Reset Windows 10 password by disabling Windows Defender

A simple hack for resetting a Windows 10 password by abusing tools such as Ultiman.exe, StickyKeys, or DisplaySwitch.exe has existed for some time. Microsoft recently raised the hurdle a little by preventing these Windows modifications with Windows Defender. In this post, I show you how you can easily hack into Windows anyway.
Latest posts by Sami Laiho (see all)

The Immutable Law of Security says that if someone has physical access to your computer, it's not your computer anymore. These simple hacks, along with abusing tools on the logon screen such as Utilman.exe, DisplaySwitch.exe, or Sethc.exe, have existed since 2001 in Windows XP. Before that, you could do the same with the screensaver in Windows 2000, and before that, you could do the same with the Spooler service in NT 4. So in no way am I showing this in order to say it's something I invented—I’m doing this, as in my other blogs, to document the most common things I need when troubleshooting Windows.

The biggest reason for writing this blog (although similar blogs are available, even on 4sysops) is that in August 2018, Microsoft started blocking these Accessibility Feature hacks with Windows Defender. For 18 years before this, I had started many of my presentations with the same hack— you could hack yourself into any Windows version, from Windows XP to Windows Server 2016 Domain Controllers, with a single command. Even though this broke the Third Immutable Law of Security, I told Microsoft every time I visited Redmond that it was ridiculous how easy it was—one command to hack any Windows version. So in August 2018, Microsoft finally fixed it. Of course, they did it when I was on stage, showing the hack that I'd done 18 years in a row. It was a very important presentation, so I guess I got what I deserved—or it was a targeted attack.

So now Microsoft has made great progress on this. I can happily tell you that now it requires not one command, but one command and booting into Safe Mode to hack any Windows version.

A computer account that you don’t know the password for

A computer account that you don’t know the password for

Let's get going.

You need to boot up your machine with something that can read NTFS. Here are some options:

  1. Boot with any Windows installation media (the newer the version, the more likely it is that it has drivers for your hard disk)
  2. Linux with NTFS driver
  3. Windows PE (preinstallation environment)

In my example, I'm booting it with a standard Windows 10 installation DVD (actually an ISO of it, as this is a Hyper-V VM).

The computer booted up with a Windows installation DVD

The computer booted up with a Windows installation DVD

After booting, there are two options I recommend:

  1. If your computer doesn't have BitLocker, just hit Shift+F10 to get to a command prompt.
  2. If your computer has BitLocker, start the Setup and choose Repair, as it will ask you for the BitLocker recovery key and then let you head on to a command prompt.

This computer doesn't have BitLocker, so I just hit Shift+F10 to get the prompt. After this, I’ll find the Windows installation that I can't access. In this case, it’s the D: drive.

Starting CMD with Shift+F10

Starting CMD with Shift+F10

Next you need to change the directory to D:\Windows\System32\.

The actual hack is done by the second command, but I recommend doing the first. (I'm showing this not as an attack, but as a procedure you are absolutely allowed to perform since you are the administrator on this PC.)

First, run the following command: copy sethc.exe ..

This command copies the sethc.exe as a backup to the parent folder with the "copy, space, sethc.exe, space, dot notation.

Second, run the following command: copy cmd.exe sethc.exe

This command replaces the Sticky Keys command with a command prompt.

 Replacing the sethc.exe with the cmd.exe, after creating a backup

This is what we did for years. But now, Windows Defender will catch this on Windows 10. So what you need to do is get the computer to Safe Mode.

  1. Restart the computer.
    Restart the machine

    Restart the machine

  1. On the logon screen, click Restart while pressing the Shift key.
    Getting the computer to Safe Mode by using Shift+Restart

    Getting the computer to Safe Mode by using Shift+Restart

  1. Select Troubleshoot > Advanced Options > Startup Settings.
  2. Select Restart.
    Select Restart to get to the F8 menu of Windows 10

    Select Restart to get to the F8 menu of Windows 10

  1. Choose the fourth option, Enable Safe Mode.
    Choosing Safe Mode to avoid Windows Defender

    Choosing Safe Mode to avoid Windows Defender

When you are on the logon screen, press the Shift key five times rapidly to get a command prompt with system access.

