How to Get Admin Access on Windows 10

How to Get Admin account Access on Windows 10

ATTENTION: This method apparently doesn’t work on Windows 10 Anniversary update reason being OS Compression. Subscribe for major update notification

Getting a shell on the box with the highest level of privileges is always one of the ultimate goals of a Penetration tester. However it it not always as simple as getting the physical access of the machine and get the Admin access.

But that’s not the case when you are in an office/college or school or accessing your friend’s laptop or in a cyber cafe which means you are having Physical access to the system.

This reminds me of a brilliant quote A.K.A Golden rule of Computer security

If a hacker has unrestricted physical access to your computer, it’s not your computer anymore

security

Want to know how ?

Keep reading…

There is a method called the Sticky-Keys method.

 

Very famous since Windows XP and surprisingly it still exist.

 

 

It allows your to reset Windows password and become the administrator without even knowing the previous password.

Scary, right ? Yes it is!

There are certain ways to do that

  1. Using Linux Live CD/USB
  2. Privilege escalation on compromised machine
  3. Kon-Boot
  4. Using Windows startup repair

We will go with the simplest of them all i.e Using Windows startup repair method

In this method we do not need to create a Linux bootable USB to get the system drive accessΒ  nor Kon-boot CD or Privilege escalation assuming that we don’t have access to the system in any way.

WARNING: I am NOT responsible for any expulsions or such if you do this at school/work!

This tutorial is for Educational Purposes Only

Let’s begin now

Step 0: Get physical access

Sounds pretty obvious.. duh!

Step 1: Restart the system

Press and hold the power button while booting until the system turns off (it won’t cause any damage).

or, on the login screen click on Power icon and press [Shift] + Restart. It’ll boot you into recovery mode.

Restart. Windows would launch an Automatic repair

Windows automatic repair

 

Step 2: Go to Advanced options

If you did it correctly, you should get this screen. Select “Advanced Options”

automatic repair advanced options

Step 3: Select Troubleshoot

troubleshoot

Step 4: Select System Image Recovery / Command Prompt

This will allow us to browse a recovery image on the Hard drive

Click on System Image Recovery and continue to Step #5.

system image recovery

or Click on Command Prompt

system image recovery

Type the following commands and Go to Step #13:

 

Step 5: Click Cancel

We do not want to Retry and find the system image. So, click Cancel

cancel

Step 6: Click “Next >”

next

Step 7: Click Install a driver

Option says “Locate and install driver…”. Let’s locate

install a driver

Step 8: Click “Ok”

Yeah, we will SELECT THE DRIVER.

add driver - ok

 

Step 9: Browse to C:/Windows/System32

By default X:/System32 is selected.Β  In order to make changes, go to System32 of Local Disk(C:) i.e the Windows drive.

Your system drive may vary

browse c drive-system32

Step 10: Clone cmd

Press CTRL-c and CTRL-v to make a copy of cmd

Use Keyboard only

clone cmd

Step 11: Rename sethc

Left click on sethc and press <f2> to rename sethc to sethc1

Right clicking anywhere lead me crashing the browsing window. May be Windows trying to defend, but we are going to get Admin access anyway.

rename sethc to sethc1

Step 12: Rename cmd – Copy.exe

Rename cmd – Copy to sethc

Press <f5> to see the changes made. Interface is kind of Lame.

rename cmd to sethc

Step 13: Continue to Windows 10 boot

Time to boot Windows 10…

continue to Windows 10

Step 14: Open command prompt [Sticky Keys Method]

Press <Shift>Β  5 times to launch command prompt (sethc.exe).

Note the title bar

open command prompt-sticky keys method

Step15: Reset admin password

Here we can reset password in 2 ways

  1. Using GUI
  2. Using command line

We’ll cover both

Step 1: open “control userpasswords2” interface

A Window will appear with User Names, select a user and click Reset Password…

rootsh3ll is a member of Administrators; See [Group] tab

control userpasswords2-reset password

Step 2: Reset password

Enter desired password and confirm.

New password is pass here

control userpasswords2-set new password

Step 1: Get administrators list

It will display list of all the accounts with administrator privilege

Step 2: Reset Password

Administrator and rootsh3ll are the 2 accounts in our case. Our target is rootsh3ll

To Reset any account’s password type:

net user-set password

Here “rootsh3ll” is the administrator account and “pass” is the desired password. You can set password of any length.

