Did you ever try to log in to your friend's computer and fail? After reading this you can do it. The OS can be Windows 7 or 8, or the latest Windows 10: you can bypass the password on protected user accounts.
This exploit takes advantage of the Ease of Access tool on the login page by 'tricking' Windows into launching a fully privileged command prompt when you select the On-Screen Keyboard. This is done by renaming the On-Screen Keyboard executable to something random and renaming cmd.exe to the On-Screen Keyboard's previous name. (The steps below use the Magnifier executable instead of the On-Screen Keyboard; the trick is identical.) It will all make sense later.
What you need:
- Any Linux Live CD/DVD/USB with Live option (ex. Ubuntu Live, Linux Live, Kali, etc.).
- Ability to use said Linux CD/DVD/USB.
- Basic understanding of the Windows file structure, i.e. you can navigate it.
- Physical access to said Windows box.
- Ability to use the command line and a basic understanding of the net user commands.
- Boot Live Linux
Insert the CD/DVD into the drive and reboot the machine to start your Live DVD. You may need to go into the BIOS screen and change the boot order to CD/DVD drive first, HDD second.
- Navigate to System32
Use the file browser in your Linux environment to navigate to %windir%/System32/. You may have to right-click and mount the Windows partition/drive first, or mount it with the ntfs-3g command.
- Rename magnify.exe
Find and rename magnify.exe (the Magnifier program) to magnify.old.
- Rename cmd.exe
Find and rename cmd.exe to magnify.exe.
- Shut down Linux and reboot into Windows
Log out, remove the DVD/USB, and reboot into Windows.
- Get a CMD prompt and modify accounts
When Windows reboots, click the Ease of Access button in the bottom left corner.
Tick Magnifier and hit Apply. You now have a SYSTEM-level command prompt. At this point we will only change the admin password and not any of the 1000 other things that could be done from here!
Tip: inside Windows you can right-click cmd.exe and choose Run as administrator for elevated privileges; editing files under System32 would never be allowed at a basic, non-elevated level (caution).
Your options here:
net user username new_password
When you do so, the password changes without any confirmation prompt.
Add an account:
net user username password /add
Tip: if the username contains a space, like sivarathan sivarajah, wrap it in quotes: "sivarathan sivarajah".
Add the account to the local Administrators group:
net localgroup administrators username /add
Delete an account:
net user username /delete
Remote Desktop Users group (just in case; the group name contains spaces, so it must be quoted):
net localgroup "Remote Desktop Users" UserLoginName /add
Net user syntax reference: net user commands.
For domains, i.e. servers: net user for domain.
That is it. Now you can log in to any password-protected Windows machine.
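The swap described above works because the Windows partition is not encrypted, so System32 can be edited from any boot disk; full-disk encryption (BitLocker) and a firmware boot-order password are the controls that stop it. For checking a machine that has already been tampered with, here is an added detection script (my own example, not part of the original post). It assumes Windows PowerShell 5.1 or later and that the listed file names are the Ease of Access helpers reachable from the logon screen; it flags any of them whose Authenticode signature is not valid, whose SHA-256 hash equals that of cmd.exe, or whose embedded OriginalFilename does not match the name it carries on disk.

```powershell
# Added detection check (not from the original post): verifies that the
# Ease of Access helper binaries in System32 are still the genuine files
# and have not been swapped for a renamed cmd.exe.
# Assumption: Windows PowerShell 5.1+; the file list below is my own choice
# of the accessibility helpers launched from the logon screen.
$system32 = Join-Path $env:windir 'System32'
$accessibilityBinaries = @(
    'magnify.exe', 'osk.exe', 'sethc.exe', 'utilman.exe',
    'narrator.exe', 'displayswitch.exe', 'atbroker.exe'
)

# Reference hash of the real cmd.exe on this machine. A helper binary that
# hashes identically is just cmd.exe under another name.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

$findings = foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    # The PE version resource keeps the file's original name; renaming the
    # file on disk does not change it (cmd.exe still reports Cmd.Exe).
    $origName = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    $expected = [IO.Path]::GetFileNameWithoutExtension($name)

    [pscustomobject]@{
        File             = $name
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
        OriginalFilename = $origName
        MatchesCmdHash   = ($hash -eq $cmdHash)
        Suspicious       = ($sig.Status -ne 'Valid') -or
                           ($hash -eq $cmdHash) -or
                           ($origName -notmatch [regex]::Escape($expected))
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'One or more Ease of Access binaries look tampered with; compare them against a known-good Windows image.'
}
```

Run it from an elevated PowerShell prompt. The signature check alone is not enough: Windows system files are catalog-signed by hash, so a renamed cmd.exe still reports a valid Microsoft signature under its new name, which is why the hash comparison and the OriginalFilename check are the parts that actually catch this swap.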