Hacking Windows Password-Lab1

This document provides instructions for bypassing the Windows login screen and gaining administrator access by replacing the Utilman.exe file. It explains that Utilman.exe launches the accessibility options before login and can be replaced with cmd.exe to get a command prompt with full access. The steps include using a Windows installation disk to access the files, replacing Utilman.exe with cmd.exe, and rebooting to get the command prompt. From there, the document provides examples of how to reset passwords, create new user accounts, and revert the changes.

Uploaded by Joel John

HACKING WINDOWS PASSWORD

A: Bypass Windows Logons with the Utilman.exe Trick

Utilman.exe is a built-in Windows application that lets the user configure Accessibility options such as the Magnifier, High Contrast Theme, Narrator and On-Screen Keyboard before they log onto the system.
This was designed to help people with impaired sight, hearing or mobility log onto Windows themselves without outside help. It's a great feature for disabled people, but it opens up a security hole that we can take advantage of to bypass Windows logons.
Bypassing the Windows logon comes in handy if our clients have forgotten their logon password, their user profiles were corrupted, or malware was interfering with the system before login.

This works because the user can trigger Utilman by pressing Windows Key + U before Windows logon. This loads the Utilman.exe executable, which resides in the Windows\System32 directory. If you swap the Utilman.exe file with something else, like cmd.exe, you get a command prompt running with SYSTEM privileges. SYSTEM is the account with the highest possible privileges on Windows, similar to the root account on Unix systems.
Here are the step-by-step instructions on how to do this.

WARNING:
You can do a lot of damage to a system if you don't know what you are doing. Technibble accepts no responsibility if something goes wrong.

First of all, we will need a way to access the file system to swap out Utilman.exe with something else like cmd.exe. There are a few ways to achieve this:

• Remove the operating system hard drive from the target system and slave it into another system with a working operating system. From there you can swap out the files on the slave drive.
• Use a Boot CD like UBCD4Win and use the file management software there.
• Use the Windows Vista/7/8/10 DVD.

In this example we will be using the Windows 7 DVD.

1. To begin, boot from your Windows 7 DVD and when you reach the first screen asking about the language, currency and keyboard format, click Next. On the next page, down in the lower left-hand side, click on the "Repair your computer" link.

2. Next, select the "Use recovery tools that can help fix problems starting Windows. Select an operating system to repair" option, choose an operating system from the list and click Next.

3. You will now have an option to "Choose a recovery tool". Select Command Prompt. You should now have a Command Prompt window open. Type in the following commands:

4. Replace utilman.exe with cmd.exe:
    C:
    cd windows\system32
    ren utilman.exe utilman.exe.bak
    copy cmd.exe utilman.exe
This will switch to the C: drive, navigate to the system32 directory, rename utilman.exe to utilman.exe.bak, and make a copy of cmd.exe named utilman.exe.

5. Remove the DVD and reboot the system.

Once the computer boots up normally, press the key combination Windows Key + U and you should get a Command Prompt. If the Command Prompt doesn't appear, press Alt+Tab, as the Command Prompt may appear behind the logon screen. From here, you can run many (if not all) of the commands you can normally use in the Command Prompt.

Resetting an Existing User's Password

WARNING:
If you reset a user's account password, that user will permanently lose access to their encrypted files. Be sure to back these up first.

To reset an existing user's password, type the text below. In this example, we will be changing JohnDoe's password to "hunter2".
    net user JohnDoe hunter2
You should be able to log in with this new password straight away.

If you don't know what the username on the system actually is, you can see a list of the users by typing:
    net user

Creating a New User Account

To create a new user account in the Command Prompt (username: NewGuy, password: abc123) and add it to the Administrators group, type:
    net user NewGuy abc123 /add
    net localgroup Administrators NewGuy /add
Again, you should be able to log in straight away with this new account.

Reverting Changes
To restore utilman.exe, in the Command Prompt type in:
C:
cd windows\system32
del utilman.exe
ren utilman.exe.bak utilman.exe
Then reboot the system.
To remove the new user account you just created earlier, type in:
net user NewGuy /delete
That’s all there is to it.
B: Hack a Windows 7/8/10 Admin Account Password with Windows Magnifier

This how-to on hacking Windows 7/8/10 etc. admin account passwords using Windows Magnifier is focused on adding, changing, or deleting an admin-level account on a Windows 7/8/10 etc. machine. If you forgot or lost the password to your Windows Admin account, this guide will help with that. If you are trying to hack the computer lab at school, then you will need a different method.

Disclaimer: This is for use on a PC that you own. Breaking into someone else's PC is considered a serious crime in most places. If you make a mistake or change something else, your Windows may become non-bootable. If so, just undo whatever you changed outside of the hack shown here, and it will be back to normal. Need I say this is for educational purposes! You are responsible for your own thoughts and actions.

Prerequisites:
• Any Linux Live CD/DVD/USB with a Live option (e.g. Ubuntu Live, Linux Live, Kali, etc.).
• Ability to use said Linux CD/DVD/USB.
• Basic understanding of the Windows file structure, i.e. can navigate it.
• The desire to modify user account(s) on said Windows boxen.
• Physical access to said Windows box.
• Ability to use the BIOS if needed.
• Ability to use the command line and a basic understanding of net user commands.

Things to Note:
• If you are trying to hack a coworker / boss / job / school / customer / friend / spouse's account, you are screwed because they won't be able to use the old password anymore—try explaining that.
• This hack works on Windows 7, 8, 10 and basically any version that has "Ease of Access".
• Servers require "net user Administrator blabla /domain".
• This will destroy all data encrypted with EFS on the account if it's enabled (you have to enable it first).
• If you do not undo the hack after you change the password, you will get the Magnifier every time you use cmd, or nothing at all.
• If you modify or delete any other files in Sys32, your next boot-up is doomed (maybe).
• Scared? You should be. Now let's get hacking.

Step 1: Boot Some Flavor of Linux Live CD
Insert the CD/DVD into the drive and reboot the machine. Start your Live DVD. You may need to go into the BIOS screen and change the boot-up order to CD/DVD drive first, HDD second.

Step 2: Navigate to Sys32
Using the file browser in your Linux environment, navigate to %windir%/system32/. You may have to right-click and mount the Windows partition/drive first, or use the NTFS-3G command.

Step 3: Rename magnify.exe
Find and rename magnify.exe (the Magnifier file) to magnify.old.

Step 4: Rename cmd.exe
Find and rename cmd.exe to magnify.exe.

Step 5: Shut Down Linux & Reboot Windows
Log out, remove the DVD, and reboot into Windows.

Step 6: Get a CMD Prompt and Modify Accounts

When Windows reboots, click on the Ease of Access button in the bottom left corner.

Click Magnify and hit Apply. Ta da. You have a system-level command prompt. At this point we will only change the Admin password and not any of the 1000 other things that could be done from here!

Tip: You can right-click on cmd.exe and click "Run as administrator" inside Windows for escalated privileges. Editing files this way, though, would never be allowed at the basic admin level (caution).
[Image: hacked system-level command prompt. -Cx2H]
As the photo above shows, type net user to get a list of accounts. To get to the point, type: net user administrator *

Your Options (Choose One That Applies):

Change Password:
    net user username new_password
When you do so, the password changes without prompting you again.

Add an account:
    net user username password /add
Tip: If your username has a space, like John Doe, use quotes: "John Doe".

Admin that:
    net localgroup administrators username /add

Delete that:
    net user username /delete

Remote Desktop Users group (just in case):
    net localgroup "Remote Desktop Users" UserLoginName /add
The group name contains spaces, so it must be quoted.

Net User Syntax Reference:
net user commands

Domain, i.e. Servers:
net user for domain

Step 7: Reboot Linux & Fix magnify.exe

Now you should insert your Linux Live CD/DVD and rename the files back to their original names, or you will have issues later.

1. Repeat Step 1
2. Repeat Step 2
3. Rename magnify.exe back to cmd.exe
4. Rename magnify.old back to magnify.exe
5. Log out, take out the CD/DVD/USB, reboot into Windows
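Both part A (utilman.exe) and part B (magnify.exe) leave the same artifact behind: a System32 accessibility helper that is really cmd.exe, plus a renamed backup of the original. The following PowerShell check is added here and is not part of the lab document; it flags that state on a machine you administer. The function name Test-AccessibilityBinaries and the helper list are my own choices, and it assumes an elevated prompt on PowerShell 4 or later.

```powershell
# Added example (not from the lab): detect a swapped accessibility helper.
function Test-AccessibilityBinaries {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

    # Helpers the logon screen can start before anyone authenticates.
    # utilman.exe and magnify.exe are the two this document replaces;
    # narrator.exe and osk.exe back the other options it names.
    $helpers = 'utilman.exe', 'magnify.exe', 'narrator.exe', 'osk.exe'

    foreach ($name in $helpers) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $name; Finding = 'missing' }
            continue
        }
        $item = Get-Item $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

        # Check 1: byte-identical to cmd.exe, which is exactly what
        # "copy cmd.exe utilman.exe" produces.
        if ($hash -eq $cmdHash) {
            [pscustomobject]@{ File = $name; Finding = 'identical to cmd.exe' }
        }

        # Check 2: the version resource names a different binary. A renamed
        # cmd.exe still carries OriginalFilename "Cmd.Exe", and its catalog
        # signature stays valid because catalogs match on hash, not on file
        # name, so a signature check alone would not flag it. -ne is
        # case-insensitive for strings in PowerShell.
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -and ($orig -ne $name)) {
            [pscustomobject]@{ File = $name; Finding = "OriginalFilename is '$orig'" }
        }
    }

    # Check 3: leftovers the lab creates show that a swap happened.
    foreach ($left in 'utilman.exe.bak', 'magnify.old') {
        if (Test-Path (Join-Path $system32 $left)) {
            [pscustomobject]@{ File = $left; Finding = 'backup copy of a swapped helper' }
        }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

Because both labs make the swap from outside the running OS, this script only detects the change after the fact; full-disk encryption such as BitLocker is what prevents an offline file replacement in the first place.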
