Monday 26 September 2016

Reset Windows 7 Administrator account (or any user account) password

Had some fun on Sunday trying to get access to the Admin account on a Windows 7 laptop.
I attempted some other methods, but what eventually worked for me was a bit of a hack/trick: replace sethc.exe (sticky keys) with cmd.exe and trigger sticky keys (sticky keys runs as Administrator). This was done using Notepad.exe, which is run to view log files after system recovery. Other techniques to get onto a command line as admin with the drive mounted didn't work. This trick is at least quite amusing :-) and also simple and portable :-D.
Background: The Administrator password for the laptop was not known. There was a user account with admin privileges, so users didn't feel the need for it. UNTIL the Windows login page stopped showing their user! We are guessing the user profile became corrupt or had something bad in it.
I attempted a series of procedures before getting the Notepad + sticky keys replacement hack to work. For the record, here they are (and the problem I encountered with each):
  1. When trying to log in as Administrator after an incorrect password, you are prompted to insert a rescue disk (in order to reset the password). We had a Windows 7 rescue disk on CD, but the prompt asked for a floppy or USB. I had no handy USB stick and was too lazy to go shopping and mess about creating a USB boot disk.
  2. Using the system repair disk to get onto a command line did not allow the trick/hack of replacing sethc.exe with cmd.exe, or allow resetting the admin password with 'net user Administrator *'. The command line was running as admin, but not as the real admin on the machine, more as the system repair admin, and the disk did not seem to be mounted with full access . . . ~ not sure ~
  3. Using the Linux System Rescue CD (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I could kind of see it was a GPT-partitioned drive; the tools ntfs-3g, gparted and sfdisk should work with GPT but didn't. This computer prompts for username + domain + password before Windows starts, so I'm not sure, but maybe there is some extra security (which is needed to mount the drive?)
  4. We looked at recovering the user profile (editing the registry), but . . .
What eventually DID work was to follow the system recovery sequence (no external/additional CD needed) and at the end view the log file (it opens in Notepad). Then do File > Open, browse to cmd.exe, copy, paste, and overwrite sethc.exe. Then reboot, trigger sticky keys, and set the password using the command line 'net user Administrator *'.
Procedure:
  1. Shut down and reboot. When "Windows starting" is seen, hold down the power button and power off.
  2. Power on. Windows boot should report that the last Windows start-up failed, so it will give the option "Launch startup repair". Choose this option.
  3. Cancel the Startup Repair. Cancel the System Restore.
  4. A report dialog will show, reporting that the repair could not be done. In there, expand "View problem details". Under problem details a link to an x:/windows/... log file is shown. Click on this.
  5. Notepad.exe opens showing the log file. This Notepad is running as Administrator, and the mounted filesystem x: is your hard disk.
    5.1 Notepad: File > Open, browse to X:/Windows/system32, scroll to sethc.exe.
    5.2 Right-click on sethc.exe and rename it to sethc-BACKUP.exe.
    5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right-click. Paste.
    5.4 When I pasted cmd.exe the command line ran (as Administrator), so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on the command line.
    5.4-1 If you prefer not to use the command line, just use the Notepad File > Open browser to make a copy of cmd.exe and rename it to sethc.exe.
  6. Reboot without any funny stuff.
  7. At the login page, hit the Shift key 5 times or more, triggering sticky keys. Instead of the sticky keys prompt, a command-line dialog appears, running as Administrator. 'net user Administrator *' to set the password.
Good description with screenshots of the procedure here: http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/
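As an added example (not part of the original post): a PowerShell check a defender can run on a booted Windows system to tell whether sethc.exe in System32 has been replaced by a copy of cmd.exe, as in the procedure above. The function name and the checks are mine; it assumes Windows PowerShell 2.0 or newer (the version shipped with Windows 7) and rights to read System32.

```powershell
# Added example, not code from the original post. Verifies that sethc.exe is
# still the genuine Sticky Keys helper rather than a renamed copy of cmd.exe.
# Assumption: Windows PowerShell 2.0+, run with rights to read System32.

$system32 = Join-Path $env:SystemRoot 'System32'

# Hash via .NET so the check also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
function Get-Sha256Hex([string]$Path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

function Test-StickyKeysBinary {
    param([string]$System32 = $system32)

    $sethc    = Join-Path $System32 'sethc.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = @()

    if (-not (Test-Path $sethc)) {
        return @('sethc.exe is missing from System32')
    }

    # 1. A straight copy of cmd.exe is byte-for-byte identical to it.
    if ((Get-Sha256Hex $sethc) -eq (Get-Sha256Hex $cmd)) {
        $findings += 'sethc.exe is identical to cmd.exe'
    }

    # 2. The embedded version resource names the file it was built as. A copied
    #    cmd.exe still reports "Cmd.Exe" after renaming, and its Authenticode
    #    signature stays valid, so a signature check alone does not catch the swap.
    $orig = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($orig -and $orig -notlike 'sethc*') {
        $findings += "sethc.exe reports OriginalFilename '$orig'"
    }

    # 3. Leftovers of a manual swap: the procedure above renames the original to
    #    sethc-BACKUP.exe, so any extra sethc* file in System32 deserves a look.
    Get-ChildItem $System32 -Filter 'sethc*' |
        Where-Object { $_.Name -ne 'sethc.exe' } |
        ForEach-Object { $findings += "unexpected file: $($_.Name)" }

    return $findings
}

# Wrap in @() so .Count is 0 rather than $null when nothing was found.
$result = @(Test-StickyKeysBinary)
if ($result.Count -eq 0) {
    Write-Output 'OK: sethc.exe looks like the genuine Sticky Keys helper'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The script only detects the swap after the fact; the version-resource check is the useful one, because the copied binary is still a validly signed Microsoft file and passes signature-based checks. The `-System32` parameter lets the same function be pointed at another mounted Windows volume when checking a disk offline.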

The rsync of the old user to the new user after a successful recovery. And a game of Blokus :-)


In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) and pretty simple. So it is probably worth trying as one of the first password recovery methods.
We finished up Sunday by making a new user, failing to copy files from the old user to the new user using Windows, installing Cygwin with rsync, and rsyncing from the old user to the new user (-avzhP, excluding ntdata files and a few others). Then backing up stuff generally. It took ages (3/4 hours?) but ended in a successful recovery, phew.
