 7 years ago

    hello Michael Pietroforte i am working as a pc service engineer in have helped me a lot.thank u so much,now i am asking about activating built in administrator account.i have done all mentioned above,but the last step "Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu." cannot do because that option is hidden, i mean not active.can u help me?plssss

  10. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 7 years ago

    noufal, hmm are you sure that you clicked the temporary node you created (%your_key_name%) first? The unload menu point should only be hidden if another node is selected.

  11. avatar
    Jackey 7 years ago

    It is great knowledge.

  12. avatar
    noufal 7 years ago

    yea i got.thanks alot.

  13. avatar
    Austin 6 years ago

    When I go to load the SAM, I get error 'cannot load SAM: The process cannot access the file because it is being used by another process'

    Ideas? I followed these directions exactly...even rebooted and tried again, still no luck

  14. avatar
    Austin 6 years ago

    Never mind about that, I was unaware that I was in the X: drive (boot up)...changed it to C: and got right in, thanks a lot for this! Extremely easy (once I figured out I was in the wrong area) and worked flawlessly. Thanks again!

  15. avatar
    Richie 6 years ago

    WOW, nice.

    Used a Vista32 repair disc, DON'T do a System Restore, just let it run thru the "repair". Eventually it will fail at a Send Report? window. Just close it and Voila! Behind is a list of things to do, one of which is Command Prompt.
    This saved a 2 year old Vista Business Acer with Domain style log in that the user (client) forgot the PW.
    Company has been sold too.
    This fix is for advanced users....tread lightly. /R

  16. avatar
    Auston 6 years ago

    I do all the changes, unload the have, close the regedit, then reboot but when it starts up there still is no administrator account.

  17. avatar
    Prem151 6 years ago

    Nice article, solved lot of problems,

  18. avatar
    Cosimo 6 years ago

    Dear Michael,
    what an incredible helping hand you gave me today.
    Many many thanks.
    Greetings from Italy.

  19. avatar
    JF 6 years ago

    one of the most cool things I ever made! Great article!

    I was facing this issue:
    "The referenced account is currently locked out and may not be logged on to."

    The account locked was the Local Administrator account and that was the only active account. Server was not in a domain.

    I followed your steps, but the first value at position 038 was already 10. The curious was that the second value at position 038 was 02. Then I changed the second value to 00 as your screenshot then I reboot and surprise!, account was unlocked!

    Everything works now! Thank yoU!

    I made it for Windows Server 2008 R2 SP1 Standard 64bit.

  20. avatar
    Aftab 6 years ago

    its a great help man and it worked, thanks alot for such a great share 🙂

  21. avatar
    Enima 6 years ago

    You are a genius! Thank you so much! 🙂

  22. avatar
    BarryA 5 years ago

    I am trying to enable the local Administrator account on a (Win7) laptop that sysprep encountered a 'fatal error.' Windows will boot, but now the Administrator account is disabled, and it is apparently no longer on the Domain for me to log on with my domain account. I removed the hard drive and did as you said. When I load the SAM hive, I only get a key named SAM (under my_key_name), but no sub-keys under the SAM key. Is this due to sysprep?

  23. avatar
    Lawrence 5 years ago

    You're just dame good!!
    Your trick was solved my problem as no one could.
    Thank you indeed.

    from China

  24. avatar
    Neil 5 years ago

    Worked very well. Thanks a lot for sharing.

  25. avatar
    D 5 years ago

    @BarryA — November 8, 2011

    The content of the SAM subkey is hidden by default on Windows 7, but you may display it with right-click [Permission].
    Select the current user (typically the local, built-in, Administrator account) and click on "Advanced". Write down the current permissions to be able to restore them.
    Then set the permissions to "Full Control" and click OK twice. Press [F5] to refresh. That's it.

    NOTE: When the current user has full control over the SAM subkey, it seems the [File][Load Hive] menu command is disabled. So be sure to first load the hive(s) you need and then unblock the subkey. Do not forget to set the permissions back to their original values prior unloading the hive(s).

  26. avatar
    Brian 5 years ago

    I keep getting an error when trying to load the SAM hive, that it is already in use. It allows me to type in a name but then when I click OK it returns the in use error. We are trying to recover 5 Win 7 clients admin access after the domain admins ran a program that malfunctioned and removed all administrators from the admin group except for the local accout, which we had left disabled for security. I do know that password, but without it being enabled it does me no good.

  27. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 5 years ago

    Brian, did you boot from a second Windows installation?

  28. avatar
    Brian 5 years ago

    I used the same boot media that loaded the machine initially, Win 7 Enterprise, with these five machines in particular @ 64 bit. There is only one Windows installation, if I am understanding your question correctly.
    The exact error I receive is:

    "Cannot load X:\Windows\System32\config\SAM: The process cannot access the file because it is being used by another process."

  29. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 5 years ago

    Brian, the drive letter X indicates that you are trying to load the registry of the boot OS which is Windows PE. You can probably find the Windows 7 installation on drive D.

  30. avatar
    Brian 5 years ago

    I am at a loss here. I navigate to d:\windows\system32\config and run regedit it pulls up the same regedit. I run it from d:\windows it tells me its the wrong version. I run if from d:\windows\system32 it returns an apphelp.dll error saying it isn't designed to run on this version of windows or it contains an error.

