
I've a situation where a friend purchased a computer from a local PC shop, and seemingly they just wrote cloned images of a hard disk to all their PCs. The Windows install seems like it was preconfigured to log into Windows as an admin called "admin", with an unknown password. At the time I was unaware of the setup and I made a power user account for other purposes. This appears to have turned off the "auto log in as admin", and now we're a bit stuck because the only password known is the power user one (and the PC shop has since closed/gone).

I have, however, been able to get said friend to put the drive into another one of their PCs that is still accessible, and I successfully replaced utilman.exe with cmd.exe.

Alas, they report that even though they're clicking the Ease of Access icon on the login screen, nothing appears (not even the genuine EOA center; I did wonder if Defender would have swapped it back).

Assuming the computer is as up to date as Windows 10 can be, has this route of gaining admin access to a PC been closed? What options of a similar ilk remain for me (who can remotely instruct someone capable enough to swap a hard disk over, but not necessarily particularly Windows software savvy) to try?

Caius Jard
  • My go-to for this situation has always been [UBCD](https://www.ultimatebootcd.com/), which is very old now and no longer maintained, but includes a [tool to let you enable the built in administrator account and blank out the password.](http://pogostick.net/~pnh/ntpasswd/) These haven't been updated in years, but neither has this part of the Windows OS. – Joel Coehoorn Sep 14 '21 at 14:01
  • I had to purchase a dedicated tool to 'unlock' a client's Win10 machine after all the useful recommendations on the 'net had failed me. At some point, searching time exceeds purchase cost. Consider also that occasionally, Win10 will lock a user out of a machine until the internal/hidden updates are completed. One client had to wait four hours and manually reboot to get into her machine. No password by default, but it asked for one on all but the last boot. – fred_dot_u Sep 14 '21 at 14:26
  • [This](https://superuser.com/questions/1024203/how-to-get-rights-of-admin-after-i-disabled-all-admin-accounts-in-my-computer/1024221#1024221) question seems relevant. Seems like the simplest solution is to enable the built-in Administrator and reset the password for any account you are unable to access. Purchasing software you can do for free seems like a waste. – Ramhound Sep 14 '21 at 14:51
  • Do you specifically need to get access to the _currently installed_ system, or would a fresh reinstall be an option? (I think it would be the preferred option, to get rid of whatever _other_ cruft the PC shop put on their images.) – u1686_grawity Sep 14 '21 at 15:00
  • @user1686 Alas, I need access to the currently installed system because this one machine is more important (as you might imagine it would be, given that there are 7 other machines this could have happened to and this one is the only one with all the business accounts, employee pay details, no backups, no record of license keys etc etc..).. Yeah.. – Caius Jard Sep 14 '21 at 16:54
  • @Ramhound I'll have him re-mount the drive in another machine and I'll give a go at doing that to enable the built-in Admin account, thanks – Caius Jard Sep 14 '21 at 16:56
  • Don't mount it in another system. If you mount it from another system that just introduces all sorts of problems. – Ramhound Sep 14 '21 at 16:58
  • @Ramhound The problem I have is that I'm several hundred miles away and doing this over TeamViewer, so I need the remote system to be reasonably functional/capable of launching TV - it'll be a bit of a stretch to get anyone at the remote location to do this. I'll look at transferring the SAM here and manipulating it locally.. Unless the steps can be performed on the remote with a hex editor (I've no idea if the SAM file is e.g. compressed?) instead of regedit – Caius Jard Sep 14 '21 at 17:07
  • Does this answer your question? [What can I do if I forgot my Windows password?](https://superuser.com/questions/72244/what-can-i-do-if-i-forgot-my-windows-password) – Moab Sep 14 '21 at 17:41
  • @Moab good info there, I'm reviewing/trying and I'll let you know – Caius Jard Sep 14 '21 at 18:52

1 Answer

In relation to these specific questions of "does this hack still work" - my answer is "I don't know". I suspect the answer is "maybe, if you can get to them fast enough that Windows Defender won't have undone the workaround"...

...but it's quite a bit more hassle than the technique I posted to the [What can I do if I forgot my Windows password?](https://superuser.com/questions/72244/what-can-i-do-if-i-forgot-my-windows-password) thread Moab linked, using a blend of the advice given by Ramhound.

The short short version is: I mounted the drive with the forgotten password in another machine, used a hex editor on the registry SAM file to search for an occurrence of F401 bytes with an odd number in the tens (mine was 15, often it's 11; it depends which flags out of "account is disabled", "user cannot change password", "password never expires" etc. are enabled on the account) 6 bytes after, and set the odd number even by subtracting one from it. This removed the "account is disabled" flag from the built-in admin account and I was able to remount the drive in the first machine, then use the enabled passwordless Admin account to set a password for the forgotten user and disable the Admin account again.

All in, for me, hex editing the SAM file (location: c:\windows\system32\config) was quicker/easier than using a Live CD etc because of the personnel/remote constraints I had!

Caius Jard
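The "odd number, subtract one" rule in the answer above works because the byte being edited is the low byte of the SAM account-control (ACB) flag word, and bit 0 of that word is ACB_DISABLED; 0x15 and 0x11 are just ACB_DISABLED combined with ACB_NORMAL (0x10) and, in the first case, ACB_PWNOTREQ (0x04). The following is an added example, not code from the original post or from any of the tools linked in the comments: it decodes that flag word using the standard ACB_* bit values, shows that subtracting one is only correct while the disabled bit is actually set (on an even value it sets ACB_DISABLED and ACB_HOMDIRREQ instead), and applies the edit as a bitwise clear to a constructed byte string laid out the way the answer describes. The `F4 01` marker, the six-byte gap and the sample bytes are taken from or modelled on the answer and are assumptions about the layout, not a parser for a real hive.

```python
# Added example (not from the original post): decode and safely edit the SAM
# account-control (ACB) flag word that the answer above edits with a hex editor.
# Flag values are the standard SAM/Samba ACB_* bits; the low byte is the one
# the answer describes (0x15, 0x11, ...).

ACB_FLAGS = {
    0x0001: "ACB_DISABLED",   # account is disabled: the bit the answer clears
    0x0002: "ACB_HOMDIRREQ",  # home directory required
    0x0004: "ACB_PWNOTREQ",   # no password required
    0x0008: "ACB_TEMPDUP",    # temporary duplicate account
    0x0010: "ACB_NORMAL",     # normal user account
    0x0020: "ACB_MNS",        # MNS logon user account
    0x0040: "ACB_DOMTRUST",   # interdomain trust account
    0x0080: "ACB_WSTRUST",    # workstation trust account
    0x0100: "ACB_SVRTRUST",   # server trust account
    0x0200: "ACB_PWNOEXP",    # password never expires
    0x0400: "ACB_AUTOLOCK",   # account auto-locked
}


def decode_acb(flags: int) -> list[str]:
    """Return the names of every ACB bit set in a 16-bit flag word."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if flags & bit]


def is_disabled(flags: int) -> bool:
    """True when ACB_DISABLED (bit 0) is set, i.e. the low byte is odd."""
    return bool(flags & 0x0001)


def enable_account(flags: int) -> int:
    """Clear only ACB_DISABLED and leave every other flag untouched."""
    return flags & ~0x0001 & 0xFFFF


def minus_one(flags: int) -> int:
    """The answer's 'subtract one' shortcut. Correct only while bit 0 is set;
    on an already-enabled (even) value the borrow flips bits 0 and 1 instead."""
    return (flags - 1) & 0xFFFF


def read_acb_le(buf: bytes, offset: int) -> int:
    """Read the little-endian 16-bit flag word starting at `offset`."""
    return int.from_bytes(buf[offset:offset + 2], "little")


def write_acb_le(buf: bytes, offset: int, flags: int) -> bytes:
    """Return a copy of `buf` with the flag word at `offset` replaced."""
    return buf[:offset] + flags.to_bytes(2, "little") + buf[offset + 2:]


def find_flag_offset(buf: bytes, gap: int = 6) -> int:
    """Locate the 'F4 01' marker the answer searches for and return the offset of
    the flag word `gap` bytes past it. Assumption: layout as described in the
    answer, with `gap` intervening bytes; verify against a real record before use."""
    idx = buf.find(b"\xf4\x01")
    if idx < 0:
        raise ValueError("F4 01 marker not found")
    return idx + 2 + gap


def enable_in_buffer(buf: bytes) -> bytes:
    """Clear ACB_DISABLED in place of the hand edit. Idempotent: an account that is
    already enabled is returned unchanged rather than having 1 subtracted from it."""
    off = find_flag_offset(buf)
    flags = read_acb_le(buf, off)
    if not is_disabled(flags):
        return buf
    return write_acb_le(buf, off, enable_account(flags))


# Constructed sample (not a real hive dump): the marker, six filler bytes, then the
# flag word 0x0015 = ACB_DISABLED | ACB_PWNOTREQ | ACB_NORMAL in little-endian order.
SAMPLE = bytes.fromhex("f401" + "00" * 6 + "1500")

if __name__ == "__main__":
    off = find_flag_offset(SAMPLE)
    before = read_acb_le(SAMPLE, off)
    after = read_acb_le(enable_in_buffer(SAMPLE), off)
    print(f"before: 0x{before:02x} {decode_acb(before)}")
    print(f"after:  0x{after:02x} {decode_acb(after)}")
    # What the shortcut does to an account that is already enabled:
    print(f"0x14 - 1 = 0x{minus_one(0x14):02x} {decode_acb(minus_one(0x14))}")
```

The practical point is in `enable_in_buffer`: decide from the bit, not from "is the number odd", and write back with a bitwise clear so that re-running the edit on an account that is already enabled does nothing. `decode_acb` is also a handy way to read off the rest of the flags (password never expires, no password required) before deciding what state to leave the account in afterwards.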