If you find yourself locked out of your admin account and didn’t follow best practices by creating a password reset disk beforehand, you’re not out of luck. In fact, hacking into a Windows account is surprisingly easy and can be done in minutes. This method is called the sticky keys hack and has been tested in Windows 7/8/10. The hack gets its name because it exploits the manner in which the Sticky Keys program is called. If you’ve never seen Sticky Keys, press Shift 5 times and the Sticky Keys prompt should appear.
We are going to trick Windows into starting a command prompt with elevated permissions at the login screen by replacing the Sticky Keys program with the command prompt program and then summoning it by making Windows start the Sticky Keys program. Here are the steps:
You need to boot your computer with either a Windows installation disc or a Linux distro of your choice. Change the BIOS boot order to prioritize booting from a CD (or USB if you’re using that) and boot it up.
If you’re using Linux, navigate in the file explorer to the Windows hard drive and get to your C:\Windows\System32 directory.
If you’re booting from a Windows installation disc, great. You will have to click through a language and time settings screen, and when you get to the screen to install Windows, don’t, and bring up the System Recovery Options instead. You will have the option to bring up a command prompt. Do it, and enter the command:
This will move you into the directory we’ll be working in.
Note: If you get an error saying “The system cannot find the drive specified.” don’t sweat. Windows probably changed it to the D drive for the repair session. Switch to the D drive by typing D: and pressing Enter. Carry out the rest of this exercise replacing “c:” with “d:” wherever it appears.
We now have to create a backup of the Sticky Keys program – sethc.exe – and rename the command prompt program – cmd.exe – to sethc.exe. If you’re using Linux you can use the graphical interface. Just rename sethc.exe to something like sethc.exe.bak first and then rename cmd.exe to sethc.exe and reboot your computer back to Windows.
If you’re using the Windows command prompt, enter the commands:
copy sethc.exe c:\
copy /y cmd.exe sethc.exe
Exit the command prompt and reboot the computer.
Now the fun part. When you get to the login screen, press the Shift key 5 times. Windows will now open a command prompt with elevated permissions. Type:
net user username password
(where username is the administrator’s username and password is whatever password you want to reset it to)
You can now log in using the password you specified.
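The steps above leave traces on disk that a defender can check for. The following is an added example, not part of the original article: it inspects a Windows drive (live, or mounted offline from Linux) for a sethc.exe that is byte-identical to cmd.exe, a leftover sethc.exe.bak in System32, and a copy of sethc.exe in the drive root. The function names and finding strings are hypothetical, and the drive root path is an assumption supplied by the caller.

```python
import hashlib
from pathlib import Path


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_child(parent: Path, name: str):
    """Case-insensitive lookup, so a Windows volume mounted on Linux also works."""
    if not parent.is_dir():
        return None
    for entry in parent.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def check_sticky_keys(drive_root) -> list:
    """Return a list of findings; an empty list means none of the traces were found."""
    root = Path(drive_root)
    windows = find_child(root, "Windows")
    system32 = find_child(windows, "System32") if windows else None
    if system32 is None:
        return ["System32 not found under " + str(root)]
    findings = []
    sethc = find_child(system32, "sethc.exe")
    cmd = find_child(system32, "cmd.exe")
    if sethc is None:
        findings.append("sethc.exe is missing from System32")
    elif cmd is not None and sha256(sethc) == sha256(cmd):
        findings.append("sethc.exe is byte-identical to cmd.exe")
    if find_child(system32, "sethc.exe.bak"):
        findings.append("sethc.exe.bak present in System32")
    if find_child(root, "sethc.exe"):
        findings.append("copy of sethc.exe in the drive root")
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default: the live system drive; pass a mount point for an offline image.
    for line in check_sticky_keys(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print("FINDING:", line)
```

Any finding is a reason to look at who had physical or boot-media access to the machine, and the byte-identical match should be followed by restoring the original sethc.exe.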