 

 

Step 16: Log in with new credentials

log in windows 10

Optional

Once you got the administrator level cmd shell, there are a number of interesting things that you can do. Not only using cmd but using Powershell also.

But I’ll keep this tutorial in its expected scope only.Rest I’ll leave up to you.

Let me know in the comments section what else you discovered after this step.

It may happen sometime that the administrator account is set to hidden, like in school/college labs to prevent a standard user to log in or perform a brute-force attack remotely(if admin. username is known)

So, to bypass this a potential attacker can Enable/Disable the admin account right from the Log in screen

1. Enable/Disable administrator account

rootsh3ll” is the Username.

net user-enable/disable hidden account windows-cmd

If STATUS=yes, Account is enable i.e visible to all users

If STATUS=no, Account is hidden

 

2. Create a hidden administrator account

 

Step 2.1: Create new user

Step 2.2: Set the account hidden

Step 2.3: Check admin account list

net user-create hidden user in windows from cmd

Step 2.4: Check hiddenuser‘s visibility

You’ll only see a list of enabled accounts. hiddenuser should not be shown in the list

 

Prevention from Sticky-Keys attack

Unless it’s a public machine (home/work),you can prevent this by adding disk encryption or even a BIOS boot password.

Just don’t forget them.

Also, Disable USB/CD/DVD from boot device priority, so that an attacker won’t be able to boot a Linux Live distro or a Windows recovery disk

In case you are not willing/authorised to perform any of them, you could also opt for disabling sticky keys(on Log in screen)

Why on Log-in screen specifically ?

As it turned out that disabling sticky keys right from your logged in account doesn’t stop sticky keys from pooping up at log-in screen (not lock screen, keep in mind), because the setting you might have changed in the setting would be applied for current user only.

 

 

But we need to apply it system wide. So that it won’t get called even when no account is logged in i.e on Log-in screen

 

Conclusion

Attacker successfully compromised the system getting the administrator level privilege by setting up a backdoor on the machine (hiddenuser), which owner is unaware of.

The reason this works is that Windows doesn’t check the integrity of the Sticky Keys executable and just runs it regardless.

Further attacks can be performed since the system is owned.

Sticky-keys method is applicable to Windows XP/7/8 also but due to change in automatic repair method the way to perform the attack differs. We’ll see that soon.

Stay Tuned.

 

Was this helpful ? Let me know about your experience. I would love to hear right from you in the comments

P.S: I respond to every comment

Next we will learn how to get root access on a Linux machine.

Keep Learning.

 

468
  • Jared Williams

    Awesome post. I will definitely be making sure everyone at my company adds a bios password now haha.

    • Thanks Jared πŸ™‚
      Also make sure booting from USB is also disabled. Just in case πŸ˜‰

    • UPDATE: You can now also disable sticky keys on log in screen, just in case adding a BIOS password isn’t an option πŸ˜‰

  • Razor Sharp

    Delete cmd and sethc(back up somewhere else) from system32……. It might help

    • Deleting cmd isn’t a good idea. It can cause many unnecessary issues in the system.

      It would be better if you encrypt the disk or block USB ports and prevent any potential attacker to physically access the system.

  • Chris Franklin

    I have Sticky Keys turned off (annoying for gaming and generally unnecessary), I’m assuming that would also stop it from being used in the lock screen.

    • Hello Chris,
      I also assumed that in first place. But it turned out that turning off sticky keys is a setting saved for a specific user.
      But when you press 5 times, on the Log-in screen (not lock screen), there is no user logged in at the moment hence no setting for sticky keys-off.

      That’s what caused cmd(sethc.exe) pop up on log-in screen.

      • Chris Franklin

        Damn πŸ™ Wasn’t sure if it was user specific or not. Should probably encrypt my disk at some point.

        • Will update the article soon as I find the fix for that. Haven’t seen an easy fix, but it would be very helpful in cases.

          Encrypting disk will still save you from a lot more attacks. Go ahead with it πŸ˜‰

  • Henri Virtanen

    You could just SET a new enviroment variable and try to hide cmd and sethc in a different folder. SET -command will reveal the location in the end though.