  31. Profile gravatar of Michael Pietroforte
    Michael Pietroforte 5 years ago

    Brian, did you read this?

  32. avatar
    Paul 5 years ago

    Thanks a million. I'm computer dumb and your pages allowed me to save a laptop from being scrapped and pass it along to a happy new home. You, Sir, are a scholar and a saint.

  33. avatar
    Sandeep 5 years ago

    Thanks a lot!!! Now I don't need to reload Windows in more than 40 computers.
    It works great.
    Thanks again...

  34. avatar
    Ashish 5 years ago

    Awesome tricks.Once I visited your site and now I'm a regular visitor..
    Thanks for the write up.

  35. avatar
    John Otu 5 years ago

    rebooted and ran regedit from all drives possible but still had the "...file is used by another process error". noticed this only accepts SAM root creation, SYSTEM and SOFTWARE worked well.
    so i thought, if i got admin privileges in the PR environment, then i can copy files from admin account so i used the command prompt and the copied (still copying...) the files from the account i forgot the password to a public folder. hopefully i will see my files with the non-admin account but it seems i might not be able again to create another admin user account.

  36. avatar
    sms 5 years ago

    This article helped me alot 🙂 thanks alot, today, while i was playing with net command in cmd i by mistake deleted my account which has administrator privileges and when i restarted my computer i got a login screen but since i had no account i wasn't able to login so i run the pc in safemode and create the new account but this account was Standard user account so i used your tutorial to enable the administrator account 😀
    Thanks again

  37. avatar
    Hector 5 years ago

    Wow! If you were right in front of me, I could give you a huge bear hug. LOL

    I accepted the task of recovering files on a Parental Controlled locked laptop. The previous owner sold it, but her father had gone over-kill with Parental Controls and the new owner had no passwords or access to anything.

    For guessing the old owners password, it was ophcrack live cd to the rescue. Then it was your guide to the rescue to enable the Vista default administrator account. Voila! Cracked Open System!

    Thank you! Thank you! Thank you!

  38. avatar
    mlachmann 5 years ago

    Thank you for this post. Helped me a lot!
    Greetings from Germany

  39. avatar
    JoJo 5 years ago

    I changed my password 4 my administrator account and then forgot it. Nothing will work because it keeps asking for an administrator password and I can't download anything. HEEEEEEELP!!!!!!!!!!!!!!

  40. avatar
    Michael 5 years ago

    Thank you very much. It worked of course 🙂

  41. avatar
    Deborah 5 years ago

    Any thoughts on what to do if you can get in to the admin account using a biometric device instead of a password, but can't remember the physical password. Not urgent, but with my luck I will cut my finger off, or the biometric device will break and I won't be able to get in.

  42. avatar
    Mike 5 years ago

    My son forgot his password.... This worked perfectly and was amazingly easy to do. Thanks for the post!

  43. avatar
    Andrew 4 years ago

    This method saved me a reinstall after I locked my main account! For some reason, net user wouldn't enable the Administrator account.

    Thanks so much for the walkthrough!

  44. avatar
    Roddy 4 years ago

    I ran into an issue that had (what seemed to me) a weird fix: much like Barry_A I wasn't seeing much under the newly loaded SAM key, until I thought to close out of regedit (without unloading) and reopen. Then it worked fine! I also mucked w permissions, not sure if that mattered

  45. avatar
    Roddy 4 years ago

    I had to close regedit (without unloading the SAM hive) & reopen before it'd let me see any keys under SAM, similar problem to BarryA above, though permission changes weren't enough. was at a loss and tried that in vain... and it worked. Windows is so quirky. Thanks! Used my old xp ThinkPad to recover a win7 installation by plugging the HDD into a SATA to USB adapter

  46. avatar
    No name 4 years ago

    Thanks a lot for this. Worked first time 100%.

  47. avatar
    morry 4 years ago

    I have nothing (no Keys) under SAM. Why?

  48. avatar
    morry 4 years ago

    Actually all I have under SAM is SAM under which there is nothing.
    Why would that be?

  49. avatar
    Nicholas 4 years ago

    I have followed all of the steps and managed to enable the built in Admin, the problem seems to be that there once was a password for the account but it is now expired. However the Admin account still requests a password... I just want to be able to install things on my PC again...

  50. avatar
    John 3 years ago

    Thank you for posting. Confirmed to remote registry edit enable local Administrator account on Windows 8.1 after getting locked out of Live account.

  51. avatar
    Bruno 1 year ago

    Now that more and more people use Microsoft Accounts, knowing how to switch a profile from a Microsoft Account to a local account, via regedit, would be extremely useful. There are cases where resetting a Microsoft Account is out of the question (user is deceased, cell phone is unavailable or long gone, access to recovery email address isn't possible, etc). It's easy to switch from a Microsoft Account to a local account when you're logged in to it, but how about doing it from another account with administrator privileges, via regedit? Gaining local admin access is easy, gaining access to data under a Microsoft Account profile is also easy. Converting a Microsoft Account user profile into a local account profile should be easy (via regedit), but I can't find any way to do it.


Leave a reply

Your email address will not be published. Required fields are marked *



Please ask IT administration questions in the forum. Any other messages are welcome.

© 4sysops 2006 - 2017
Do NOT follow this link or you will be banned from the site!

Log in with your credentials


Forgot your details?

Create Account