Backdoor to Reset Administrator

Password or Add New User in Windows 7

As long as there is physical access to a computer, it is always possible to gain access to the
operating system even if it is password protected. For example, you can use Kon-Boot to
login to any user account in Windows with any password by booting up the computer with
the CD or USB. If BIOS is secured with a password to prevent changing of boot order, you
can change the jumpers or remove the battery from the motherboard to clear the CMOS
settings. As long as you can boot up the computer with CD or USB, there are quite a lot of
tools that allows you to reset the user account password even if you dont know the original
password.
Here is an interesting method which I recently discovered that allows you to plant a
backdoor to your Windows 7 operating system so that you can always reset or even add a
new user account without even first logging in to Windows. This method is a bit restrictive
because it requires an administrator privilege to the computer in order to make changes to
the system but it does not involve installing any third party software or changing any
system files like the old DreamPackPL.
This backdoor allows you to run command prompt (cmd.exe) with system privilege from
the Windows 7 login screen. So with a system privilege command prompt in your hands,
you can actually do a lot of stuff including creating new accounts to resetting administrator
password to gain access to the password protected Windows. Check out these step-by-step
instructions:
1. First, make sure you are logged in as an administrator. Click on the start button, type
cmd in the Search programs and files bar, right click on the cmd.exe that is displayed on the
list and select Run as administrator.
2. Copy the command below and paste it to the command prompt.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
If you see the message that says The operation completed successfully, that means you
have installed the backdoor. If not, make sure you are logged in to a user account with
administrator privilege and also run the cmd as administrator.

3. When you are at the login screen, you can either press the SHIFT key continuously for 5
times or Alt+Shift+PrintScreen which will open a command prompt with system privilege.
You can now do whatever you want with it such as typing:
Explorer To launch explorer and give you access to Start menu and taskbar. Any attempt
to run Windows Explorer will prompt an error saying The server process could not be
started because the configured identity is incorrect. Check the username and password. If
you need to check the files and folders on the sytem, use the dir command instead in cmd.

Net user user_name new_password This command allows you to set a new password to
any username without knowing the current password.
Net user user_name password /add This command allows you to add a new user to the
system so you can login to Windows without touching the existing user accounts.
This proof of concept has been around for a very long time and is not really an exploit
which is why Microsoft does not intend to patch and block it. To remove or uninstall the
backdoor, simply delete the registry value that you have added or paste the command below
to an elevated command prompt followed by pressing the Y key to confirm the deletion.
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
Execution Options\sethc.exe"
Here is a simple explanation on how this backdoor works. In the Windows login screen,
you are allowed to turn on sticky keys or high contrast using the hotkeys (Shift x 5 OR
Alt+Shift+PrintScreen). Attempting to turn on either one with launch the sethc.exe file.
Adding the provided registry will tell Windows that you want to run cmd.exe as a debugger
for sethc.exe but the problem is Windows does not check if it is a valid debugger. So
whenever you try to launch sticky keys or high contrast in the Windows 7 login screen, you
will run the command prompt instead.

Below is a video demo to show how the whole thing works.

Unlock! Create a hidden or invisible drive
Tip! How to execute an app during Windows startup
Updated! Adding Desktop Right-Click Menu items using Registry and Regdevelop

Unlock For Us
Hidden Backdoor in Windows 7/Vista Welcome Screen

Ok, This is fun. Anyone of you watch the famous 1995 movie "The Net" by Sandra
Bullock? The Famous Praetorian PI was used as a backdoor to access password-protected
sites. Can we create a vista backdoor, something like that in Windows Vista or 7? Yes you
Can! How?
The Clue: The Ease of Access Program

Where? The 624kb Utilman.exe is the key located at System Folder.

Steps:
Open the Folder Windows\System32\ and check the Properties of Utilman.exe

Problem... My current Logon Username Lawrence and Administrators has no Permission

no modify the file. Thus, If you try to rename the file, it will give you the message:
Destination Folder Access is Denied You need permission to perform this action

Normally, Winbubble Context Menu "Take the Ownership of this file" can add the
permission but this time, you can't. (The Next Version can do it easily).

Also, Most of the Buttons are Disabled.

