Breaking into Windows 10 locally
Note that this technique may be patched in the latest versions of Windows 10 (or whatever version of Windows is current when you read this). It may also be detected and automatically mitigated by antivirus software. If so, this article is kept for archival reasons.
This technique requires a Windows 10 installation ISO, Windows PE, or a Linux live CD.
From time to time you may find that you’re locked out of your account in Windows. Well… if you have local access to the machine (meaning you can force a reboot and pick a temporary boot device) then there is a convenient weakness still present in Windows after all these years that will let you break in. Strictly speaking it is less a bug than a consequence of an unencrypted system volume: anyone who can boot other media can edit the files in System32, and Windows will run whatever it finds there. If the volume is protected by BitLocker, the offline edit below is not possible without the recovery key.
Insert your installation media and reboot, following the instructions for your BIOS to choose a temporary boot device, and select the installation media. If using a Windows 10 installation ISO, choose the Repair your computer option. Choose Troubleshoot, then Advanced Options, then Command Prompt. Then run the following commands:
diskpart
list volume
You’ll have to deduce which volume is the system volume, using trial and error (type exit to leave diskpart and get back to the command prompt, then list the contents of each candidate drive letter). In my test case there was a 35GB volume mounted on D:, so when I listed the contents of that volume I found the Windows system folder right away, indicating this is the system volume. Note that drive letters in the recovery environment usually differ from the ones the installed Windows uses.
Having identified the volume that contains the Windows system (for example D:), we’re going to take advantage of the way that Windows accessibility tools can be launched from the login screen, before any user has logged in. The Sticky Keys tool is simply an executable in the Windows System32 directory called sethc.exe. When Shift is pressed five times at the login screen, winlogon launches that executable by path, as SYSTEM, without checking that the file really is the Sticky Keys helper. So we can trick the login screen into launching any executable we like by giving it the name sethc.exe and placing it in the same path.
To start with, let’s keep a backup copy of sethc.exe in case we want to restore it later (…maybe accessibility is important to your users!)
ren D:\Windows\System32\sethc.exe sethc.exe.bak
While we can cause any executable to be launched from the login screen, the most versatile choice is cmd.exe. Make a copy and name it sethc.exe (this is a cmd.exe prompt, so the command is copy, not cp):
copy D:\Windows\System32\cmd.exe D:\Windows\System32\sethc.exe
And with that you’re set to reboot and regain your access! When you’re back at the login page of your existing Windows installation, press Shift five times to trigger the launch of our impersonating sethc.exe (really cmd.exe). Alternatively you can launch Sticky Keys from the accessibility menu icon in the lower right. Doing so should present you with a command window running as SYSTEM, which is more than local Administrator. From here you can enable the built-in Administrator account and set its password:
net user Administrator [password] /active:yes
Since the built-in Administrator account has local administrator permissions, and you know its password now (since you just set it), you can log in and take any action you need to, such as resetting the password on any user account, creating a user account, or whatever.
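Once you are back in, you will want to put the real sethc.exe back, and as an administrator you will want a quick way to tell whether a machine has already been treated this way. The following script is an added example, not code from the original article: it audits the accessibility helpers that the login screen launches as SYSTEM and, with the -Restore switch, undoes the swap using the sethc.exe.bak left by the procedure above. It goes slightly beyond the text in that it checks utilman.exe (the accessibility icon in the lower right) and the other Ease of Access helpers reachable from the same screen, since they can be swapped exactly the same way. The -SystemRoot and -Restore parameters are this script's own invention; takeown and icacls are the standard Windows tools. It assumes an elevated PowerShell on the booted machine, or a WinPE image that includes PowerShell with -SystemRoot pointed at the offline volume (for example D:\Windows).

```powershell
<#
  Added example (not from the original article): audit the login-screen accessibility
  helpers for the sethc.exe swap described above, or restore sethc.exe from sethc.exe.bak.
  Assumptions: run elevated on the live system, or from WinPE with PowerShell and
  -SystemRoot pointing at the offline Windows directory (e.g. D:\Windows).
#>
[CmdletBinding()]
param(
    [string]$SystemRoot = $env:SystemRoot,   # hypothetical parameter: which Windows install to inspect
    [switch]$Restore                         # hypothetical switch: move sethc.exe.bak back into place
)

$sys32 = Join-Path $SystemRoot 'System32'

# sethc.exe handles Shift x5; the others sit behind the Ease of Access icon on the same
# screen and are launched by winlogon the same way, so they are worth checking too.
$helpers = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'

if ($Restore) {
    $live = Join-Path $sys32 'sethc.exe'
    $bak  = "$live.bak"
    if (-not (Test-Path -LiteralPath $bak)) { throw "Nothing to restore: $bak not found" }
    if ($SystemRoot -eq $env:SystemRoot) {
        # On a running system the file is owned by TrustedInstaller, so even an
        # administrator must take ownership before overwriting it. *S-1-5-32-544 is the
        # Administrators group by SID, which also works on localized Windows builds.
        & takeown.exe /f $live | Out-Null
        & icacls.exe $live /grant '*S-1-5-32-544:F' | Out-Null
    }
    Move-Item -LiteralPath $bak -Destination $live -Force
    Write-Output "Restored $live from $bak"
    return
}

# Reference hash of the binary the article swaps in. Any helper with the same hash
# is a straight copy of cmd.exe.
$cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $sys32 'cmd.exe')).Hash

foreach ($name in $helpers) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $issues = @()

    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    if ($hash -eq $cmdHash) { $issues += 'byte-identical to cmd.exe' }

    # A renamed binary keeps its own version resource: a copied cmd.exe still reports
    # OriginalFilename "Cmd.Exe" even though it now lives as sethc.exe.
    $origName = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    if ($origName -and ($origName -ne $name)) {
        $issues += "version resource OriginalFilename is '$origName'"
    }

    # A copied Microsoft binary is still validly signed, so a bad signature only catches
    # a third-party payload dropped in place of the helper, not the cmd.exe trick itself.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') { $issues += "Authenticode status $($sig.Status)" }

    # The procedure above leaves the original beside the fake; its presence is a giveaway.
    if (Test-Path -LiteralPath "$path.bak") { $issues += "$name.bak left beside it" }

    $status = if ($issues) { 'SUSPECT: ' + ($issues -join '; ') } else { 'ok' }
    [pscustomobject]@{
        File   = $name
        SHA256 = $hash.Substring(0, 16) + '...'
        Status = $status
    }
}
```

Run it with no arguments after logging back in to see which helpers are flagged, then run it again with -Restore to put the original sethc.exe back. The hash comparison is the decisive check for the exact trick in this article; the OriginalFilename and .bak checks are there so that a swap using a different payload, or one where cmd.exe has since been updated by Windows Update, still stands out.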