Backdoor to Reset Administrator Password or Add New User in Windows 7

As long as there is physical access to a computer, it is always possible to gain access to the operating system even if it is password protected. For example, you can use Kon-Boot to log in to any user account in Windows with any password by booting the computer from the CD or USB. If the BIOS is secured with a password to prevent changing the boot order, you can change the jumpers or remove the battery from the motherboard to clear the CMOS settings. As long as you can boot the computer from CD or USB, there are quite a lot of tools that allow you to reset a user account password even if you don’t know the original password.

Here is an interesting method which I recently discovered that allows you to plant a backdoor in your Windows 7 operating system so that you can always reset a password or even add a new user account without first logging in to Windows. This method is a bit restrictive because it requires administrator privilege on the computer in order to make the change to the system, but it does not involve installing any third-party software or modifying any system files like the old DreamPackPL did. This backdoor allows you to run a command prompt (cmd.exe) with SYSTEM privilege from the Windows 7 login screen. With a SYSTEM-privilege command prompt in your hands, you can do a lot of things, from creating new accounts to resetting the administrator password, to gain access to a password-protected Windows. Check out these step-by-step instructions:

1. First, make sure you are logged in as an administrator. Click on the Start button, type cmd in the “Search programs and files” box, right-click the cmd.exe entry that appears in the list and select “Run as administrator”.

2. Copy the command below and paste it to the command prompt.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

If you see the message “The operation completed successfully”, the backdoor has been installed. If not, make sure you are logged in to a user account with administrator privilege and that you ran cmd.exe as administrator.

[Screenshot: Image File Execution Options]

3. When you are at the login screen, either press the SHIFT key five times in a row or press Alt+Shift+PrintScreen; both will open a command prompt with SYSTEM privilege. You can now do whatever you want with it, such as typing:

Explorer – Intended to launch Explorer and give you access to the Start menu and taskbar. In practice, any attempt to run Windows Explorer from this prompt fails with the error “The server process could not be started because the configured identity is incorrect. Check the username and password”. If you need to inspect the files and folders on the system, use the dir command in cmd instead.

[Screenshot: Launch Command Prompt CMD before login]

Net user user_name new_password – This command sets a new password for any username without requiring the current password.

Net user user_name password /add – This command adds a new user to the system so you can log in to Windows without touching the existing user accounts.

This proof of concept has been around for a very long time and is not really an exploit, which is why Microsoft does not intend to patch or block it. To remove or uninstall the backdoor, simply delete the registry value you added, or paste the command below into an elevated command prompt and press the Y key to confirm the deletion.

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"

Here is a simple explanation of how this backdoor works. On the Windows login screen you are allowed to turn on Sticky Keys or High Contrast using the hotkeys (Shift x 5 or Alt+Shift+PrintScreen). Attempting to turn on either one launches sethc.exe. Adding the registry value above tells Windows that you want to run cmd.exe as the debugger for sethc.exe, but the problem is that Windows does not check whether it is a valid debugger. So whenever you try to launch Sticky Keys or High Contrast on the Windows 7 login screen, you get the command prompt instead.
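For administrators who want to check whether this kind of Debugger redirection has been planted on a machine, here is an added audit script (it is not from the original article): it lists every Image File Execution Options subkey carrying a Debugger value and flags the accessibility binaries that the login screen can launch before anyone signs in. The list of binaries beyond sethc.exe is my assumption about which programs fall into the same class; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original article: audit Image File Execution
# Options (IFEO) for Debugger values, the mechanism the sethc.exe trick relies on.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Accessibility binaries reachable from the logon screen. sethc.exe is the one the
# article uses; the rest are assumed to be in the same class and are included so
# the audit covers them too.
$logonReachable = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                    'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-IfeoDebuggerFindings {
    $findings = @()
    foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
        # Only subkeys that actually define a Debugger value are interesting.
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }

        $image = $key.PSChildName
        $reachable = $logonReachable -contains $image.ToLower()
        $findings += [pscustomobject]@{
            Image       = $image
            Debugger    = $debugger
            LogonScreen = $reachable
            # Any Debugger value deserves review; one on a logon-screen binary is
            # exactly the article's backdoor and is rated HIGH.
            Severity    = if ($reachable) { 'HIGH' } else { 'REVIEW' }
        }
    }
    return $findings
}

$results = Get-IfeoDebuggerFindings
if (-not $results) {
    Write-Output 'No Debugger values found under Image File Execution Options.'
} else {
    $results | Sort-Object Severity | Format-Table -AutoSize
}

# To clean up a HIGH finding for sethc.exe, the article's REG DELETE command
# removes the whole subkey; the equivalent PowerShell for just the value is:
#   Remove-ItemProperty -Path "$ifeoPath\sethc.exe" -Name Debugger
```

A runtime sign of the same thing is a cmd.exe running as SYSTEM whose parent is winlogon.exe while the machine sits at the logon screen, which is what this registry value produces.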

Below is a video demo to show how the whole thing works.