    It might be possible to start a service where you just simply unpack and replace these files at boot. Havent tried.

  • Aljanse

    My computer keeps restarting and doing automatic repair, and I can’t get it to work. Eventually I use PCUnlocker Live CD to clear the password and I can access my computer now. Thanks any way.

  • i cant access the cmd because windows 10 asks for admin password fisrt. I also cant access system repair with no password

    • You can try Linux Live USB/CD as an alternative.

    • Gurmeet Nakhwal

      Hey, i am facing same problem.Did you get the solution?

  • Codekses

    Will all the files and programs you previously installed still be there as if nothing ever happened?

    • Every thing will remain the same. Except the system password!

  • acejok3r

    can someone tell me why there is no local disk after i go look in for it there is only CD drive and thats it

  • acejok3r

    okay so my question is this i go to my account and try to get in through gui method and it doesnt let me change my password because i guess its an email ??? i also tried the cmd prompt through net localgroup administrators and found the admin name which was Red for me and then tried to get net user “Red” pass but gave me an error saying System error 8646 the system is not authoritative for the specified account….. i think this is because its a gmail account that was signed and thats why i cant log into it… is there any other way

  • acejok3r

    i made another account thorugh net user username pass /add. but say i still want to get into this account with the email is there a way i can perhaps see the password or change it. it doesnt let me use the gui method too because of the same reason… the account being not part of windows and part of gmail (email).

    • As you created a dummy(hidden) account to get Admin level system access, you can further try post exploitation to get desired data.
      Have a look at nishang (A powershell based framework for Post-Ex): https://github.com/samratashok/nishang

      For passwords in plain text: Invoke-CredentialPhish
      For Hash Dump: Get-PassHashes

      There’s a lot more in nishang to explore.

  • acejok3r

    This is unrelated but u seem to know a lot do u know how i can hafk a wifi password that i was never connected to. As in the network key is absent and ive been searching all i get is the netsh wlan show profiles cmd which is not what im looking for.

    • There are many scenarios under which A WiFi can be hacked.
      I have written a dedicated series on that, you can choose accordingly here:
      How to Hack a WiFi – Series

      Do let me know if you face any issue or need help πŸ™‚

  • TURTLE492348

    Does this still work today, almost September 2016?

    • It does, unfortunately πŸ™‚

      • TURTLE492348

        Wait, when i was trying step 1, Press and hold the power button while booting until the system turns off (it won’t cause any damage).
        Restart. Windows would launch an Automatic repair, it didn’t launch an automatic repair…. what am I doing wrong?

        I’m going to the menu and pressing power and then restart, and then I hold down the power button when the screen says restarting…. and when i turn it back on, it goes to my desktop

        • Make sure you are pressing power button while Windows is booting(when it shows the Windows logo)

          It’ll take a few tries to get into auto-repair.

          • TURTLE492348

            Oh okay, thanks! I’ll try this

            Will it ask me for admin password any time in the process if I do everything correctly?

          • It shouldn’t. That’s the point!. *T&C apply

            *Unless email login is used as a primary login method

          • TURTLE492348

            Wait, I just realized that when i reboot my computer, it doesn’t show the windows logo, but it shows HP instead, should that be when I’m holding down the power button?

          • It means Windows is installed in HP UEFI Environment.
            When you install Windows in Legacy BIOS, it shows original Windows logo, rather than OEM.
            It has nothing to do with power button though.

          • TURTLE492348

            Ok, so I tried a similar method to this on my Windows 7, and it works, so I know I can get into the admin account using this method… but the problem is, I’m not sure if it still works on my Windows 10?

          • Just test it on Windows 10 and be sure! πŸ™‚

          • TURTLE492348

            Alright, I’ll try it and see if it works, thanks! πŸ˜€

          • TURTLE492348

            I’m still having problems with Step 1, where I can’t seem to get the automatic repair screen… is there any other way to get to that screen possibly? Because I don’t completely understand what you meant by HP UEFI or Legacy BIOS, and the HP logo is the only one that appears before I go to my desktop

          • Here is another way to get into recovery mode(Attacker’s perspective):
            1. Start Windows 10
            2. On Login screen, click on Power button(Lower right probably)
            3. Press [Shift] + Restart

            Windows should now reboot and ask you for troubleshooting PC.
            And that’s Step 3

          • TURTLE492348

            Yeah, it does go to the Automatic Repair, however, when I do the system recovery image part, it asks me to login to the admin account to perform the system recovery image?

