Reset Windows passwords in minutes without extra hardware or software

By on December 13, 2012, 5:00 PM

Although a man recently made headlines for demonstrating that he could brute force an eight-character Windows password in less than six hours by harnessing the power of 25 GPUs, another savvy user has reminded us of a workaround that can bypass the security of virtually any Windows account in 10 minutes.

The trick has been around for years and involves replacing the login screen's Ease of Access Center software with a command prompt. To pull it off, all you need is bootable System Recovery media or bootable Windows 8 installation media (Jamal Naji offers instructions on both approaches, though little changes).

Once you've loaded into the System Recovery environment, you need to access the command prompt to get started. From there, you need to identify your Windows volume with DiskPart, navigate to the Windows\System32 directory, then delete utilman.exe and rename cmd.exe as that file (back up both files first).

After that's done, you can reboot and when you get to the Windows login screen, the Ease of Access Center icon should launch a command prompt. Now you can enter net user to get a list of Windows accounts, then net user USERNAME * to initiate a reset, which requires you to enter and confirm the new password.

Naji notes that you'll probably want to reverse the changes you've made after the password is reset, which basically involves undoing the steps in paragraph three so utilman.exe is restored. He offers a detailed breakdown of the entire procedure for Windows 8 if you need it, as well as specific instructions for Windows 7.
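For defenders, the swap described above leaves a trace that is easy to test for on a live system or a mounted disk image: the login-screen helper becomes byte-identical to another file in System32, or cmd.exe is gone because it was renamed rather than copied. The Python check below is an added example, not code from the original article or from Naji's instructions. Its function names are hypothetical, logon.scr is taken from a reader comment further down, and it assumes a genuine helper is never byte-identical to another file in the same directory.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_system32(system32, helpers=("utilman.exe", "logon.scr")):
    """Return (file, finding) pairs for a live or mounted System32 directory."""
    # Windows names are case-insensitive; a mounted image on Linux is not.
    entries = {name.lower(): os.path.join(system32, name)
               for name in os.listdir(system32)
               if os.path.isfile(os.path.join(system32, name))}
    findings = []
    # "Rename cmd.exe as that file" leaves no cmd.exe behind.
    if "cmd.exe" not in entries:
        findings.append(("cmd.exe", "missing"))
    for helper in helpers:
        if helper not in entries:
            continue  # a helper may not exist on every Windows version
        size = os.path.getsize(entries[helper])
        digest = sha256_of(entries[helper])
        for other in sorted(entries):
            # Size check first, so only same-sized candidates get hashed.
            if (other != helper and os.path.getsize(entries[other]) == size
                    and sha256_of(entries[other]) == digest):
                findings.append((helper, "identical to " + other))
    return findings

def demo():
    """Run the check on a constructed directory (fake file contents)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"cmd.exe": b"constructed shell bytes",
                   "Utilman.exe": b"constructed shell bytes",   # swapped copy
                   "notepad.exe": b"constructed other bytes"}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return triage_system32(root)

if __name__ == "__main__":
    for name, finding in demo():
        print(name, finding)
```

Point `triage_system32` at the System32 directory of the volume under review; an empty list means neither signal was found, not that the machine is clean.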




User Comments: 21

Nima304 said:

Or you can use a utility like Ultimate Boot CD to remove it in the same amount of time.

jobeard jobeard, TS Ambassador, said:

Btw: The assumption here is the use of the OLD style NTLM hashing which only supports 8 character PWs.

Using more than eight stops the Rainbow Table approach by avoiding NTLM altogether.

The Brute Force technique also assumes that the login authentication will not lock the account nor enforce a timeout after 3 consecutive failures - - and most admins will do BOTH.

So the only thing we can say about the approach is - - Y A W N

Trillionsin Trillionsin said:

Been using a linux bootup that takes me only a minute or so, and most of that time is trying to get the PC to boot from the optical drive.

Staff
Jesse Jesse said:

> Btw: The assumption here is the use of the OLD style NTLM hashing which only supports 8 character PWs.
>
> Using more than eight stops the Rainbow Table approach by avoiding NTLM altogether.
>
> The Brute Force technique also assumes that the login authentication will not lock the account nor enforce a timeout after 3 consecutive failures - - and most admins will do BOTH.
>
> So the only thing we can say about the approach is - - Y A W N

I don't get it. Are you replying to the briefly mentioned "brute force an eight-character Windows password" article?

cliffordcooley cliffordcooley, TechSpot Paladin, said:

> I don't get it. Are you replying to the briefly mentioned "brute force an eight-character Windows password" article?

Looks to me like he is replying to both articles with a yawn. If I were to bet, I'd bet neither one has him shaking in his boots.

Darth Shiv Darth Shiv said:

I thought the old NTLM applied for passwords up to 14 characters?

gamoniac said:

Cool. That trick is good to know... and now I know how insecure my PC is. I assume the trick works on the administrator account, too, ya?

WaveZero said:

That's an assumption that you can boot from DVD drives and usb drives. Businesses tend to lock them down.

Staff
Per Hansson Per Hansson, TS Server Guru, said:

> I thought the old NTLM applied for passwords up to 14 characters?

Ten Windows Password Myths: [link]

But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes.

Fokissed Fokissed said:

> The Brute Force technique also assumes that the login authentication will not lock the account nor enforce a timeout after 3 consecutive failures - - and most admins will do BOTH.

The brute-force algorithm doesn't try every password against the login server. It hashes every password until it finds a password with a matching hash (found in the system) as the original password. So to the system, it looks like one (successful) login.

jobeard jobeard, TS Ambassador, said:

> The brute-force algorithm doesn't try every password against the login server. It hashes every password until it finds a password with a matching hash (found in the system) as the original password. So to the system, it looks like one (successful) login.

All depends. If run from a CD (which means the hacker has to have physical access to the system {shame on you}), then you are correct. Otherwise, using only network access, there has to be an attempt per generated password and the Rainbow Tables are useless.

@Darth Shiv

"The two are the LM Hash (a DES-based function applied to the first 14 chars of the password converted to the traditional 8 bit PC charset for the language)"

you are correct and my recall was fuzzy :sigh:

And while we're kibitzing on security, many know of the "hidden" Administrator login and if you lose physical control of the system (eg: a laptop), that account would be ideal to access and 90% of the time it has no password at all. HINT: SAFE BOOT and login to this account and assign it a password too! Unless joe thief also knows of the CD/Rainbow Tables hack, the system will remain secure until he reformats and in that case, all your personal data is blown away too.

amstech amstech, TechSpot Enthusiast, said:

If you're trusting your PC and data to be protected solely by a Windows password, you don't know how to properly protect your data anyways.

Guest said:

This is almost the exact same thing that works on Win 95, 98, ME, 2000, XP, Vista, not sure about 7 though. Replace logon.scr with cmd.exe. Then just sit and wait; as soon as the screen saver tries to kick in you've got a full access DOS prompt.

Guest said:

They did fix it. It's called BitLocker and it encrypts your drive. The password was never intended to stop people with physical access and the ability to boot to a disk. The article assumes you have enough access to boot the computer from an alternative medium. They can't just "fix" that short of forcing full disk encryption.

Guest said:

Same goes for Macs really. Unless you have a firmware password set, resetting the root password is a few keystrokes away.

treetops treetops said:

On my old Windows XP computer I had it in storage so long that I forgot the password so I signed in as a guest, created a new user, logged in with the new user, went to users and changed the password of my old account or set it to nothing. Something very simple like that, it took me forever to figure it out though. Perhaps I just deleted the old account, it was around 10 years ago.

I remember calling Microsoft and they told me it was impossible to use that computer again without the password, jack asses.

p.s. I think I restarted the computer in safemode so I could log in as a guest or something, idk but it's really easy, it was long long ago.

jobeard jobeard, TS Ambassador, said:

> I signed in as a guest, created a new user, logged in with the new user, went to users and changed the password of my old account

I DON'T THINK SO. The Guest account has the least permissions and thus can not create a new login nor can it change the password of any other account.

> p.s. I think I restarted the computer in safemode so I could log in as a guest or something, idk but it's really easy, it was long long ago.

AHH, this is far more likely the case. SAFE MODE -> Login on the Admin account which defaults to no password and that gives you the necessary permissions to do as stated above.

cookice2013 said:

To reset a Windows password is easy. Try the following steps, and you will log in to Windows within 5 minutes. But you should prepare a blank CD/DVD/USB.

Step 1, Get an accessible computer, download the Windows password reset software from ***removed by mod***, install and run.

Step 2, Burn the software onto the CD/DVD/USB.

Step 3, Insert the burned CD/DVD/USB into the computer for which you have lost the login passwords. Then follow the step-by-step wizard to finish password recovery!

LNCPapa LNCPapa said:

I removed that last link as we're starting to cross over into some questionable territory providing links to these types of tools. If users want something like that they can google it themselves.

jobeard jobeard, TS Ambassador, said:

@LNCPapa Thank you - - Techspot has jealously avoided all forms of hacking and this stance gives great credibility to the site IMO. For those that have not seen the history of this issue, I'll summarize the issue:

When even the owner of the machine makes the plea for "help, I lost my password", those contributing to this site have no means to verify that the poster is "in fact" the owner of the affected machine. A great many realities could just as easily be lurking under that request, eg: parental control.

In addition, casual browsing and searching the site would disclose far too much for the World Wide Web to snatch up. If other sites post such concepts and techniques - - well the end result lies with their choice.

The consensus has been to not discuss or post links to tools or techniques which circumvent system security/privacy.

treetops treetops said:

Yeah that is the first time I have mentioned that little method, if you want to delete it as well go ahead, not that you need my approval. It's not specific but when I first posted it I was wondering if I should have even said anything. I guess it doesn't matter, you can probably google your way to anything you want nowadays.
