Skip to main content
Joshua Robbins
  1. Blog Posts/

Gaining entry into Windows as Administrator

·399 words·2 mins

This is an old but still relevant method of gaining access to an local Administrator account on any windows machine running Vista on-wards.

Note: This method will only work when Bitlocker is not enabled on the machine.

You can either use a live CD or Windows PE (From Windows installation media), this guide will use Windows PE.

  • Download Windows Media Creation Tool and make a USB installer by following the instructions when launching the .exe (Any version is fine as we are not installing Windows).
  • Change the boot priority of the device to use the USB before the OS Disk
  • Launch the Windows Installation Media and press SHIFT+F10 to launch a CMD prompt
Launching CMD in Windows PE through

Find the Windows OS volume by looking through the different drives, e.g.

Type “C:” -> “Dir” -> Replacing C: With D: etc…

Finding the OS drive from Windows PE

Once you have found the OS drive, Enter “cd X:/Windows/System32” (X: being the OS drive identified earlier)

We are going to replace the sticky keys executable with CMD, so when sticky keys is launched we open CMD instead

Make a backup of sticky keys with: copy sethc.exe ..

Backing up sethc.exe for restoration later
Overwrite sticky keys with CMD by entering: copy cmd.exe sethc.exe

Overwriting sethc.exe with cmd

Reboot the machine without launching the Installation Media

Once windows is loaded up, press SHIFT 5 times to launch a CMD

By entering “whoami” you can see we are running as system

Opening a CMD at the login screen with the system account

List the local users by typing “net user”

You can also run computer management if you prefer a GUI by entering: compmgmt.msc

Hunting for the Administrator account

Depending on the target machines configuration you may see the “Administrator” account, however, if best practises are followed this may have been renamed.

You can check which groups an account is apart of by typing:

net user USERACCOUNT

Assuming the Administator account hasn’t been renamed, you can activate it with:

net user Administrator /ACTIVE:Yes

Activating the local Administrator account
Change the password of the Administrator account with:

net user Administrator Password123

Resetting the password of the local Administrator account
You can now login to the device with the password in which you defined above

You can revert the changed sethc.exe while logged in by opening a CMD as admin and entering:

robocopy c:\windows c:\windows\system32 sethc.exe /B

/B instructs robocopy to use the Backup API, otherwise the operation will fail due to insufficient privileges

The results from successfully reverting the sethc.exe file back from inside the machine

To mitigate the risk the risk of this happening to a machine in your environment you should use BitLocker to prevent access to the OS drive being the machine has booted up.

Joshua Robbins
Author
Joshua Robbins
I write about the things I’m building, learning, breaking and fixing across Computer Science and Cyber Security.
Tryhackme Streamline Icon: https://streamlinehq.comTryHackMe