          • Few questions:
            1. Does the system uses email login ?
            2. Can you access Command Prompt without password
            3. What version of Windows you are using ?

            It won;t work if Windows uses email login. I have to look at it though.

          • TURTLE492348

            My account uses email login, but not the admin account

            I can access the standard user version of Command Prompt without password

            Windows 10

          • You can still create a new user with admin privileges. Just see the second image under Step 4, to get it work via CMD.

          • TURTLE492348

            How do I create a new user without having to know the admin’s password? It’s still asking me for admin password πŸ™

          • As you can access CMD without password, you have to create a copy of cmd.
            Just enter these commands in command prompt:

            c: #Change working directory to c: (may vary)
            cd WindowsSystem32 #Move to System32
            rename sethc.exe sethc1.exe
            xcopy cmd.exe sethc.exe
            exit

          • TURTLE492348

            Wait, if I’m running cmd as system32 right now, does that mean I have admin privileges?

          • Not. This just means you are in System32 directory. But you can still make changes to files as you are in recovery mode. So, basically you are the Administrator

            You need to point cmd to the System Drive(in which Windows 10 in installed, c: most probably) and then follow the commands to rename cmd.exe to sethc.exe.
            Follow from Step 15 onwards.

          • TURTLE492348

            Do I have to do the UEFI based installation thing? Because entering the commands into the cmd from my account doesn’t work, keeps saying access denied. I can only somewhat access system32 cmd, but that doesn’t work either πŸ™

          • I think you should. Please read this article by howtogeek:http://www.howtogeek.com/175649/what-you-need-to-know-about-using-uefi-instead-of-the-bios/

            I think it can help. Let me know if it does πŸ™‚

          • TURTLE492348

            I should be trying to enable the Legacy BIOS mode right? Or something else?

          • Yes. Try to enable Legacy BIOS.

            Try second one. Hope it works

          • TURTLE492348

            Sorry if this sounds dumb, but am I supposed to be enabling or disabling secure boot??

            It’s confusing when they talk about both and I’m getting all jumbled

          • No problem dear.

            You(attacker) need to disable secure boot or in other words, you need to enable Legacy(non-secure) BIOS.

            But as you were able run commands in cmd (recovery mode) this shouldn’t be needed AFAIK.
            Still, let me know if there’s any issue.

          • Phoenix Johnson

            What happens if you dont get it to do the auto-repair? will it not let you run the shift-restart thing? or will it require you use an admin password to continue? what happens?

          • If you are using USB stick or DVD to repair.. it won’t ask you for admin password

          • Phoenix Johnson

            Ok, thanks. Also, i read the article on UEFI vs. the regular BIOS and I tried what it was saying and when i went to the UEFI setting i found an “Administrator Password” option that let me change the password without having to change the boot type. I didn’t try it because it wasn’t on my computer and i didn’t want to make anyone mad, so i dont know if it actually works.

          • You can always test it on your friend’s machine😊

      • rdchase

        I tried this approach on Windows 10 pro a month ago, and it didn’t work.

        • Possible, if using a Microsoft account for login or Windows is installed on a UEFI-based system

  • doggo

    If you were to follow this step using the system startup repair etc. would for example the school IT guy notice that the system password is changed, isn’t this what he uses to login?
    Or does he have an own seperate admin account that works throughout all the school computers,
    because it seems all the users are on the same domain, so that would make sense’ish??
    I’m pretty noob at all of this, answers would be appreciated.

    • Of course, if the administrator’s password is changed, the school IT Guy would come to know this, as soon as he try to log into that system. To prevent that to happen you’ll create a hidden account with Administrator privileges. No matter how you get to create that, via a repair disc, Hacking remotely, method above, anything…

      • doggo

        Alright, now I understand a bit more.
        The only thing that I don’t fully understand is; if we are resetting the systems administrators password to then proceed to make a hidden account with administrator privileges, isn’t still the systems password reset, which leaves the trail?

