In a nutshell, the solution is to get into a command prompt with elevated permissions.
The command-line syntax is...
net user <account> <new password> /active:yes
example:
net user Administrator MySuperSecretPassword /active:yes
... but how the hell do you do that if you don't know the administrators password? You can leverage the installation process...
Check out this answer by Alan Pine at http://community.spiceworks.com/how_to/show/59673-windows-7-8-local-admin-password-reset
He suggests capitalizing on the inherent nature of Admin privs during the installation process as a means of recovery. Summary of steps...
- Use the installation media (DVD or thumb drive): boot to it and press any key to install...
- Get into the command prompt, and replace c:\windows\system32\sethc.exe with cmd.exe
- Restart the installation process and get back into a command shell.
- Using the net user command, reset the password and/or reset account activation.
I tried his steps and they worked fine. I had trouble with step 3 - exit and restart and wait for the logon screen. I wasn't sure if I was supposed to enter setup again or not. As it turns out, I entered setup again and did the step 4 sticky key thing. The command prompt did in fact show up for me. I was surprised.
Here are Alan's steps in details...
The following will guide you through resetting a password on a Windows 7/8 machine where you do not know or have forgotten the local administrator password.
WARNING: Resetting a password of a Windows account means that data that has been encrypted, such as Windows EFS or stored Internet Explorer passwords, will be history. Avoid this by resetting the password of an account that hasn't been used, such as the built-in "administrators" account (none of us use that.... right?). Do you use BitLocker to encrypt the drive? If so you will first have to unlock the drive/partition.
If you didn't use any Windows-based encryption you are safe to reset your password with this information.
1. Boot from Windows 7/8 setup
Be sure that your BIOS boot order has your DVD/USB device as first boot device (for Dell, press F2 to enter BIOS) or if you have the ability to select a boot menu (F12 for Dell), then select the appropriate device listing for your case. If not using a Dell machine please refer to your manufacturer's directions for changing boot order.
Using your Windows 7/8 setup DVD or flash drive, turn on the computer, and wait for the message "Press any key to boot from CD or DVD" and press any key.
2. Close Windows Setup
Close the Language window by clicking the X in the corner and confirm to cancel the Windows installation.
Wait until you see the Windows 7/8 start screen.
3. Getting the CMD Prompt
Windows 7/8 setup should greet you and encourage you to configure your language settings at this point. Press SHIFT+F10 to open a command prompt, which should show you "X:\Sources"
In the CMD Window enter (without " 's) "copy d:\windows\system32\sethc.exe d:\"
If you get the error message along the lines of "The system cannot find the specified path" try replacing "d:" in the command above with different drive letters (possibly "e:" or "f:") until the error message disappears
We're now going to replace the "Sticky Keys" app on your machine with a CMD prompt, enter "copy /y d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe" (without " 's)
Once accepted, exit and restart and wait for the logon screen.
4. Sticky Keys power... Activate
Press the SHIFT key five times. You should now see the command prompt
If you're wondering what Sticky Keys are ... http://en.wikipedia.org/wiki/Sticky_keys
5. Find local users
Type "net user" to get a listing of user names that reside on your machine.
6. Pick a user to reset
From the list, choose a user name that you wish to reset and type "net user user_name new_password", where user_name is the one you picked from the table (net user) and new_password is.... something you can remember
If the user name or password contains blanks, you have to set it in quotes, i.e. C:\Windows\system32> net user "Alan Pine" "My Remembered Password"
7. TA DA!
You just reset your Windows 7/8 password. Close the CMD window and log on with the aforementioned "net user" name and password.
If you want to restore your "Sticky Keys" app, return to step one and walk through the process again and use this command in step 2: "copy /y d:\sethc.exe d:\windows\system32\sethc.exe" in place of "copy /y d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe"
Summary
Thanks Alan!
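As an added defender-side check (not part of Alan's write-up or the original post), this PowerShell snippet looks for the traces the procedure above leaves behind on a machine: a sethc.exe whose hash matches cmd.exe or whose version resource does not identify it as sethc.exe, the backup copy left at the root of the system drive by step 3, and password-reset audit events (Security event ID 4724) if User Account Management auditing is enabled. The paths and event ID are standard Windows; the function name is my own.

```powershell
# Added example, not from the original post: look for a swapped sethc.exe and
# the other traces left by the reset procedure described above. Run elevated,
# since reading the Security log requires administrator rights.
function Test-SethcSwap {
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $sethc  = Join-Path $sys32 'sethc.exe'
    $cmd    = Join-Path $sys32 'cmd.exe'
    $backup = Join-Path $env:SystemDrive '\sethc.exe'   # left by "copy ... d:\"

    $findings = @()

    # 1. A copied cmd.exe is byte-identical to the real one, so the hashes match.
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += "sethc.exe is byte-identical to cmd.exe ($sethcHash)"
    }

    # 2. The version resource travels with the copy: cmd.exe reports
    #    OriginalFilename 'Cmd.Exe', a genuine sethc.exe reports 'sethc.exe'.
    #    Authenticode status is NOT a useful test here, because the copied
    #    cmd.exe carries its own valid Microsoft signature.
    $orig = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($orig -notlike 'sethc*') {
        $findings += "sethc.exe version resource reports OriginalFilename='$orig'"
    }

    # 3. Step 3 of the procedure copies the real sethc.exe to the drive root.
    if (Test-Path $backup) {
        $findings += "backup copy of sethc.exe present at $backup"
    }

    # 4. Password resets are logged as event 4724 (reset attempt) when User
    #    Account Management auditing is on; a reset from the logon-screen shell
    #    typically shows a SYSTEM subject rather than a logged-on user.
    $resets = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $resets) {
        $findings += "4724 at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
    }

    return $findings
}

Test-SethcSwap
```

An empty result means none of these traces were found; restoring the original sethc.exe (step 2 of Alan's restore note) clears findings 1 and 2.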
Best Answer
The SYSTEM and NETWORK SERVICE accounts are not real accounts and do not exist in the SAM – in other words, they cannot have a password set, and you cannot log in to them. They only exist as "well-known SIDs" (security identifiers) – Windows simply gives special treatment to such SIDs as S-1-5-18 or S-1-5-20, similar to how uid 0 is special in Unix, and privileged programs can use this account by creating tokens themselves (similar to calling setuid() + capset() in Unix).

An easy way of running programs with SYSTEM privileges is via PsExec from Sysinternals:

However, unlike Unix root, not even SYSTEM is allowed to bypass object ACLs – that's why all registry entries, system files and other things explicitly show SYSTEM in their ACLs. Instead, if an administrator needs for some reason to override an object's ACL, they can take ownership of that object using SeTakeOwnershipPrivilege [1] (granted by default to all Administrators). This works because an object's owner is always allowed to change its ACLs, even if they explicitly deny it; this is the only [2] exception Windows makes.

Sometimes access is being denied due to other reasons – many antivirus programs come with "self defense" kernel drivers, which patch various functions in the Windows kernel itself and make them reject modifications to specific keys or files based solely on their name; the block is before the original ACL checks take place, and no permission or privilege can override it. The only way to bypass such protection is to undo the kernel modifications; any kernel debugger can be used for this. Such tools as Kernel Detective can list all entries in the SSDT, which kernel driver has modified which function, and even have commands to reset the default values.

[1] If curious, you can use Process Explorer to view all SIDs and privilege bits assigned to a particular process. You'll see that not even the system processes have any sort of generic "override security" privilege; instead, only specific privileges such as SeImpersonate, SeTakeOwnership or SeCreateToken exist.
[2] For files, someone holding SeBackupPrivilege can read a file in "backup mode" – an archive containing the data, metadata, ACLs, ownership... – then optionally modify it, and restore it to the filesystem again. That is, assuming someone has reverse-engineered the structure of these backup archives. This is not available for other kinds of objects.