Reset UEFI Windows 10 admin password with boot CD?

cyclone3d

Having a dilemma... Trying to reset the admin password on a Windows 10 PC at work so I can remove and re-add to the domain.

So far I am having no luck.

Tried:
Hiren's boot CD - will not even find the Windows partition
chntpw boot CD - same issue
Ubuntu live CD and chntpw - finds and mounts the Windows 10 partition just fine, but says that Windows 10 is in a hibernation state even though it isn't (so it will not remount with r/w access).

I did get chntpw to appear to work 1 time, but it didn't actually do anything.

I have tried booting up Windows and shutting down. Thinking that maybe Windows 10 is using the lame quick-boot .. a.k.a hibernation even though there is no quick-boot option in the BIOS.

HALP!
 
did you turn off hibernation in the os

admin cmd

powercfg -h off
 
you have to change the boot mode and do a little file changing. this should get it going:
https://community.spiceworks.com/ho...word-on-uefi-boot-protected-pc-win8-and-newer

Thanks. I'll try that tomorrow. I did see that post on that same exact page already, but was hoping for a way that didn't involve me swapping out files.

did you turn off hibernation in the os

admin cmd

powercfg -h off

Can't really do that if I can't log into Windows. I generally do that on all builds when I image them, but I guess I forgot this one.
 
pendragon1
That worked. Took a stupid amount of time to find commands that actually worked to find working commands to be able to mount the "hibernated" ntfs volume in write mode.

Most everything out there is severely outdated.
 

Glad to see you found a solution.

Please post the commands you used to resolve the situation so others can use them in the future.

Thanks.
 
Ok, here is the current working process.

How to enable and reset the local administrator password for Windows 10

1. Create Ubuntu live CD or USB stick
a. Download Ubuntu Desktop: https://www.ubuntu.com/download/desktop
b. Burn to CD or USB - Rufus works well to burn to USB: https://rufus.akeo.ie/

2. Disable UEFI in BIOS if it is enabled

3. Boot Ubuntu live CD/USB - select "Try Ubuntu"

4. Open file browser and make note of the Windows ntfs partition id and then right click on it and unmount.

5. Open terminal and enter these commands:
a. To mount the drive -

sudo mkdir /mnt/ntfs (or whatever directory you want to use)
sudo mount -t ntfs-3g -o remove_hiberfile (ntfs partition id - mine was /dev/sda3 ) /mnt/ntfs (if it claims it is in a hibernated state, it will fall-back to read only unless you force it - if it doesn't mount properly, you will have to reboot and start over - much easier to just enter this command instead of trying it without removing the hibernation file)

b. To set up Windows to be able to reset the administrator password (case matters)
This swaps the assistive program at the login screen with a command prompt

cd /mnt/ntfs
cd Windows
cd System32
mv Utilman.exe Utilman.exe.bak
cp cmd.exe Utilman.exe

6. Reboot, go into BIOS and re-enable UEFI if you disabled it in step 2.

7. Boot to Windows

8. Click the Assistive button at the login screen (middle button in the bottom right hand corner of the screen)
It should bring up a command prompt.

9. Enter these commands to enable and reset the administrator account password

net user administrator /active:yes
net user administrator * ( This will prompt you for the new password - any password policies already on the computer will need to be followed)

10. Reboot the computer and verify that you can log in to the local administrator account.

Now you need to change the files back to the original configuration. You can sort-of do this through Windows, but you will not be able to restore the proper ownership to Utilman.exe so that is why we are going to do it through Ubuntu.

11. Follow steps 2 through 5 up till you are in the System32 folder.
Enter these commands to change back to the original configuration (for security purposes - you don't want everybody to be able to change the administrative password)

rm Utilman.exe
mv Utilman.exe.bak Utilman.exe

12. Reboot and go back into the BIOS and re-enable UEFI if you previously disabled it.

13. Exit BIOS and you should be in business.
 

Thanks! I'm sure someone will find this helpful!
 
glad you got it goin!
 
You can use a Windows 10 install disk to remove the forgotten password:
https://www.top-password.com/blog/reset-windows-10-password-with-sticky-keys/

The steps are similar with your method, but you don't need to mount the hard drive by performing complex commands.
We can download the media creation tool from Microsoft, and it lets you directly download Windows 10 ISO image and create a UEFI bootable CD/USB:
https://www.microsoft.com/en-gb/software-download/windows10

Hope this information could also be helpful!
 

I know this is an old thread having been resurrected, but I am surprised no one else thought of this solution.
 
So, if you replace the sticky keys executable, you can run an arbitrary executable with admin privileges by pressing shift 5 times without being logged in?
 
Someone with physical access to a machine is already in a much better position to get around security regardless of OS.
 
Yup, that's the old adage of computing/networking. If someone has physical access to your device, all security does is delay intrusion, not prevent it.
 
To prevent the sticky keys trick, you can turn on BitLocker encryption on all drives which will encrypt all sector data.
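
A check for the file swap discussed in this thread, as an added example that is not part of any poster's message: it audits an offline-mounted System32 directory for a Utilman.exe or sethc.exe that is a copy of cmd.exe, and for leftover .bak files. The function names and the sample tree are constructed for illustration; a byte comparison only catches a plain cmd.exe copy, so comparing against known-good hashes is the stronger check.

```shell
#!/bin/sh
# Added example (not from the thread): audit an offline-mounted System32
# directory for the Utilman.exe/sethc.exe swap and leftover backups.
# The two names below are the ones this thread mentions; case matters
# on an ntfs-3g mount.
ACCESS_BINS="Utilman.exe sethc.exe"

# audit_system32 DIR: prints one line per finding.
# Returns 0 if clean, 1 if anything was found, 2 if DIR is unusable.
audit_system32() {
    dir=$1
    rc=0
    if [ ! -f "$dir/cmd.exe" ]; then
        echo "ERROR    $dir/cmd.exe not found (check path and case)" >&2
        return 2
    fi
    for name in $ACCESS_BINS; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
        elif cmp -s "$dir/$name" "$dir/cmd.exe"; then
            echo "REPLACED $name is byte-identical to cmd.exe"
            rc=1
        fi
        if [ -e "$dir/$name.bak" ]; then
            echo "LEFTOVER $name.bak still present"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_tree DIR STATE: constructed stand-in files, not real binaries.
# STATE is "swapped" (as after step 5b) or "restored" (as after step 11).
make_sample_tree() {
    mkdir -p "$1"
    printf 'constructed cmd.exe bytes\n' > "$1/cmd.exe"
    printf 'constructed sethc.exe bytes\n' > "$1/sethc.exe"
    printf 'constructed Utilman.exe bytes\n' > "$1/Utilman.exe"
    if [ "$2" = "swapped" ]; then
        mv "$1/Utilman.exe" "$1/Utilman.exe.bak"
        cp "$1/cmd.exe" "$1/Utilman.exe"
    fi
}

# Audit a real mount when a path is given, e.g. /mnt/ntfs/Windows/System32
if [ "$#" -gt 0 ]; then
    audit_system32 "$1"
fi
```

Run it from the live session after step 11, before rebooting, to confirm the restore actually happened.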
 