        Or am I completely misunderstanding this method above?

        • You do not need to change the original Administrator’s password.
          Simply creating a new, hidden Administrator account would do the job.

          Just test it on a virtual environment and you’ll get it better than ever. πŸ™‚

          • doggo

            Oh ok!
            So if we change the systems password it doesn’t affect the original adminstrator account, which the IT guy uses, yes?

            I’ll try to go through with this method in about a weeks time, I’ll let you know how it goes with an update here.

            (Great help by the way, and it’s a very thorough and well made guide)

          • Absolutely correct!

            Thanks πŸ™‚
            Please share it with your friends if it works for you.

            #KeepLearning

          • doggo

            Another question has popped up in my mind while planning this out, my classes computers are being degraded to Windows 7 in the up coming week because some software license reasons, if I create this hidden account, will it go along with the degrade?

          • By degrading, most possibly they are installing fresh Windows 7. So yeah, everything will vanish.

          • doggo

            Yeah, also noticed that the system repair basically has everything locked down, so it is not possible to be done for me.

            I’m currently looking into tutorials of how to use Hiren’s Boot to gain access to the local administrator account, is this something you can recommend or have written a tutorial about?

          • Try KonBoot. It comes in a small package and works without any user interaction.

          • doggo

            So it is as easy as to just pay these 15$ and run it through an USB, and you get access to the local administrator account, without any traces?

          • Right!
            Hence the saying:
            Physical Access = root

  • Gurmeet Nakhwal

    Hi I have accidentally set my Administrator account as standard account and now when i am trying to switch back, it is asking me for admin rights which i apparently don’t have cause i forgot my password.

    are these instruction applicable in my problem as well?

    • Yes.
      On Windows login screen(Step 15) when you open cmd, type :

      net localgroup administrators {youraccountname} /add
      to set your standard account as administrator.

      • Gurmeet Nakhwal

        Hey, I am not able to do it. When we click on system image recovery. It restarts the system and ask for adminstrator password (which i don’t have)

        • Please try via CMD on the recovery screen and follow the commands on step 4(click next for commands under the image).
          Then continue from step 15 Onwards.
          It should work this way.

          • Gurmeet Nakhwal

            Not happening as i click on CMD. It is again asking me for administrator password.

  • The Last Melody

    This does not seem to work for me. Whenever I try to access command prompt or the system restore, it asks me for the admin password. Any advice?
    My account does not use the email login, but it is a domain account.

    • A lot of people is facing the same issue and I think the issue to be UEFI based system.
      As I do not have privilege to have a UEFI-based machine I can’t actually test it.
      Please connect on harry@rootsh3ll.com so that we can discuss and find out a solution much quicker.

  • NguyΓͺn

    It seem can only work with local account. I tried with mycrosoft account and it didn’t work

  • Eric Wei

    I wonder if the Best Buy employees will notice me doing this….. I wanna get on their password protected demo network for fun πŸ™‚

  • mmm

    When I press System Image Recovery, In next screen ask to choose account (Admin) and password.( Windows 10) Please help me

  • Luca

    Will this 100% percent work on a very old school computer? It wont be recognized or blow up? Also its Windows 10 Pro just to be clear

    • It will work if the system is running Windows prior to Windows 10 Anniversary update

      It will also work on systems >= Windows 7

      Tip: To reset Windows 10 password Anniversary Update, create a Bootable DVD/USB of Windows 10 and on install screen press shift+F10. now in cmd rename the files accordingly and you are good to go!

      • Dean Lu

        I have this exact problem (windows 10 anniversary update) and created a bootable usb of windows 10, but I have a few problems. First, the computer (a surface 3) doesn’t boot from the usb and I can’t change the boot order b/c the uefi is password protected, and second, where is the install screen you mentioned where you press shift+F10?

    • Aaron Kelly

      Whatsup are you looking for green?

  • Blake

    Wait.. So would the people be able to track it to me? Like if they gained access again, would they be able to track my computer?

    • Blake

      And is there a way to revert the process, so they don’t get suspicious that they can’t log in?

