
Breaking Windows User Account Passwords


Has this ever happened to you: you have forgotten the password to the Windows user account on your own computer? You badly needed to log in to your user account, but Windows refused because the password you were entering was wrong? Sometimes people have even had to format their hard disk and reinstall the operating system just to get at their data. So today, I'll show you how to bypass and reset the Windows user account password, without knowing the old password or having to log in, of course.

All you need is a bootable CD/USB flash drive that contains a Live operating system. A Live O/S basically means that you can boot into the O/S and run it directly from the bootable media without installing it on your computer's hard disk first, thus avoiding any loss of data. Common examples of Live O/S are Linux distributions like Ubuntu, Fedora, SuSE etc.

And here's how it is done:

Step 1: Boot from the Live media

The first thing you need to check is that you can boot from the Live media. This assumes that you can boot from devices other than the hard disk. This is the case 99% of the time, but if you had been a security freak and restricted the boot devices in the BIOS, protected by a BIOS password that you also don't have access to right now, the magic dies here. If you are able to boot from the Live media, we are good to go.

Step 2: Lay the trap

Once you are running the Live O/S, the next step is hunting down the WINDOWS folder on your hard disk. Assuming Ubuntu (or any other common Linux distribution) is used as the Live O/S, you can find the Windows C drive (supposing C is the drive on which Windows is installed) as well as the other drives in the Computer folder (go to the Places menu > Computer).
Inside C (though it will nowhere be named by the drive letter; usually the volume name is shown instead) you will find the WINDOWS folder. Inside it, navigate to the System32 folder and locate this file:

sethc.exe

This is the executable that provides the Accessibility Options (also known as Ease of Access) like the Narrator, Magnifier, On-Screen Keyboard, Sticky Keys, etc. while using Windows. If you go to the Windows login screen and press the [SHIFT] key 5 times, or click the button in the lower left corner of the screen, you will see it. What you need to do is remove this file from the System32 folder (better, move it somewhere else for safekeeping). Next, we need a counterfeit sethc.exe, and for that Windows itself provides the best possible candidate: the well-known cmd.exe, our very own Command Prompt. So, simply make a copy of cmd.exe in the same System32 folder and rename the copy to sethc.exe.

Step 3: Rebooting into Windows and triggering it

Now remove the bootable media from the computer and simply reboot into Windows.

Next, on the login screen, simply trigger the Accessibility Options using the [SHIFT] key or the on-screen button as mentioned before. And out comes the magic: instead of the usual Accessibility Options, what you see is the Windows Command Prompt, open and ready for your instructions.

Now, before we proceed to resetting the user account password, let's understand the implications of what just happened. Once the Command Prompt is running, the computer is potentially fully exposed. All the security that the user account password offered has been bypassed, and your computer is ready to be played with. Anyone skilled enough with the Windows command line can make your machine do whatever s/he desires. And of course, this is what we are going to exploit.

But before that, there are a few more issues to cover. On Windows XP, which is child's play, a toy in terms of security by now, this is not a problem. Windows Vista/7, however, introduced somewhat more advanced security features, so to make whatever changes we wish using the Command Prompt, we need to be able to run it with elevated privileges, i.e. run as administrator. Fortunately, you'll find that Microsoft strongly lacks an aptitude for security in its products: when the Command Prompt runs in place of the Accessibility Options, it runs with elevated privileges by default, because the login screen launches it under the SYSTEM account before anyone has logged in, though there is no good reason it should. You can call it the stupidity of the most celebrated operating system on the market, but this is how it goes. Microsoft Windows is vulnerable. Insecure. But this is good for us now, isn't it?

Step 4: Resetting the password

Once the Command Prompt is running, all you need to do is use the NET USER command, which changes the password of a Windows user account without asking for the previous password, which is another security flaw in itself. The basic syntax of the command is:

NET USER [username [password | *]]


There are a few further advanced options in the command syntax, but let's ignore them since we don't need them for now. So, suppose the user account is named Abhishek and we want to change the password to abc123; the command goes like this:

NET USER Abhishek abc123

In case you don't want the password to be echoed on screen, you can type the command as:

NET USER Abhishek *

This will then prompt you to type the password without displaying the keystrokes on screen (and so you have to retype it for confirmation). On a successful password reset, the command displays the message "The command completed successfully." Now you can simply log in to your user account with the new password you just set. It's done!
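A defender's counterpart to Steps 2 to 4, added here as an example and not part of the original article: a check that reports when sethc.exe in System32 is byte-for-byte a renamed copy of cmd.exe (or of any other executable there). A renamed cmd.exe keeps its valid Microsoft signature, so a signature check alone will not notice the swap; comparing content hashes does. The System32 stand-in, file contents and names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added detection example, not the article's own code: flag a sethc.exe that
# has been swapped for a renamed copy of cmd.exe (Step 2 of the article).
# The swapped file still carries a valid signature, so we compare bytes instead.

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_sethc_impostor(system32: Path, target: str = "sethc.exe") -> list:
    """Return names of other .exe files in system32 whose bytes are identical
    to target. A genuine sethc.exe matches nothing; after the swap it matches
    cmd.exe."""
    target_path = system32 / target
    if not target_path.is_file():
        raise FileNotFoundError(target_path)
    target_hash = sha256_of(target_path)
    target_size = target_path.stat().st_size
    matches = []
    for candidate in sorted(system32.glob("*.exe")):
        if candidate.name.lower() == target.lower():
            continue
        # Cheap size filter first; confirm with the hash only on a size match.
        if candidate.stat().st_size == target_size and sha256_of(candidate) == target_hash:
            matches.append(candidate.name)
    return matches

def demo() -> tuple:
    """Run the check on a constructed stand-in for System32 (dummy bytes, not
    real PE files) before and after reproducing the article's swap."""
    with tempfile.TemporaryDirectory() as tmp:
        s32 = Path(tmp)
        (s32 / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
        (s32 / "sethc.exe").write_bytes(b"constructed sethc.exe bytes")
        (s32 / "notepad.exe").write_bytes(b"constructed notepad.exe bytes")
        clean = find_sethc_impostor(s32)  # returns []
        # Step 2 of the article: move sethc.exe aside, drop in a copy of cmd.exe.
        os.replace(s32 / "sethc.exe", s32 / "sethc.exe.bak")
        (s32 / "sethc.exe").write_bytes((s32 / "cmd.exe").read_bytes())
        swapped = find_sethc_impostor(s32)  # returns ["cmd.exe"]
    return clean, swapped
```

On a real machine, run find_sethc_impostor(Path(r"C:\Windows\System32")) from an account that can read that folder; an empty list is the expected result on an untouched system.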

An epilogue: To end, I'd like to mention two things. The first, as you can all see, is that the above process uses two very major security flaws in Microsoft Windows, be it XP, Vista or 7, an O/S that costs thousands of bucks and that we are all very fond of for its ease of use; in reality, Windows is very insecure. Microsoft spends millions of dollars on research and production, so if it wanted, it could easily have fixed these flaws, but it didn't (ponder why?). And second, since it didn't, and as one of our favourite childhood heroes once said, "With power comes responsibility", so, given the knowledge, we must use it responsibly.

Article by Abhishek Ghosh, second-year student, Mechanical Engineering