How to Add the permission

Prevention is better than Cure: To easily recover your system from any problems, Create
a Restore Point First using the Context Menu that can be created by WinBubbles, Read here
or you can do it manually: Win+R > rundll32.exe shell32.dll,Control_RunDLL
sysdm.cpl,,4 > Create Button > Enter the name
1. Take the Ownership Of the File using the LONG METHOD, Click here and Right-Click
the file > Properties > Go to Security Tab > To change Permission Click Edit Button >
Click Administrator > Click to Check Allow Setting of Full Control option box
Another Way because I understand that your a Geek:
Open Command Prompt as Administrator, Start Search > type CMD > Press
CTRL+ALT+Enter > Enter the Following commands:
a. takeown /f "Directory\File"
e.g. takeown /f "c:\windows\system32\Utilman.exe"
b. icacls "Directory\File" /grant administrators:F
e.g.
icacls "c:\windows\system32\Utilman.exe" /grant
administrators:F

If you didn't open CMD.exe as administrator, you'll get this message:

ERROR: The current logged on user does not have ownership privileges on the file (or
folder) "c:\windows\system32\Utilman.exe"
2. Rename Utilman.exe to any for backup example: Utilman_old.exe

3. Create a copy of cmd.exe (CTRL+Drag)

4. Rename the Copy - cmd to Utilman

That's It!
Go to your Welcome Screen: Start Menu > At the Bottom, Click the Right Arrow > Switch
User
5. Click the Blue Magic Button pointed by the arrow as shown in the first Picture above.

You have now successfully launch a Command Prompt in Administrator mode with UAC
disabled...
Doesn't Work? Possible Mistake: In your Folder Option Window > View Tab > "If Hide
extensions for known file types" is checked, Don't rename it to "Utilman.exe", use
"Utilman" ONLY.

NEW! Using the newest version of WinBubble, you can easily get this functionality in just
few clicks!
Click the Windows 7/Utilities Tab, Logon Tools option

Click Yes and Restart your PC. Works great in Windows 7 32/64 bit version!
NOTE: You need to re-open again the program after restarting your computer and repeat
the procedure again to be able to activate the feature.
SWEET!!! Start Hacking your own computer :)
Now, it's fine for me to forget my password without creating a password reset disk or by
hacking and clearing Vista Password using a Linux OS. Create a Backdoor instead! Is this
bad? Of course, this is bad if you'll use it that way.
Net user [Username] [NewPassword]
For more Information, Read Here
Is this legal? Yes, it is... My steps needs the Administrator login to create a backdoor and
If you do this by using another OS like Linux to another computer. That's the time it will
became Illegal.
Type: whoami /all |more

Now we can see that System logon is the one running when you input Username and
Password in the Welcome Screen.
Try typing taskmgr.exe (Browse Button let's you run a mini-windows explorer), Notepad
and even Explorer.exe!
In my observations:

Windows Firewall is ON (Great!)

Spyware and other Malware Protection is ON (Great!)
User Account Control is OFF
You can browse the Internet
The Location of Desktop: c:\Windows\System32\config\systemprofile\Desktop
Launch Windows Media Player, Windows Calendar, Windows Mail and many more

Note: There is a possibility that the guide above will work in latest build (RC version) of
Windows 7. Due to License and some legal concerns I can't reveal any data. Tell me?
ENJOY LEARNING WINDOWS!!!
6 Comments:
vince said...

nice hack, but won't that just defeat the purpose of the welcome screen?, why not
just forget your password for your username all together and boot directly to the
desktop :)
November 20, 2008 at 10:11 PM
Anonymous said...

Wait, are you saying that you have Windows 7 Beta? Just wondering... Or can you
not tell us that either?
November 20, 2008 at 11:32 PM
Anonymous said...

It works! I have Windows 7 Build 6801 leaked from torrents and it worked
perfectly! I am waiting to download "The Net (1995)"... I am curious... ;)
November 22, 2008 at 11:23 PM
Nura M. said...

Hi!
I have forgotten that movie(The Net) you were talking about. I do not know if I may

be opportuned to have a look at it(refer me to site ), so that I can answer the

question.
I WISH TO HAVE MORE OF YOUR EDUCATING INFORMATION.
Thanks!
Nura
November 23, 2008 at 9:44 PM
Anonymous said...

Unlock! Create a hidden or invisible drive

Tip! How to execute an app during Windows startup
Updated! Adding Desktop Right-Click Menu items using Registry and Regdevelop

Unlock For Us
Hidden Backdoor in Windows 7/Vista Welcome Screen

Ok, This is fun. Anyone of you watch the famous 1995 movie "The Net" by Sandra
Bullock? The Famous Praetorian PI was used as a backdoor to access password-protected
sites. Can we create a vista backdoor, something like that in Windows Vista or 7? Yes you
Can! How?
The Clue: The Ease of Access Program

Where? The 624kb Utilman.exe is the key located at System Folder.