      • No they can’t track you as you are performing everything physically without using your computer.
        Although to prevent getting caught you can create a hidden user. So that you can login and the victim would be able to login with his/her account.

        • Dr.Chicken

          Ok thanks!

  • Comport Failure

    how do you reset everything you changed? like how we changed the name of CMD and sticky keys? is there a way to easily reset this?

    • Login as Administrator.

      Remove sethc.exe(copy of cmd.exe) and rename sethc1.exe to sethc.exe

      • Comport Failure

        thxs, for some reason now whenever i boot up, force shut down during boot up, my computer doesn’t open the automatic repair, and i have to have administrator permission to open the command prompt

        • You are probably running Windows 10 Anniversary update.
          Please try a Windows 10 Bootable USB/DVD to open the command prompt and rename files from there.
          You wouldn’t need the admin password then

  • Peter Earp

    i have a win 10 laptop nd its nov 9th 2016 and i tried this method and got stuck on part 4 as after clicking system recovery image it said u need to put in password for Dan administrator accound (im trying to get admin acc controls on my user one without my dad noticing) so i coudent proceed past step 4 please help!!!!
    EDIT: so i can download stuff without needing to put the admin pass (wich i dont know) in. (mainly games)

    • This technique doesn’t work on Windows 10 Anniversary update. to get to CMD without admin pass use Windows 10 bootable USB/DVD.

  • Delon Perry

    I can’t find Sethc

  • Max Li

    Hi, after step 4, I can’t open the command prompt and it makes me type in admin password. I already chrcked and I am using a Bios system.

    • You are probably using version of Windows 10 after Anniversary update. Unfortunately it is not vulnerable to recovery mode attack.

      But to recover the admin pass of this version you need to have a bootable USB/DVD of Windows 10.
      Join me on Gmail(iamrootsh3ll@gmail.com) if you need further assistance.

      • Max Li

        Ho if I use a bootable usb, will it lose all my files?

        • Take care while renaming the sethc & cmd.exe, rest is safe.

  • Chase Danoff

    Windows 10 did not work.. asked for admin creds. I had to boot from install disk then run CMD from that πŸ˜‰

    • Yes, It does not work on Windows 10 Anniversary update. Only recovery CD/USB with bootable windows 10 can do that, apparently there are other less time consuming methods as well, but not using Linux or this recovery method for Windows 10 (anniversary update).

      • Jay

        How would I go about getting a recovery CD/USB with bootable windows 10? Or links to the other less time consuming methods you mention? Thanks!

    • Ginger Uris

      I forgot my Windows 10 password and reset it easily with UUkeys Windows Password Mate.

      • I wonder whether UUKeys’ trial version allows you to reset the password or not. As full version is pretty expensive($29) for a small task.
        There are other free n easy methods also available online though.

  • Noah Martino

    On my school laptop it asks for an admin password to do any recovery options, and bootloader is locked with a non-removable supervisor password.

  • David Croxton

    I have Windows 10 OEM. Any fixes? So somehow I just lost my admin access and cant regain it back and on OEM you don’t have the same options as Home or Pro so I cant do what you have up there.

  • xtranndoom

    help it didnt worked i tryed like a 100 times

  • yaksha

    after the 4th step it is asking admin password,but i forgot the admin password.

    • You are probably using windows 10 anniversary update. You should try this with a live USB/DVD.

  • DominikReber

    Anyone knows if this os working on a Surface Pro 4 with Anniversary Update?
    If not, any other suggestions?
    And: If Bitlocker is enabled I am out of lucl right?

    • I think that using a bootable USB with Windows 10 on it could help you retrieve the password. Though I am not sure about the bitlocker enabled, you are probably out of luck!

  • Aryllia

    I’m kinda wondering if it would be worth all the effort to go through this just to force windows 10 to let me play a game I’ve already installed. The fucking system doesn’t let me run it with the “normal” admin privileges and I’m awfully close to throwing my laptop into the wall as it is.

    The effort would probably be better spent on going through the download and installation process AGAIN on a computer that is blessedly without the windows 10 virus. Why the heck I thought installing anything on the laptop would be a good idea is a good question, I should know better by now.

  • Markus Yu

    When I go to advanced options, the only thing that shows up is startup settings. Does this mean I cannot change the Admin password?

