Windows Password Recovery

Overview

A password is meant to protect our computer and our data from unauthorised access but when we forget our password as often happens, we end up locking ourselves out of our computers. Here are the steps to perform an emergency Windows password recovery on your computer using a Linux image you can download for free from any number of websites.

For best results, your computer should meet the following requirements:

• The computer should not be part of a domain – domain accounts cannot be recovered this way*
• The Operating System should be either Windows 7 or Windows Vista
• There should be no EFS-encrypted files as these files will not be accessible after this is done

* This can still be used on domain PCs to create a user name to enable you to recover your files, however the original account cannot be recovered.

The Linux image should be loaded onto removable media like a DVD or USB stick. You can use any of the following free Linux images:

• Ubuntu: https://www.ubuntu.com/download
• Debian: https://www.debian.org/CD/
• Fedora: https://getfedora.org/en/workstation/download/
• Others: https://livecdlist.com

As for me, I’m using the Parted Magic recovery DVD available to buy here for $9 USD:
https://partedmagic.com/downloads/

Windows Password Recovery

The following steps will detail the exact procedure for using Parted Magic to swap the command line interpreter executable file with the accessibility menu for the purpose of running user management operations from the Windows login screen.

1. Boot into Linux

Insert the Parted Magic DVD (or USB stick) and restart your computer. Interrupt the normal startup and select another boot device. This is usually done by turning on the computer and continuously pressing the F12 key on your keyboard to get into the One-time Boot Device Selection Menu, though a lot of computers use a different procedure.

In most computers you can press the Del or F2 key to get into the BIOS menu. Once there, find the Boot menu where you select your first boot device. Set this temporarily to either your Optical (DVD/CD) drive or USB depending on what you’re using.

Once you’ve booted successfully into the Parted Magic disc, you’ll see the following screen:

Allow the operating system to load with default option or simply select Option 1.

2. Find the files

Once Linux is loaded, you’ll see a desktop. Find the ‘File Manager’ application and open it.

Find and open the disk containing your Windows directory. Since the disk labels may be different on all computers, the best way to find this is by opening each of the disks in the list under ‘Places’ until you see your ‘Windows’ directory in the list of files on the right.

Open the ‘Windows’ directory and find the ‘System32’ directory inside it. Inside ‘System32’ find a file called ‘Utilman.exe’.

3. Rename UTILMAN.EXE and replace it with CMD.EXE

Once you’ve found the file, right-click it and select ‘Rename’ from the context menu. The following window should appear:

Add ‘.bak’ to the end of the file name to indicate that it’s the backup of the original file.

Once finished, the file should look like this:

Next, find the file ‘cmd.exe’ by scrolling up within the same directory. Right-click the file and select ‘Copy’.

Right-click anywhere within the ‘System32’ directory without clicking on a file and select ‘Paste’ to copy the ‘cmd.exe’ file into that location.

Since ‘cmd.exe’ already exists in the ‘System32’ directory, you should get the following screen:

You want to change the name of the copied file to ‘utilman.exe’ so type that into the text box and click ‘Rename’.

If you scroll down to find ‘utilman.exe’, you should see it next to the original file which you renamed to ‘utilman.exe.bak’.

4. Reboot into Windows

Now that the ‘Ease of Access’ menu file is replaced with the command line interpreter, you want to get back into Windows to use this exploit. Make sure the Linux disc or USB stick is no longer in your computer and find the menu that allows you to log out (typically the bottom left corner as seen below).

Select ‘Restart Computer’.

5. Open the Command Prompt

To use the Administrator Command Line Interpreter which you just created, find the ‘Ease of Access’ button in the lower left corner of the login screen below the user list.

When the button is clicked, a command prompt should appear with the title “Administrator: C:\Windows\System32\utilman.exe”.

Type in the command “net user” to get a list of user accounts on your PC as seen below.

Next, note down the user whose password you wish to remove and type in the following command:

net user <username> *

Replace “<username>” with the user name from the list. If your user has a space in the name, put the name in quotation marks like so:

net user “<user name>” *

The star character at the end results in the program asking you for a new password. This can either be the password you want to replace it with or it can be blank to remove the password completely.

6. Clean-up

To restore the computer to its original configuration as it was before we changed the files, put the Linux disc back in and repeat steps 1 and 2 again until you’ve found the ‘utilman.exe’ and ‘utilman.exe.bak’ files again.

You now want to delete ‘utilman.exe’.

After the file is deleted, right-click on ‘utilman.exe.bak’ and select ‘Rename’ from the menu.

Rename the file back to ‘utilman.exe’ like so:

Now remove the Linux disc and repeat step 4 to get back into Windows. The ‘Ease of Access’ button should display the ‘Ease of Access’ menu and you will now be able to get into the account with the new password you set.