Steps:
Open the Folder Windows\System32\ and check the Properties of Utilman.exe

Problem... My current Logon Username Lawrence and Administrators has no Permission

no modify the file. Thus, If you try to rename the file, it will give you the message:
Destination Folder Access is Denied You need permission to perform this action

Normally, Winbubble Context Menu "Take the Ownership of this file" can add the
permission but this time, you can't. (The Next Version can do it easily).

Also, Most of the Buttons are Disabled.

How to Add the permission

Prevention is better than Cure: To easily recover your system from any problems, Create
a Restore Point First using the Context Menu that can be created by WinBubbles, Read here
or you can do it manually: Win+R > rundll32.exe shell32.dll,Control_RunDLL
sysdm.cpl,,4 > Create Button > Enter the name
1. Take the Ownership Of the File using the LONG METHOD, Click here and Right-Click
the file > Properties > Go to Security Tab > To change Permission Click Edit Button >
Click Administrator > Click to Check Allow Setting of Full Control option box
Another Way because I understand that your a Geek:
Open Command Prompt as Administrator, Start Search > type CMD > Press
CTRL+ALT+Enter > Enter the Following commands:
a. takeown /f "Directory\File"
e.g. takeown /f "c:\windows\system32\Utilman.exe"
b. icacls "Directory\File" /grant administrators:F
e.g.
icacls "c:\windows\system32\Utilman.exe" /grant
administrators:F

If you didn't open CMD.exe as administrator, you'll get this message:

ERROR: The current logged on user does not have ownership privileges on the file (or
folder) "c:\windows\system32\Utilman.exe"
2. Rename Utilman.exe to any for backup example: Utilman_old.exe

3. Create a copy of cmd.exe (CTRL+Drag)

4. Rename the Copy - cmd to Utilman

That's It!
Go to your Welcome Screen: Start Menu > At the Bottom, Click the Right Arrow > Switch
User
5. Click the Blue Magic Button pointed by the arrow as shown in the first Picture above.

You have now successfully launch a Command Prompt in Administrator mode with UAC
disabled...

Doesn't Work? Possible Mistake: In your Folder Option Window > View Tab > "If Hide
extensions for known file types" is checked, Don't rename it to "Utilman.exe", use
"Utilman" ONLY.
NEW! Using the newest version of WinBubble, you can easily get this functionality in just
few clicks!
Click the Windows 7/Utilities Tab, Logon Tools option

Click Yes and Restart your PC. Works great in Windows 7 32/64 bit version!
NOTE: You need to re-open again the program after restarting your computer and repeat
the procedure again to be able to activate the feature.
SWEET!!! Start Hacking your own computer :)
Now, it's fine for me to forget my password without creating a password reset disk or by
hacking and clearing Vista Password using a Linux OS. Create a Backdoor instead! Is this
bad? Of course, this is bad if you'll use it that way.
Net user [Username] [NewPassword]
For more Information, Read Here
Is this legal? Yes, it is... My steps needs the Administrator login to create a backdoor and
If you do this by using another OS like Linux to another computer. That's the time it will
became Illegal.
Type: whoami /all |more

Now we can see that System logon is the one running when you input Username and
Password in the Welcome Screen.
Try typing taskmgr.exe (Browse Button let's you run a mini-windows explorer), Notepad
and even Explorer.exe!
In my observations:

Windows Firewall is ON (Great!)

Spyware and other Malware Protection is ON (Great!)
User Account Control is OFF
You can browse the Internet
The Location of Desktop: c:\Windows\System32\config\systemprofile\Desktop
Launch Windows Media Player, Windows Calendar, Windows Mail and many more

Note: There is a possibility that the guide above will work in latest build (RC version) of
Windows 7. Due to License and some legal concerns I can't reveal any data. Tell me?
ENJOY LEARNING WINDOWS!!!
6 Comments:
vince said...

nice hack, but won't that just defeat the purpose of the welcome screen?, why not
just forget your password for your username all together and boot directly to the
desktop :)
November 20, 2008 at 10:11 PM
Anonymous said...

Wait, are you saying that you have Windows 7 Beta? Just wondering... Or can you
not tell us that either?
November 20, 2008 at 11:32 PM
Anonymous said...

It works! I have Windows 7 Build 6801 leaked from torrents and it worked
perfectly! I am waiting to download "The Net (1995)"... I am curious... ;)
November 22, 2008 at 11:23 PM
Nura M. said...

Hi!
I have forgotten that movie(The Net) you were talking about. I do not know if I may
be opportuned to have a look at it(refer me to site ), so that I can answer the
question.
I WISH TO HAVE MORE OF YOUR EDUCATING INFORMATION.
Thanks!
Nura
November 23, 2008 at 9:44 PM
Anonymous said...