This issue has been patched, but it will still spawn a cmd prompt for just a couple of seconds. Recovering the password might still be possible this way.
Sometimes you lose access to a Windows 10 machine, or a friend has forgotten his password and nobody knows the administrator password. Or perhaps there is an old PC that has been running for a while and nobody knows its password. Either way, you need to recover the password for a local account on this machine. Strictly speaking this does not recover the password; it replaces it.
If the drive is not encrypted and you can boot from USB into a Windows PE environment, then it is possible to change the password or even create new accounts and add them to the administrator group. This also works with Windows Server editions.
Let’s get started
In this scenario I’m using a virtual machine, but it also works with physical devices as long as the drive is not encrypted and you can boot from media such as USB. I’m using Windows 10 1909. I do not believe it works on the latest version. I’m sure there is a workaround for this.
Boot the device from Windows installation media.
Make sure your keyboard input is right and click Next
Click on Repair your computer
Choose Troubleshoot
Now click on Command Prompt
Now we are going to load the SOFTWARE registry hive from the operating system that is on the device. In the recovery environment the installed Windows volume is not always mounted as c:, so check the drive letter first. Type in the following command
REG LOAD hklm\thedutchhacker c:\Windows\System32\config\SOFTWARE
Now we are going to use the debugger feature to replace utilman (Ease of Access Center) with cmd.exe
Type in the following command
REG ADD "HKLM\Thedutchhacker\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "cmd.exe"
Now close the command prompt and continue to boot into Windows
Once the system has started and you see the login screen, click on the Ease of Access button once
You will now see a command prompt spawned as SYSTEM. You can use the net user command to change the password, or create a new user and add it to the local administrator group
net user Thedutchhacker P@ssw0rd /ADD
net localgroup Administrators Thedutchhacker /ADD
As for the patched versions of Windows, the cmd prompt will pop up and disappear. I just wanted to show here that through the debugger function you can replace one exe file with another exe file, in this case Ease of Access with cmd. Because the login screen is a system process, it will run anything with the system account.
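The Debugger value written above stays in the registry until someone removes it, so it is worth auditing for. The following PowerShell check is an added example, not part of the original post: it reports any Image File Execution Options Debugger value on binaries that can be started from the login screen. The function name and the list of binaries beyond utilman.exe are assumptions made for this example.

```powershell
# Added example: report IFEO "Debugger" values on logon-screen binaries.
# Run from an elevated PowerShell prompt on the machine being checked.
$DefaultRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption for this example: other accessibility tools reachable from the
# logon screen are checked too; the post itself only names utilman.exe.
$DefaultImages = 'utilman.exe', 'sethc.exe', 'osk.exe', 'magnify.exe',
                 'narrator.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebuggerFinding {
    param(
        [string]   $Root   = $DefaultRoot,
        [string[]] $Images = $DefaultImages
    )
    foreach ($image in $Images) {
        $key = "$Root\$image"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Returns $null when the key exists but holds no values.
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # A Debugger value makes Windows start that program in place of the image.
        if ($props.PSObject.Properties.Name -contains 'Debugger') {
            [pscustomobject]@{
                Image    = $image
                Debugger = $props.Debugger
                Key      = $key
            }
        }
    }
}

$findings = @(Get-IfeoDebuggerFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No Debugger values found on the checked images.'
} else {
    $findings | Format-Table -AutoSize
    # After review, a value can be cleared (shown with -WhatIf as a dry run):
    # Remove-ItemProperty -LiteralPath $findings[0].Key -Name Debugger -WhatIf
}

# Offline hive mounted as in the post (REG LOAD hklm\thedutchhacker ...):
# Get-IfeoDebuggerFinding -Root 'HKLM:\thedutchhacker\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
```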