Author Topic: Reset Win7 password


Online Mark Greaves (PCNetSpec)

Reset Win7 password
« on: November 19, 2013, 10:09:51 pm »
I came across a novel way to reset a forgotten Win7 password the other day, and as it uses Linux for a small part of the procedure I thought I'd post it here .. I know this isn't new, but it's as much for my memory, as it may be of interest to others.

First let me explain something .. sethc.exe is the Windows executable that is run when you hit the shift key 5 times, that allows you to enable/disable sticky keys.

It can be run BEFORE logging on by hitting the shift key 5 times (bit of a security flaw there) .. so we're going to temporarily replace it with cmd.exe, therefore allowing you to open an administrative shell where you'll enable the Administrator account, log onto it, change the password .. then undo everything.

Anyway .. here's the procedure:-

boot to a Linux liveCD/Live USB

copy C:\windows\system32\sethc.exe to somewhere safe (C:\Storage\sethc.exe)

copy C:\windows\system32\cmd.exe to C:\cmd.exe

rename C:\cmd.exe to C:\sethc.exe

move C:\sethc.exe to C:\windows\system32\sethc.exe (overwriting the original)

============================

Reboot to Win7

At the login screen, hit the shift key 5 times .. an admin command prompt should open.

in the command prompt enter:
net user administrator /active:yes

close the command prompt .. reboot

you should now be able to log in as Administrator without a password.

============================

Reset the user's password

============================

log off

hit the shift key 5 times

run:
net user administrator /active:no

close command prompt .. reboot to Linux liveCD/USB (though this can probably also be done from within Windows)

copy C:\Storage\sethc.exe to C:\windows\system32\sethc.exe  (overwriting the original)

shut down

============================

Reboot to Win7 and login with new password

delete C:\Storage\sethc.exe and C:\sethc.exe

DONE.
« Last Edit: November 19, 2013, 11:06:40 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'

logging in as 'insane' is the only safe option.
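The procedure above works by leaving a copy of cmd.exe in place of sethc.exe, and it also leaves spare copies of sethc.exe lying around at C:\sethc.exe and C:\Storage\sethc.exe until the last step. Both are things a sysadmin can look for from the same kind of Linux live system, with the Windows volume mounted read-only. The script below is an added example for that check, not part of the forum post: it assumes the volume is mounted at the path given as its first argument (e.g. /mnt/win) and that the directory names are the usual Windows/System32 case (ntfs-3g is case-sensitive by default).

```shell
#!/bin/sh
# Added example (not from the forum post): offline check, from a Linux live
# system, for the sethc.exe swap described in the thread.
# Usage: sh check_sethc.sh /mnt/win   (mount point of the Windows volume, read-only)

# SHA-256 of a file; works with GNU sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare sethc.exe with cmd.exe in System32.
# Returns 0 if they differ (expected), 1 if byte-identical (swapped),
# 2 if either file is missing.
check_sethc() {
    sys32="$1/Windows/System32"
    sethc="$sys32/sethc.exe"
    cmd="$sys32/cmd.exe"
    if [ ! -f "$sethc" ] || [ ! -f "$cmd" ]; then
        echo "missing: $sethc or $cmd (is the volume mounted at $1?)"
        return 2
    fi
    h_sethc=$(file_sha256 "$sethc")
    h_cmd=$(file_sha256 "$cmd")
    if [ "$h_sethc" = "$h_cmd" ]; then
        echo "TAMPERED: sethc.exe is byte-identical to cmd.exe ($h_sethc)"
        return 1
    fi
    echo "OK: sethc.exe ($h_sethc) differs from cmd.exe ($h_cmd)"
    return 0
}

# List copies of sethc.exe outside System32 near the top of the volume,
# e.g. the C:\sethc.exe and C:\Storage\sethc.exe the procedure leaves behind.
# Prints one path per line; prints nothing when none are found.
stray_sethc_copies() {
    find "$1" -maxdepth 2 -type f -iname sethc.exe ! -path "*/System32/*" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    check_sethc "$1"
    strays=$(stray_sethc_copies "$1")
    if [ -n "$strays" ]; then
        echo "stray sethc.exe copies found:"
        echo "$strays"
    fi
fi
```

A hash match is the strong signal here: the genuine sethc.exe and cmd.exe never share a hash. If the check reports TAMPERED, the remedy is the one the post itself uses at the end, restoring the original sethc.exe (from the saved copy or from install media) rather than trusting whatever is currently in System32. The stray-copy listing is only a hint, since the files are deleted once the procedure is finished.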

Offline chemicalfan

Re: Reset Win7 password
« Reply #1 on: November 20, 2013, 11:41:45 am »
Damn, that's worth reporting to Microsoft (they pay bug bounties, right?)

Edit: According to this - http://technet.microsoft.com/en-us/security/dn425055 - only Windows 8.1 vulnerabilities get bounties. But they'd love to hear about this Win7 bug for free! lol
« Last Edit: November 21, 2013, 12:10:54 pm by chemicalfan »

Online Mark Greaves (PCNetSpec)

Re: Reset Win7 password
« Reply #2 on: November 21, 2013, 03:14:08 pm »
I'm not really interested in helping them .. that said it's a well known bug (?) anyway, they'd have to be blind to the internet to not know about it .. but they're obviously not bothered about fixing it either  ::)

Offline chemicalfan

Re: Reset Win7 password
« Reply #3 on: November 21, 2013, 04:31:03 pm »
It's effectively privilege escalation - I'd be pretty worried about it if I were in the IT department of a company. The thought of the users having the ability to get root access isn't something I'd want (just like I wouldn't give them the root password if they were using Linux).
