Update: Also read Offline enable the Windows 8 administrator account.
Latest posts by Michael Pietroforte (see all)
- The Disable-PSRemoting warning - Wed, Dec 6 2017
- New wiki docs about enabling PowerShell remoting - Fri, Dec 1 2017
- New wiki doc about free Microsoft eBooks and new free VMware eBooks - Mon, Oct 30 2017
In my last my post I described how to offline edit the Registry of a Windows installation through Windows PE or Windows RE. Today, I will give you the procedure to offline enable the built-in administrator account. This can be useful when you have to reset the password of the administrator account without having admin privileges on this machine.
I tried the procedure described here on Windows 7 and Windows Vista. I suppose it also works on Windows XP. However, in Windows XP you can just boot up in Safe Mode (press F8 before Windows starts booting) and log on with the built-in administrator account even it is disabled. Because an administrator password has to be configured when Windows XP is installed, the Safe Mode procedure will only help if you have at least this password.
Once you enable the administrator account, you can use this account to log on to this Windows installation. This works because, by default, the built-in administrator account is configured with an empty password in Vista and Windows 7. Of course, if you configured an administrator password (which I recommended in my article about the built-in administrator account), this procedure is useless if you have also forgotten this password or if a user has set the password and didn't tell you about it.
Before you proceed, please note that editing the Registry is always risky if you don't know what you are doing.
To offline enable the built-in administrator account, follow these steps:
- Load the SAM Registry hive with regedit as described in my post about the offline Registry editor.
- Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\Names\.
- Click "Administrator" and note the value in the type column.
- Navigate to HKLM\%your_key_name%\SAM\Domains\Accounts\Users\.
- Use the type value you noted before to locate the Registry key of the administrator account (see screenshot).
- Edit the F entry of the administrator key and navigate to the 0038 position.
- If the built-in administrator account is disabled, the value of this position is "11"; replace it with "10". NOTE: Make sure to edit the correct position because editing binary values in the Registry is a bit tricky: Move the cursor to the beginning of position 0038, press "DEL," and then type "10".
- Click %your_key_name% and then unload the hive through the corresponding menu point in the File menu.
After you reboot, you can log on using the built-in administrator and reset the password of other accounts.
Note that you can also use this procedure to offline enable other accounts with administrator privileges. In this case, the value at position 0038 will be "15" if the account is disabled; replace it with"14" to enable the account.