Reset Win7 password

I came across a novel way to reset a forgotten Win7 password the other day, and as it uses Linux for a small part of the procedure I thought I’d post it here … I know this isn’t new, but it’s as much for my memory, as it may be of interest to others.

First let me explain something … sethc.exe is the Windows executable that is run when you hit the shift key 5 times, that allows you to enable/disable sticky keys.

It can be run BEFORE logging on by hitting the shift key 5 times (bit of a security flaw there) … so we’re going to temporarily replace it with cmd.exe, therefore allowing you to open an administrative shell where you’ll enable the Administrator account, log onto it, change the password … then undo everything.

Anyway … here’s the procedure:-

boot to a Livux liveCD/Live USB

copy C:\windows\system32\sethc.exe to somewhere safe (C:\Storage\sethc.exe)

copy C:\windows\system32\cmd.exe to C:\cmd.exe

rename C:\cmd.exe to C:\sethc.exe

move C:\sethc.exe to C:\windows\system32\sethc.exe (overwriting the original)

============================

Reboot to Win7

At the login screen, hit the shift key 5 times … an admin command prompt should open.

in the command prompt enter:

net user administrator /active:yes

close the command prompt … reboot

you should now be able to log in as Administrator without a password.

============================

Reset the users password

============================

log off

hit the shift key 5 times

run:

net user administrator /active:no

close command prompt … reboot to Linux liveCD/USB (though this can probably also be done from within Windows)

copy C:\Storage\sethc.exe to C:\windows\system32\sethc.exe (overwriting the original)

shut down

============================

Reboot to Win7 and login with new password

delete C:\Storage\sethc.exe and C:\sethc.exe

DONE.

Damn, that’s worth reporting to Microsoft (they pay bug bounties, right?)

Edit: According to this - http://technet.microsoft.com/en-us/security/dn425055 - only Windows 8.1 vunerabilities get bounties. But they’d love to hear about this Win7 bug for free! lol

I’m not really interested in helping them … that said it’s a well known bug (?) anyway, they’d have to be blind to the internet to not know about it … but they’re obviously not bothered about fixing it either ::slight_smile:

It’s effectively priviledge escalation - I’d be pretty worried about it if I were in the IT department of a company. The thought of the users having the ability to get root access isn’t something I’d want (just like I wouldn’t give them the root password if they were using Linux)