Changing Windows account passwords and enabling the local Windows admin account

Recently, I needed to get into a client’s computer (running Windows 8) in order to fix a few problems. Having forgotten to ask for the most obvious piece of information I needed (the account password), I decided to work around it. The account he used day to day was tied to a Microsoft Live account rather than being local to the machine, so instead of changing that account’s password, I chose to activate the local Windows Administrator account and set a password for it. This method was tested on Windows 7 and Windows 8, but it should work on all modern versions of Windows (including XP, Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10).

Before jumping into the procedure, you’ll want to grab a copy of a Linux live CD. You can really use any distribution, but I prefer the SystemRescueCD, because it is simple, lightweight, and based on Gentoo (my preferred distribution). There are instructions on that site for burning SysRescCD to a CD, or installing it on a USB drive. It would also be helpful for you to know the basics of the Linux CLI, but in case you don’t, I’ve tried to use exact commands as much as possible. Now that you’re ready, here are the steps:

  • Boot the System Rescue CD (or any Linux live CD of your choice)
  • Find the disk partition that contains the Windows installation (probably on the primary disk, which is /dev/sda):
    • fdisk -l /dev/sda
    • Look for the partition that has a type of “Microsoft basic data” or “HPFS/NTFS/exFAT”; failing that, it is most likely the largest partition on the drive (probably a few hundred GB or more)
    • For the sake of ease, we’re going to say that’s /dev/sda5, but anywhere you see that device name in the following steps, replace it with the partition that you actually found with fdisk
  • Make a temporary directory for Windows, fix the Windows hibernation problem, and mount the partition:
    • mkdir -p /mnt/win/
      ntfsfix /dev/sda5
      ntfs-3g -o remove_hiberfile /dev/sda5 /mnt/win/
    • NOTE: Don’t run the ntfsfix command or use the -o remove_hiberfile option unless you are unable to mount the partition due to an error like:

      The disk contains an unclean file system (0, 0).
      Metadata kept in Windows cache, refused to mount.
      Failed to mount ‘/dev/sda5’: Operation not permitted
      The NTFS partition is in an unsafe state. Please resume and shutdown
      Windows fully (no hibernation or fast restarting), or mount the volume
      read-only with the ‘ro’ mount option.

      Otherwise, the Microsoft filesystem check may run when you boot back into Windows (which isn’t usually a big deal, but will take some time to run). Keep in mind that remove_hiberfile deletes the hibernation file, so any unsaved work in the hibernated Windows session is lost.

  • Go into the Windows system folder, swap some executable files, and get out of there:
    • cd /mnt/win/Windows/System32/
      mv cmd.exe cmdREAL.exe && mv sethc.exe sethcREAL.exe
      cp -v cmdREAL.exe sethc.exe
      cd ~ && sync && umount /mnt/win/
      init 0
  • The last command shuts down the system. Now, remove the CD or USB drive from the system, so that you can boot into Windows.
  • In the lower-left corner, click on the “Ease of Access” icon, which looks like this:
    • [image: Windows Ease of Access icon]
  • Turn on the “Sticky keys” option
  • Press the Shift key five times; because sethc.exe is now a copy of cmd.exe, this brings up a command prompt instead of the Sticky Keys dialog
  • At this point you have two options. If there is a local account you want to change, follow option 1. If there are only Microsoft Live (remote) accounts, you can enable the local Administrator account by following option 2.
  • 1. Changing the password for a local user:
    • Type net user to see a list of available user accounts
    • Type net user $USERNAME * (replacing $USERNAME with the desired username), and follow the prompts to set the password for that local user
    • NOTE: You can just hit the enter key if you want an empty password.
  • 2. Enabling the local Administrator account, and setting the password
    • Type net user administrator /active:yes to activate the local Administrator account
    • Type net user administrator * and follow the prompts to set the password for the local Administrator
    • NOTE: You can just hit the enter key if you want an empty password.
  • Now that you’ve taken care of the password, reboot the computer back into the System Rescue CD
  • Make a temporary directory for Windows, fix the Windows hibernation problem, and mount the partition:
    • mkdir -p /mnt/win/
      ntfsfix /dev/sda5
      ntfs-3g -o remove_hiberfile /dev/sda5 /mnt/win/
  • Undo the sethc.exe and cmd.exe changes:
    • cd /mnt/win/Windows/System32/
      rm -fv sethc.exe && mv cmdREAL.exe cmd.exe && mv sethcREAL.exe sethc.exe
      cd ~ && sync && umount /mnt/win
      init 0

Now when you power on the computer again (back into Windows), your new password(s) will be in place. If you followed option 2 from above, you’ll also have the local Windows ‘Administrator’ account active.
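As an added example (not part of the original post), here is a small POSIX shell check a defender or forensic examiner can run from the same rescue environment to confirm that a Windows volume is clean of what the steps above leave behind: a sethc.exe that is byte-identical to cmd.exe (or to a renamed cmd*.exe copy), a missing cmd.exe, and leftover cmdREAL.exe / sethcREAL.exe files. It assumes the mount point /mnt/win and partition /dev/sda5 from the steps above, and the demo builds a fake System32 tree with constructed stand-in files so it runs without a real Windows disk.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline check a defender or
# forensic examiner can run from the same rescue environment against a Windows
# volume mounted read-only, looking for what the sethc.exe swap leaves behind:
#   - sethc.exe byte-identical to cmd.exe (or to a renamed cmd*.exe copy)
#   - cmd.exe missing, or cmdREAL.exe / sethcREAL.exe left over from cleanup
# Mount point (/mnt/win) and file names are the ones used in the steps above.

# Print one line per finding for the volume mounted at $1; prints nothing if clean.
scan_system32() {
    sys32="$1/Windows/System32"
    if [ ! -d "$sys32" ]; then echo "ERROR: no System32 under $1"; return 0; fi
    if [ ! -f "$sys32/cmd.exe" ]; then echo "MISSING: $sys32/cmd.exe"; fi
    # Compare contents, not names: a swapped sethc.exe keeps its name but
    # carries cmd.exe's bytes, so a byte comparison is the reliable test.
    for f in "$sys32"/cmd*.exe; do
        if [ -f "$f" ] && [ -f "$sys32/sethc.exe" ] && cmp -s "$sys32/sethc.exe" "$f"; then
            echo "TAMPERED: sethc.exe is identical to $(basename "$f")"
        fi
    done
    for leftover in cmdREAL.exe sethcREAL.exe; do
        if [ -e "$sys32/$leftover" ]; then echo "LEFTOVER: $sys32/$leftover"; fi
    done
    return 0
}

# Number of findings as a single integer, for scripting.
count_findings() { scan_system32 "$1" | wc -l | tr -d ' '; }

# Self-contained demo on a constructed fake volume (no real Windows files):
# builds a clean System32, applies the swap from the steps above, then the undo,
# and reports the finding count at each stage.
demo_sethc_scan() {
    root=$(mktemp -d); sys32="$root/Windows/System32"; mkdir -p "$sys32"
    printf 'fake cmd.exe bytes\n' > "$sys32/cmd.exe"      # constructed stand-ins
    printf 'fake sethc.exe bytes\n' > "$sys32/sethc.exe"
    clean=$(count_findings "$root")
    ( cd "$sys32" && mv cmd.exe cmdREAL.exe && mv sethc.exe sethcREAL.exe \
      && cp cmdREAL.exe sethc.exe )                        # the swap
    swapped=$(count_findings "$root")
    ( cd "$sys32" && rm -f sethc.exe && mv cmdREAL.exe cmd.exe \
      && mv sethcREAL.exe sethc.exe )                      # the undo
    restored=$(count_findings "$root")
    rm -rf "$root"
    echo "$clean $swapped $restored"
}

# Real use from the rescue CD (read-only mount, so nothing on the volume changes):
#   ntfs-3g -o ro /dev/sda5 /mnt/win && scan_system32 /mnt/win
```

The demo prints the finding count for the clean tree, the swapped tree, and the restored tree in turn, so a non-zero final count means the cleanup in the last steps was not completed.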

Hope the information helps!

Cheers,
Zach
