Reset UEFI Windows 10 admin password with boot CD?

Discussion in 'Operating Systems' started by cyclone3d, Apr 30, 2018.

  1. cyclone3d

    cyclone3d [H]ardForum Junkie

    Messages:
    12,677
    Joined:
    Aug 16, 2004
    Having a dilemma... Trying to reset the admin password on a Windows 10 PC at work so I can remove and re-add to the domain.

    So far I am having no luck.

    Tried:
    Hiren's boot CD - will not even find the Windows partition
    chntpw boot CD - same issue
    Ubuntu live CD and chntpw - finds and mounts the Windows 10 partition just fine, but says that Windows 10 is in a hibernation state even though it isn't (so it will not remount with r/w access).

    I did get chntpw to appear to work 1 time, but it didn't actually do anything.

    I have tried booting up Windows and shutting down. Thinking that maybe Windows 10 is using the lame quick-boot .. a.k.a hibernation even though there is no quick-boot option in the BIOS.

    HALP!
     
  2. pendragon1

    pendragon1 [H]ardForum Junkie

    Messages:
    10,624
    Joined:
    Oct 7, 2000
  3. Wild1

    Wild1 n00bie

    Messages:
    51
    Joined:
    Mar 13, 2018
    Did you turn off hibernation in the OS?

    admin cmd

    powercfg -h off
     
  4. cyclone3d

    Thanks. I'll try that tomorrow. I did see that post on that same exact page already, but was hoping for a way that didn't involve me swapping out files.

    Can't really do that if I can't log into Windows. I generally do that on all builds when I image them, but I guess I forgot this one.
     
  5. cyclone3d

    pendragon1
    That worked. Took a stupid amount of time to find commands that actually worked to be able to mount the "hibernated" ntfs volume in write mode.

    Most everything out there is severely outdated.
     
  6. Chuklr

    Chuklr Gawd

    Messages:
    720
    Joined:
    Nov 1, 2009
    Glad to see you found a solution.

    Please post the commands you used to resolve the situation so others can use them in the future.

    Thanks.
     
  7. cyclone3d

    Ok, here is the current working process.

    How to enable and reset the local administrator password for Windows 10

    1. Create Ubuntu live CD or USB stick
    a. Download Ubuntu Desktop: https://www.ubuntu.com/download/desktop
    b. Burn to CD or USB - Rufus works well to burn to USB: https://rufus.akeo.ie/

    2. Disable UEFI in BIOS if it is enabled

    3. Boot Ubuntu live CD/USB - select "Try Ubuntu"

    4. Open file browser and make note of the Windows ntfs partition id and then right click on it and unmount.

    5. Open terminal and enter these commands:
    a. To mount the drive -

    sudo mkdir /mnt/ntfs (or whatever directory you want to use)
    sudo mount -t ntfs-3g -o remove_hiberfile (ntfs partition id - mine was /dev/sda3 ) /mnt/ntfs (if it claims it is in a hibernated state, it will fall-back to read only unless you force it - if it doesn't mount properly, you will have to reboot and start over - much easier to just enter this command instead of trying it without removing the hibernation file)

    b. To set up Windows to be able to reset the administrator password (case matters)
    This swaps the assistive program at the login screen with a command prompt

    cd /mnt/ntfs
    cd Windows
    cd System32
    mv Utilman.exe Utilman.exe.bak
    cp cmd.exe Utilman.exe

    6. Reboot, go into BIOS and re-enable UEFI if you disabled it in step 2.

    7. Boot to Windows

    8. Click the Assistive button at the login screen (middle button in the bottom right hand corner of the screen)
    It should bring up a command prompt.

    9. Enter these commands to enable and reset the administrator account password

    net user administrator /active:yes
    net user administrator * ( This will prompt you for the new password - any password policies already on the computer will need to be followed)

    10. Reboot the computer and verify that you can log in to the local administrator account.

    Now you need to change the files back to the original configuration. You can sort-of do this through Windows, but you will not be able to restore the proper ownership to Utilman.exe so that is why we are going to do it through Ubuntu.

    11. Follow steps 2 through 5 up till you are in the System32 folder.
    Enter these commands to change back to the original configuration (for security purposes - you don't want everybody to be able to change the administrative password)

    rm Utilman.exe
    mv Utilman.exe.bak Utilman.exe

    12. Reboot and go back into the BIOS and re-enable UEFI if you previously disabled it.

    13. Exit BIOS and you should be in business.
     
    Last edited: May 3, 2018
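A check to run from the same Ubuntu live session after step 11, added here as an example and not part of the original post: it confirms on the mounted volume that no login-screen accessibility binary is still a byte-for-byte copy of cmd.exe and that no .bak file was left behind. The function name and the list of binaries beyond Utilman.exe are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a mounted Windows System32 directory for the
# cmd.exe-in-place-of-accessibility-tool swap described in step 5b.
# Usage: sh check_logon.sh /mnt/ntfs/Windows/System32

# Programs that can be started from the login screen before sign-in
# (assumed list; Utilman.exe is the one used in the post).
LOGON_BINARIES="Utilman.exe sethc.exe osk.exe Magnify.exe Narrator.exe"

# Prints one finding per line.
# Returns 0 if clean, 1 if anything was found, 2 if cmd.exe is absent.
check_logon_binaries() {
    clb_dir="$1"
    clb_findings=0
    if [ ! -f "$clb_dir/cmd.exe" ]; then
        echo "ERROR: $clb_dir/cmd.exe not found" >&2
        return 2
    fi
    for clb_name in $LOGON_BINARIES; do
        if [ ! -f "$clb_dir/$clb_name" ]; then
            # e.g. the mv ran but the cp or the restore did not
            echo "MISSING $clb_name"
            clb_findings=1
        elif cmp -s "$clb_dir/$clb_name" "$clb_dir/cmd.exe"; then
            # Byte-identical to cmd.exe: the swap is still in place
            echo "SWAPPED $clb_name is identical to cmd.exe"
            clb_findings=1
        fi
        # A leftover backup means the restore step was never completed
        if [ -f "$clb_dir/$clb_name.bak" ]; then
            echo "LEFTOVER $clb_name.bak"
            clb_findings=1
        fi
    done
    return "$clb_findings"
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_logon_binaries "$1"
fi
```

A non-zero exit status with a SWAPPED or LEFTOVER line means steps 11 onward still need to be done on that machine.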
  8. Chuklr

    Thanks! I'm sure someone will find this helpful!
     
  9. pendragon1

    glad you got it goin!
     
  10. Capper

    Capper n00bie

    Messages:
    2
    Joined:
    May 1, 2018
    You can use a Windows 10 install disk to remove the forgotten password:
    https://www.top-password.com/blog/reset-windows-10-password-with-sticky-keys/

    The steps are similar with your method, but you don't need to mount the hard drive by performing complex commands.
    We can download the media creation tool from Microsoft, and it lets you directly download Windows 10 ISO image and create a UEFI bootable CD/USB:
    https://www.microsoft.com/en-gb/software-download/windows10

    Hope this information could also be helpful!
     
  11. ManofGod

    ManofGod [H]ardForum Junkie

    Messages:
    9,768
    Joined:
    Oct 4, 2007
    I know this is an old thread having been resurrected but, I am surprised no one else thought of this solution.
     
  12. Frobozz

    Frobozz [H]ard|Gawd

    Messages:
    1,798
    Joined:
    Feb 15, 2002
    So, if you replace the sticky keys executable, you can run an arbitrary executable with admin privileges by pressing shift 5 times without being logged in?
     
  13. Algrim

    Algrim [H]ard|Gawd

    Messages:
    1,284
    Joined:
    Jun 1, 2016
    Someone with physical access to a machine is already in a much better position to get around security regardless of OS.
     
  14. MikeRotch

    MikeRotch Limp Gawd

    Messages:
    384
    Joined:
    Aug 23, 2013
    Yup, that's the old adage of computing/networking. If someone has physical access to your device, all security does is delay intrusion, not prevent it.
     
  15. Capper

    To prevent the sticky keys trick, you can turn on BitLocker encryption on all drives which will encrypt all sector data.