Windows – On Windows 7, how can I retrieve/set system (not administrator) password

passwordswindowswindows 7

Ok, so I know on many unix variants, you can set up a root / admin user, a standard user, etc. And by default sometimes on some distros of Linux the 'root' superuser is known to have a default password. For example (example only) on an Oracle Linux distro the default password could be just 'oracle'.

Now on the Windows side, I'm trying to get into the system account as apparently access is being denied even running things as 'Administrator' on the computer, like regedit, can still deny me access.

I notice in task scheduler and a few other areas, there seems to be some special or encrypted password for the 'LocalService' & 'NetworkService' users, that by Microsoft were programmed to do things like start the task scheduler, run background processes, etc. So if there's a way to find out the default passwords used for these accounts, that would offer a lot of help. If not able to just de-encrpyt them, then I'll reset them if anything.

Either way, is there a default system password for Windows? I essentially need super-user access to my local machine so if there's any way you can, I'd appreciate it.

P.S. I know in the past there were some exploits I used to take advantage of (for my own use) in Windows on my machine to run things at a higher privilege level. On Windows XP, killing explorer through task manager, then starting it again via schedtasks due to a security hole that allowed this, etc.

So if at all, (and this is for my machine only, I'm not trying to do this on someone else's machine) I need to gain access to the (a?) superuser account on the machine. My best bet at this point would be to use LocalService, or SYSTEM, as it'd be far powerful enough to get the stuff I need to do done.

Thanks for your help!

Regards

Best Answer

The SYSTEM and NETWORK SERVICE accounts are not real account and do not exist in the SAM – in other words, they cannot have a password set, and you cannot login into them. They only exist as "well-known SIDs" (security identifiers) – Windows simply gives special treatment to such SIDs as S-1-5-18 or S-1-5-20, similar to how uid 0 is special in Unix, and privileged programs can use this account by creating tokens themselves (similar to calling setuid()+capset() in Unix).

An easy way of running programs with SYSTEM privileges is via PsExec from Sysinternals:

psexec -dsi cmd

However, unlike Unix root, not even SYSTEM is allowed to bypass object ACLs – that's why all registry entries, system files and other things explicitly show SYSTEM in their ACLs. Instead, if an administrator needs for some reason to override an object's ACL, they can take ownership of that object using SeTakeOwnershipPrivilege¹ (granted by default to all Administrators). This works because an object's owner is always allowed to change its ACLs, even if they explicitly deny it; this is the only² exception Windows makes.

Sometimes access is being denied due to other reasons – many antivirus programs come with "self defense" kernel drivers, which patch various functions in the Windows kernel itself and make them reject modifications to specific keys or files based solely on their name; the block is before the original ACL checks take place, and no permission or privilege can override it. The only way to bypass such protection is to undo the kernel modifications; any kernel debugger can be used for this. Such tools as Kernel Detective can list all entries in the SSDT, which kernel driver has modified which function, and even have commands to reset the default values.

¹ If curious, you can use Process Explorer to view all SIDs and privilege bits assigned to a particular process. You'll see that not even the system processes have any sort of generic "override security" privilege; instead, only specific privileges such as SeImpersonate, SeTakeOwnership or SeCreateToken exist.

² For files, someone holding SeBackupPrivilege can read a file in "backup mode" – an archive containing the data, metadata, ACLs, ownership... – then optionally modify it, and restore it to the filesystem again. That is, assuming someone has reverse-engineered the structure of these backup archives. This is not available for other kinds of objects.

Related Solutions

How to Change Password of Another User in Windows 7 Without Using ‘Set Password’

First log into Administrator on command line:

runas /user: localmachinename \administrator cmd

Then change password with this command (edit it a little bit for your specific instance):

net user user_name  new_password

Windows – no administrator password for Windows 7

In a nutshell, the solution is to get into command prompt with elevated permissions The command line prompt is...

 net user <account> <new password> /active:yes

example:

net user Administrator MySuperSecretPassword /active:yes

... but how the hell do you do that if you don't know the administrators password? You can leverage the installation process...

Check out this answer by Alan Pine at http://community.spiceworks.com/how_to/show/59673-windows-7-8-local-admin-password-reset

He suggests to capitalize on the inherit nature of Admin privs during the installation process as a means of recovery. Summary of steps...

Use the installation media - DVD or Thumb drive - boot to this - press any key to install...
Get into the command prompt, and replace the c:\windows\system32\sethc.exe with cmd.exe
restart the installation process and get back into a command shell. Using the net use command reset
password and/or reset account activation.

I tried his steps and they worked fine. I had trouble with step 3 - exit and restart and wait for the logon screen. I wasn't sure if I was supposed to enter setup again or not. As it turns out, I entered setup again and did the step 4 sticky key thing. The command prompt did in fact show up for me. I was surprised..

Here are Alan's steps in details...

The following will guide on how to reset a password on a Windows 7/8 machine where you have no/forgotten the local administrator password.

WARNING: Resetting a password of a Windows account means that data that has been encrypted, such as Windows EFS or stored Internet Explorer passwords, will be history. Avoid this by resetting the password of an account that hasn’t been used, such as the built in "administrators" account (none of use that.... right?). Do you use BitLocker to encrypt the drive? If so you will first have to unlock the the drive/partition. If you didn’t use any Windows-based encryption you are safe to reset your password with this information.

1. Boot from Windows 7/8 setup Be sure that your BIOS boot order has your DVD/USB device as first boot device (for Dell, press F2 to enter BIOS) or if you have the ability to select a boot menu (F12 for Dell), then select the appropriate device listing for your case. If not using a Dell machine please refer to your manufactures directions for changing boot order. Using your Windows 7/8 setup DVD or flash drive, turn on the computer, and wait for the message "Press any key to boot from CD or DVD" and press any key.

2. Close Windows Setup Close the Language windows by clicking the X in the in the corner and confirm to cancel the Windows installation. Wait until you see the Windows 7/8 start screen.

3. Getting the CMD Prompt Windows 7/8 setup should greet you and encourage you to configure your language settings at this point Press SHIFT+F10 to open a command prompt, which should show you "X:\Sources" In the CMD Window enter (without " 's) "copy d:\windows\system32\sethc.exe d:\" If you get the error message along the lines of "The system cannot find the specified path" try replacing “d:” in the command above with different drive letters (possibly "e:" or "f:") until the error message disappears Were now going to replace the "Sticky Keys" app on your machine with a CMD prompt, enter "copy /y d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe" (without " 's) Once accepted exit and restart and wait for the logon screen.

4. Sticky Keys power... Activate Press the SHIFT key five times. You should now see the command prompt If your wondering what Sticky Keys are ... http://en.wikipedia.org/wiki/Sticky_keys

5. Find local users Type "net user' to get a listing of user names that reside on your machine.

6. Pick a user to reset From the list, choose a user name that you wish it reset and type "net user user_name new_password", user_name is the one you picked from the table (net user) and new_password is.... something you can remember If the user name or password contains blanks, you have to set it in quotes I.E C:\Windows\system32> net user “Alan Pine” “My Remembered Password”

7. TA DA! You just reset your Windows 7/8 password. Close the CMD window and log on with the aforementioned set "net user" Name and password. If you want to restore your "Sticky Keys" app, return to step one and walk through the process again and use this command in step 2: "copy /y d:\sethc.exe d:\windows\system32\sethc.exe" IN REPLACE OF "copy /y d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe"

Summary

Thanks Alan!

Best Answer

Related Solutions

How to Change Password of Another User in Windows 7 Without Using ‘Set Password’

Windows – no administrator password for Windows 7

Related Question