    • Yes. You cannot change under this scenario, but you can change if you do the same using a bootable USB/DVD.

    • Yes. You cannot change under this scenario, but you can change if you do the same using a bootable USB/DVD

    • tekrgcp

      Make a boot disk with UUkeys Windows Password Mate. Then boot from it, you will see a list of accounts. And you can reset the password for each account. This works quite fine on Windows 10/8/7.

      • I have 2 reasons to disagree with you:
        1. This article is targeted for tool-free admin password reset approach.
        2. UUKeys is a paid software(~ $30), where free version doesn’t allow you to make any changes to password.

        There are plenty of methods out there to do this job, like using tools, USB methods. All of them are free. I don’t think spending $30 on a product for this little task is worthwhile at all.

        • tekrgcp

          For advanced users, there are plenty of options. I totally agree with that. but for newbies, they are more concerned about the user experience.

          • Still $30 is too much. Kon-boot is far better option IMO.
            You don’t even need to reset the password. It just lets you in.

            And at last it all ends up with the marketing and SEO skills of the product. Be it a paid one or free. If it reaches the right person, they have to make their own choice.
            We can just provide better option.
            That’s all.

  • Pete Rossetti

    I get as far as the system image recovery – then it asks me for the password for the only admin account to proceed.
    Any way round this?

    If not is it possible to create the bootable USB on a mac – or do I have to do it in a windows environment

    • Yeah You should go for the Bootable USB method.

      This might be helpful to you: http://www.windowscentral.com/how-create-windows-10-installer-usb-drive-mac

      • Pete Rossetti

        Thanks will check it out looks hopeful

        • Let me know if it works fine!

          • Pete Rossetti

            Had a go but the options available in my BootCamp Assistant aren’t the same as mentioned in the article – no option to create an install disk. Tried the hack to edit the plist file but it seems to crash the app.

            So guess I have to get a windows machine with admin access πŸ™‚

            all the best

            Pete Rossetti

            peterossetti.net toryrulecountdown.org.uk/
            thepeoplesassembly.org.uk/ momentumcheshirewest.org.uk

            Skype: petefr
            Mob: +44 (0)7870 633684

          • This doesn’t seem to be a hard thing to get on the Mac App Store.
            Look around there must be some app available to do the job. As I don’t own a Mac I can’t surely say what would work.

  • PacoBell

    I dunno. I found the whole dicking around in the Troubleshoot menu to be a completely unnecessary complication when you clearly have access to a full Command Prompt. There you can rename files to your heart’s content without worrying about things crashing. Great tutorial, though. Really saved my bacon at work.

    • Hey,
      There are actually 2 reasons I included both the ways(GUI and CMD) in the article.

      1. Command line is like a nightmare to many people. They find it much easier to follow visually navigated instructions rather than few set of commands which they dont understand what it actually does.

      2. Sometimes Windows asks you for Admin password before accessing the command prompt. So it’s an alternative to rename the files and get the job done.

      So it is essential to look around and make a way.
      and
      Thanks for the appreciation mate.

  • spine

    Ok, so i am trying this on my own windows 10 laptop after someone got it and took admin from me. I got to step 4 and choosing either comand prompt or image recovery restarts the device and when it loads up it requires me to log into the admin account.

    • Are you using Windows 10 Anniversary update or creators update ?

  • Patrick Olausson

    I can’t make a copyright of ny cmd

    • Phoenix Johnson

      what exactly is happening? you might be having the same problem I did and i can help you.

  • James Hanson

    Im not sure if I can do this or not. Whenever I go to the command prompt or the image recovery section I have to login to an account?!

  • Phoenix Johnson

    When ever I try to rename the cmd copy it says I don’t have enough memory, and if I try to do it without renaming it says it doesn’t contain information on whatever and stuff.

  • Ben Watts

    Hi,

    Just tried this and when I choose either method of CMD or recovery image it asks for me to enter the admin password to continue should this happen ? Does this mean I will need to make a USB boot ?

    • Yes. you’ll have to create a Bootable Windows USB and try the CMD method to reset the password

  • jaskan

    right after system image recovery I need the admin pw!!! Is there anyway i can avoid this button?

  • alex

    i cant find sethc

Shares
Share This