Windows Password Recovery Without Third Party tools

Windows Password Recovery Without Third Party tools

We often come across with a situation which needs us to logon to a Windows machine with local credentials and sometimes we are not equipped with the password of local Administrator ID or any other Local ID from that particular system.

There are many third party tools available on internet which lets you reset the password of local accounts but most of the System Admins are always reluctant to use any third party application for any kind of recovery options unless they are 100% sure of what that tool does and how.

There are trusted ways of resetting Windows Local ID’s passwords without using any third party application and here are the steps outlined:

What you need:

• Bootable USB Drive or ISO of Windows 7/8/2008/2012
• One or two reboots of the system.

I hope a bootable ISO is readily available with almost every system administrator but if you want to go with a Bootable USB drive then please follow my another post which describes how to create a bootable USB drive from any Windows ISO (Windows 7 or above only).

Creating Bootable usb disk : http://adminthing.blogspot.in/2016/02/install-windows-from-usb-drive.html

Once you have the Bootable disk (ISO/USB) ready.

• Insert the ISO/USB disk to the system and make sure it has been configured to first boot from ISO/USB device.
• Boot the machine with Bootable disk.
• Proceed to enter Recovery options and Open Command Prompt window or to open Command prompt you can press Shift + F10 when you are presented with Install Windows screen.

Install Windows Screen

Command Prompt Opened after pressing Shift + F10

• Once you have opened the Command Prompt, Go to C: Drive, this drive letter can vary depending on the number of drives present on your machine and you may need to find out which is the original drive where OS is originally installed.
• Under C:\Windows\System32 rename a file named Sethc.exe to Sethc.exe_OLD  
• Copy CMD.EXE to Sethc.exe

Please note that if you are not able to see the OS Disk in this Recovery Environment then please refer to another article (here) that has been published which shows how to load Hard Disk controller drivers in Recovery environment.

Rename File Operations

• After the file rename operation complete successfully, Exit the command prompt window and hit Esc to exit the installation window, Upon prompting to cancel installation click Yes and restart the machine.

Exit Installation Screen

• Now remove Bootable device (USB/ISO) and Boot the Machine normally.
• Once the machine boots up properly, open console of the machine depending on machine type (Vmware Console/Idrac/ILO/RSA/IMM)

Normal booted Machine:

• On the login screen Press Shift key 5 Times and you will be presented with a Command prompt window.

• Now you are in full control of the machine and you can Create a New user ID, Reset any exiting User’s Password, add user to local groups and so on.

Normal booted Machine with Command prompt open without logging in:

 

Here is an example of adding new User and Resetting Existing user’s password as shown in the above Image:

At Command prompt:

• List local users on that machine:

Net User

• Create new User:

            Net User /add TestUser1 Password123

• Add user to Local Administrators Group:

            Net localgroup administrators /add TestUser1

• Reset existing user’s Password:

            Net user TestUser1 Password@098

Now We can logon to the Machine with newly created user ID or with the Password we have reset for the existing user.

Disclaimer Note: Above steps have been executed several times and found working even in production environments on OS Windows 7 and above, Please follow the steps at your own wish/risk, Blogger will not be held responsible for any loss in data/systems that may have been caused while following this. 
Note: Don't forget to replace the files back with their originals names to avoid security risks.