Command prompt with SYSTEM access

Command prompt with SYSTEM access

Here, you can reset the user account passwords or create new users. Here are some examples:

  • NET USER Master Qwerty1
    • In my example, I have an account called Master. This will change its password to be Qwerty1.
  • NET USER Administrator Qwerty1
    • This changes the Administrator user's password to Qwerty1.
  • NET USER Administrator /ACTIVE:YES
    • This activates a disabled admin account.
  • NET USER TEMP Qwerty1 /ADD
    • This creates a new user.
  • NET LOCALGROUP Administrators TEMP /add
    • This makes the new user an admin.
  • msc
    • Open the Computer Management screen if you don't like my command-line examples.
Changing a user's password

Changing a user's password

Note: If you create a new user and the computer is part of a workgroup, you might need to boot the computer once more before you can log on with the user as it might not be listed on the logon screen.

Close the CMD and logon. After logon, there is still some cleanup to do because the computer is still "hacked," which you can verify by pressing the Shift key again five times. It still starts a command prompt. Close this command prompt and start a new one from the Start menu, elevating it with the Run as Administrator option.

Running a new CMD with admin rights (not the one that was started by the Shift key)

Running a new CMD with admin rights (not the one that was started by the Shift key)

From this new CMD.exe, type the following command: Robocopy C:\Windows C:\Windows\System32 sethc.exe /B

  • This uses the backup with your restored privilege.
  • A normal copy won't do, as the file is protected by Windows Resource Protection.
Robocopy restoring the sticky keys to normal

Robocopy restoring the sticky keys to normal

You can verify that everything is back to normal by pressing the Shift key five times. Notice the Sticky Keys notification pops up.

StickyKeys is working normally

StickyKeys is working normally

Now all that is left is to reboot the computer back to normal mode.

A few points to consider:

  • This is not an attack. If you are worried that this would be used against you as an attack, just make sure you have BitLocker, as it will mitigate this.
  • If StickyKeys is disabled via policy, you can try Utilman.exe or DisplaySwitch.exe. If those don't work either, there is a way to hack yourself in via Group Policy; however, that is a story for another post.
  • If you can't access Safe Mode, you can also Disable Windows Defender by renaming MsMpEng.exe while in Windows PE.
3+
avataravatar

Poll: Does your organization plan to introduce Artifical Intelligence?

Read 4sysops without ads and for free by becoming a member!

9 Comments
  1. nospam 9 months ago

    This is so oldschool, it even works on Windows NT.

    It surprised me MS put again the user and picture on the logon screen. Huge security risc.

    0

    • haoos 9 months ago

      Yes, this is exactly what his post is about. Great summary!

      0

  2. Hello and thank you very much for this usefull article.

    As a small addition i have to say that when you are in the language selection screen (i tried it on a physical machine with a windows 10 boot USB), the key combination shift-F10 doesn't bring a command prompt.You can get a command prompt by pressing next , then selecting 'repair' --> troubleshoot --> command prompt.You will find yourself in x:\Sources and then you have to changedir to c:\windows\system32\

    After this point your instructions have worked flawlessly.

    Please take no offence of my correction.thank you again and have a good day.

    2+

    • Ten 7 months ago

      Thanks this helped me get past that point. 

      0

  3. Kai-Uwe 7 months ago

    I just tried this in order to help a neighbour to get back into his PC but learned that even that approach does not work any longer. Both sethc.exe and utilman.exe renamed. But even with the way through safe mode (or disable defender) no command prompt opens. 🙁

    0

    • Author

      I’ve been able to do this even with a new insider build... Maybe he has another anti-malware installed? Or a policy to block this.

      0

    • Author

      And you copied the cmd.exe on top of sethc.exe just like in the blog post? I’m just asking cause you refer to ”renaming”

      0

  4. Ashle 3 months ago

    It does not work now, there was a new update. can you make another post or respond with steps to make it work now.

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2020

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account