windows 10 password reset 2017
Getting a shell on the box with the highest level of privileges is always the ultimate goal of a penetration tester. However, it is not always as simple as getting physical access to the machine and resetting the Administrator password.

But that’s not the case when you are in an office, college or school, accessing your friend’s laptop, or sitting in a cyber cafe, which means you have physical access to the system.

This reminds me of a brilliant quote, a.k.a. the golden rule of computer security:

If a hacker has unrestricted physical access to your computer, it’s not your computer anymore


Want to know how?

Keep reading…

There is a method called the Sticky-Keys method.

Very famous since Windows XP and, surprisingly, it still exists.

It allows you to reset the Windows password and become the administrator without even knowing the previous password.

Scary, right? Yes it is!

There are several ways to do this:

  1. Using Linux Live CD/USB
  2. Privilege escalation on compromised machine
  3. Kon-Boot
  4. Using Windows startup repair

We will go with the simplest of them all, i.e. the Windows startup repair method.

In this method we need neither a Linux bootable USB to get access to the system drive, nor a Kon-Boot CD, nor privilege escalation, assuming that we don’t have access to the system in any other way.

WARNING: I am NOT responsible for any expulsions or such if you do this at school/work!

This tutorial is for Educational Purposes Only

Let’s begin now

Step 0: Get physical access

Sounds pretty obvious.. duh!

Step 1: Restart the system

Press and hold the power button while booting until the system turns off (it won’t cause any damage).

Or, on the login screen, click the Power icon and hold [Shift] while clicking Restart. This boots you into recovery mode.

On restart, Windows launches Automatic Repair.

[Screenshot: Windows Automatic Repair]


Step 2: Go to Advanced options

If you did it correctly, you should get this screen. Select “Advanced Options”.

[Screenshot: Automatic Repair, Advanced Options]

Step 3: Select Troubleshoot


Step 4: Select System Image Recovery / Command Prompt

This will allow us to browse for a recovery image on the hard drive.

Click on System Image Recovery and continue to Step #5.

[Screenshot: System Image Recovery]

or click on Command Prompt

[Screenshot: Command Prompt]

Type the following commands and go to Step #13:

c:
rem Change working directory to C: (the drive letter may vary)
cd Windows\System32
rem Move to System32
rename sethc.exe sethc1.exe
xcopy cmd.exe sethc.exe


Step 5: Click Cancel

We do not want to retry and locate a system image, so click Cancel.


Step 6: Click “Next >”


Step 7: Click Install a driver

The option says “Locate and install a driver…”. Let’s locate.

[Screenshot: Install a driver]

Step 8: Click “Ok”

Yeah, we will SELECT THE DRIVER.

[Screenshot: Add driver, OK]


Step 9: Browse to C:\Windows\System32

By default X:\System32 is selected. In order to make changes, go to System32 on Local Disk (C:), i.e. the Windows drive.

Your system drive letter may vary.

[Screenshot: Browse to C:\Windows\System32]

Step 10: Clone cmd

Select cmd.exe, then press Ctrl+C and Ctrl+V to make a copy of cmd (“cmd – Copy.exe”).

Use the keyboard only.

[Screenshot: Clone cmd]

Step 11: Rename sethc

Left-click on sethc and press <F2> to rename sethc to sethc1.

Right-clicking anywhere crashed the browsing window for me. Maybe Windows is trying to defend itself, but we are going to get Admin access anyway.

[Screenshot: Rename sethc to sethc1]

Step 12: Rename cmd – Copy.exe

Rename “cmd – Copy” to “sethc”.

Press <F5> to see the changes made. The interface is kind of lame.

[Screenshot: Rename cmd to sethc]

Step 13: Continue to Windows 10 boot

Time to boot Windows 10…

[Screenshot: Continue to Windows 10]

Step 14: Open command prompt [Sticky Keys Method]

Press <Shift> 5 times to launch the command prompt (sethc.exe).

Note the title bar.

[Screenshot: Command prompt opened via Sticky Keys]

Step 15: Reset admin password

Here we can reset the password in 2 ways:

  1. Using GUI
  2. Using command line

We’ll cover both.

Step 1 (GUI): Open the “control userpasswords2” interface

control userpasswords2

A window will appear listing user names; select a user and click Reset Password…

rootsh3ll is a member of Administrators; see the [Group] tab.

[Screenshot: control userpasswords2, Reset Password]

Step 2: Reset password

Enter the desired password and confirm.

The new password is “pass” here.

[Screenshot: control userpasswords2, set new password]

Step 1 (command line): Get the administrators list

net localgroup administrators

It will display a list of all accounts with administrator privileges.

Step 2: Reset Password

Administrator and rootsh3ll are the 2 accounts in our case. Our target is rootsh3ll.

To reset any account’s password, type:

net user <Username> <Pass>

[Screenshot: net user, set password]

Here “rootsh3ll” is the administrator account and “pass” is the desired password. You can set a password of any length.


Step 16: Log in with the new credentials

[Screenshot: Log in to Windows 10]


Once you have an administrator-level cmd shell, there are a number of interesting things you can do, not only from cmd but also from PowerShell.

But I’ll keep this tutorial within its expected scope. The rest I’ll leave up to you.

Let me know in the comments section what else you discovered after this step.

It may sometimes happen that the administrator account is set to hidden, as in school/college labs, to prevent a standard user from logging in or performing a brute-force attack remotely (if the admin username is known).

So, to bypass this, a potential attacker can enable/disable the admin account right from the login screen.

1. Enable/Disable administrator account

net user <Username> /active:[STATUS]

“rootsh3ll” is the username.

[Screenshot: net user, enable/disable hidden account from cmd]

If STATUS=yes, the account is enabled, i.e. visible to all users.

If STATUS=no, the account is disabled and therefore hidden from the login screen.


2. Create a hidden administrator account


Step 2.1: Create new user

net user <New Username> <Password> /add
net localgroup administrators <New Username> /add

Step 2.2: Set the account hidden

net user <New Username> /active:no

Step 2.3: Check admin account list

net localgroup administrators

[Screenshot: net user, create hidden user from cmd]

Step 2.4: Check hiddenuser’s visibility

control userpasswords2

You’ll only see a list of enabled accounts; hiddenuser should not be shown in the list.
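The flip side of the hidden-account trick, as an added example that is not part of the original post: a PowerShell audit that lists every member of the local Administrators group, flags disabled members that control userpasswords2 would not show, and surfaces recent password resets like the one done above with net user. It assumes Windows 10 with the built-in Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the 24-hour window for "recent" is an arbitrary choice of this example.

```powershell
# Added example, not from the original post: audit the local Administrators
# group for disabled ("hidden") members and recent password resets.
# Assumes Windows 10 / PowerShell 5.1+ with the LocalAccounts module, run elevated.

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $u = Get-LocalUser -SID $m.SID
        # The built-in Administrator (RID 500) is disabled by default on Windows 10,
        # so a disabled state there is normal and is reported separately.
        $builtIn = $u.SID.Value -like '*-500'
        [pscustomobject]@{
            Account         = $m.Name
            Enabled         = $u.Enabled
            BuiltIn         = $builtIn
            PasswordLastSet = $u.PasswordLastSet
            LastLogon       = $u.LastLogon
            # Disabled + in Administrators + not the built-in account:
            # exactly what "control userpasswords2" hides from view.
            Hidden          = (-not $u.Enabled) -and (-not $builtIn)
        }
    }
    else {
        # Domain users or groups: listed, but not inspected by this script.
        [pscustomobject]@{
            Account         = $m.Name
            Enabled         = $null
            BuiltIn         = $false
            PasswordLastSet = $null
            LastLogon       = $null
            Hidden          = $false
        }
    }
}

$report | Sort-Object Hidden -Descending | Format-Table -AutoSize

$hidden = $report | Where-Object Hidden
if ($hidden) {
    Write-Warning ("Disabled account(s) in Administrators: " + ($hidden.Account -join ', '))
    Write-Warning "If unexpected, remove with: Remove-LocalGroupMember -Group Administrators -Member <name>"
}

# A "net user <Username> <Pass>" reset leaves a fresh PasswordLastSet timestamp.
$recent = $report | Where-Object {
    $_.PasswordLastSet -and $_.PasswordLastSet -gt (Get-Date).AddDays(-1)
}
if ($recent) {
    Write-Warning ("Administrator password(s) set in the last 24 hours: " + ($recent.Account -join ', '))
}
```

Save it as a .ps1 and run it from an elevated PowerShell prompt; an account that shows Hidden = True without an obvious reason is the backdoor pattern the section above describes.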

Prevention from Sticky-Keys attack

Unless it’s a public machine (i.e. at home or work), you can prevent this by adding disk encryption or even a BIOS boot password.

Just don’t forget them.

Also, disable USB/CD/DVD in the boot device priority, so that an attacker won’t be able to boot a Linux live distro or a Windows recovery disk.

In case you are not willing/authorized to perform any of these, you could also opt for disabling Sticky Keys (on the login screen):

reg add "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f

Why on the login screen specifically?

As it turns out, disabling Sticky Keys from your logged-in account doesn’t stop Sticky Keys from popping up at the login screen (not the lock screen, keep in mind), because the setting you changed applies to the current user only.

But we need to apply it system-wide, so that it won’t get called even when no account is logged in, i.e. on the login screen.
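A defender’s check for the swap itself and for the registry setting above, as an added example that is not from the original post. It assumes Windows 10 with PowerShell 5.1 and an elevated prompt; the -Fix switch is a parameter of this script, not a Windows option, and the only thing it writes is the Flags value the post already recommends.

```powershell
# Added example, not from the original post: detect a sethc.exe that has been
# replaced with cmd.exe as described above, and optionally apply the post's
# login-screen Sticky Keys hardening. Assumes Windows 10 / PowerShell 5.1, run elevated.
param([switch]$Fix)

$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'
$findings = @()

# 1. After the swap, sethc.exe is a byte-for-byte copy of cmd.exe.
$hSethc = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$hCmd   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($hSethc -eq $hCmd) {
    $findings += "sethc.exe has the same SHA256 as cmd.exe ($hSethc)"
}

# 2. The genuine file's version resource names itself sethc.exe; cmd.exe's says Cmd.Exe.
$vi = (Get-Item -Path $sethc).VersionInfo
if ($vi.OriginalFilename -ne 'sethc.exe') {
    $findings += "sethc.exe version resource: OriginalFilename='$($vi.OriginalFilename)', FileDescription='$($vi.FileDescription)'"
}

# 3. Signature check. Caveat: cmd.exe is a catalog-signed Microsoft binary and catalog
#    lookups are by file hash, so a plain copy of cmd.exe still reports 'Valid'. This
#    step only catches replacement with an unsigned or non-Microsoft binary.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') {
    $findings += "sethc.exe signature status is $($sig.Status)"
}

# 4. The procedure above renames the original (e.g. sethc1.exe) and leaves it behind.
$leftover = Get-ChildItem -Path $sys32 -Filter 'sethc*.exe' | Where-Object Name -ne 'sethc.exe'
if ($leftover) {
    $findings += "extra sethc* binaries in System32: $($leftover.Name -join ', ')"
}

# 5. Sticky Keys hotkey for the login screen lives under HKU\.DEFAULT. The post's
#    value 506 clears the hotkey-active bit; 510 is the usual default.
$key   = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Accessibility\StickyKeys'
$flags = (Get-ItemProperty -Path $key -Name Flags -ErrorAction SilentlyContinue).Flags
if ($flags -ne '506') {
    $findings += "login-screen StickyKeys Flags is '$flags' (five-presses hotkey still active)"
    if ($Fix) {
        Set-ItemProperty -Path $key -Name Flags -Type String -Value '506'
        Write-Host "Set $key\Flags to 506"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "sethc.exe looks genuine and the login-screen Sticky Keys hotkey is disabled."
}
```

Because the swapped file is a verbatim copy of a catalog-signed Microsoft binary, the signature check alone would pass; the hash and version-resource comparisons are the parts that actually catch the swap the post demonstrates. A replaced sethc.exe can be put back with sfc /scannow, which restores protected system files from the component store.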


The attacker has successfully compromised the system, gaining administrator-level privileges and setting up a backdoor on the machine (hiddenuser) that the owner is unaware of.

The reason this works is that Windows doesn’t check the integrity of the Sticky Keys executable and just runs it regardless.

Further attacks can be performed since the system is owned.

The Sticky Keys method is applicable to Windows XP/7/8 as well, but due to changes in the automatic repair method the way to perform the attack differs. We’ll see that soon.

Stay Tuned.


Was this helpful? Let me know about your experience. I would love to hear right from you in the comments.

P.S.: I respond to every comment.

Next we will learn how to get root access on a Linux machine.

Keep Learning.