Use Kon-Boot to Login to Windows Without Knowing or Changing the Current Password

One of the most obvious and easiest ways to add another layer of protection to your computer is protecting your account with a password. It’s easy enough to do and you can either supply a new password during install, on first run of your new computer or later on through User Accounts in Control Panel. Although not quite as important on a single user machine, passwords are essential when multiple users have access to the same computer or when trying to lock down your child’s user account with parental controls etc.

One of the most common and frustrating problems you’ll encounter when troubleshooting or repairing a computer is that the user has forgotten or doesn’t know the logon password, or isn’t available to give you that important piece of information. Knowledgeable users will know this actually isn’t as big a problem as it seems, and there are various ways to get around a Windows logon password without knowing what it is.

For example, if no-one knows or remembers it, the password can be removed from the user account and reset by using a utility from a boot CD. If you want to find out what the password is without resetting it first, you can try to crack it with a tool such as Ophcrack. A few years back we also wrote about a program called DreamPack PL where you can hack into a Windows XP computer without changing the password. Each method has its plus and minus points, but there’s also another way to log in to a computer where you don’t actually make any permanent changes to the computer or need to reset/remove the password at all.

Kon-Boot is one of the best tools around which can log you into Windows without knowing the password. It works by hooking into the system BIOS and temporarily changing the contents of the Windows kernel while booting. It then allows you to enter anything as the password during login. The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened. Kon-Boot has been around a while, and updates have brought new features such as privilege escalation and the sticky keys workaround while adding compatibility for more recent operating systems such as Windows 8, 64-bit architecture and UEFI support. The program is split into two distinct versions: the free version (1.1) and the paid version (currently 2.2), which has newer features.

Kon-Boot Free Version

Because the last free version of Kon-Boot is 1.1, it lacks some features found in subsequent versions and is a bit limited regarding which Windows operating systems it can work with. For instance, it does not work with any type of 64-bit Windows and is also not compatible with any versions of Windows 8. There is some good news, however: the website lists Windows 7 as not compatible either, but we’ve tested extensively and used Kon-Boot on several occasions without issue in any 32-bit version of Windows 7. XP, Vista and Server 2003/2008 are officially supported.

Using Kon-Boot free is easy and you just burn the downloaded ISO file to CD. There is also the possibility to write the image onto a USB flash drive although you don’t use the ISO file to do it. We have covered this procedure in our “Create a Kon-Boot USB Flash Drive” article. Alternatively, if you want a bit more value out of your CD/USB, Kon-Boot is available on the main menu in more recent versions of our favorite bootable repair disc Hiren’s Boot CD.

After you download Kon-Boot free and write it onto CD or USB, simply boot your computer to that device (you will need to set the boot device in the BIOS) and a white screen will pop up. Press any key and a black screen will appear showing the process of hooking BIOS functions (the version number 1.0 appears to be an oversight by the developer). After a few more seconds the computer will start to boot normally.

Now when the Logon to Windows screen appears, simply type anything in the password box or leave the password field blank and you’re in! It really is that easy and you simply remove the USB drive or disc so on next reboot Kon-Boot won’t bypass the password again. It is known that not every computer’s BIOS will allow Kon-Boot to work but the majority will be fine if the operating system is compatible.

Kon-Boot Commercial Version

As the free version of Kon-Boot slowly becomes less useful over time because users are moving to 64-bit operating systems or Windows 8, looking at the commercial version is something that begins to make more sense. Currently a personal license for your own use is $15 and for businesses or budding technicians, a commercial license is required at $75. Kon-Boot is now also available for Mac OS X (same price as the Windows version) which allows you to bypass the password or create a new root account to change other users’ passwords.

Besides the 64-bit support and compatibility with Windows 8 (when tested, Windows 8.1 did not work with Kon-Boot 2.2), the commercial version also has better support for systems with a UEFI BIOS when you run Kon-Boot from USB flash drive. If you have a UEFI BIOS, make sure the “Secure Boot” option inside the BIOS is turned off. Kon-Boot is known to not work on domain controllers and it also can’t get past hard drive encryption. In the full Kon-Boot package is a simple installer frontend which gives the options of writing the program to CD or USB (with UEFI support). The ImgBurn burning software is required to burn the ISO file to disc.

Bypassing a password is done the same way as in the free version: boot with Kon-Boot and type anything for the password. Kon-Boot paid is also capable of performing privilege escalation, which allows you to perform administrative tasks as a non-administrative user or Guest. For example, you can boot up the computer with Kon-Boot, log in as a Guest and add a new user or even reset the administrator password! Here’s how it works:

1. Boot the computer with Kon-Boot and select to login as a Guest user or with your standard user account.

2. Open a Command Prompt (Win key+R -> cmd) and type these commands in turn:

copy c:\windows\system32\cmd.exe cmk.exe
cmk
whoami

If the whoami command result is “nt authority\system”, then you have elevated privileges and can run commands such as “net user”:

net user {admin} newpassword – resets the named admin’s password
net user /add {user} {password} – creates a new user with optional password

Another paid version feature is “Sticky keys” which is a type of escalation somewhat similar to the privilege escalation above, but this one allows you to open a Command Prompt with System administrator privileges before any users have logged on. The console window will show on the user selection or password entry screen and will allow you to execute similar commands to the desktop privilege escalation function.

To bring up the Command Prompt, all you have to do is boot your computer using Kon-Boot and when you reach user selection or password entry, simply tap the Shift key 5 times in quick succession. The new console window has “Administrator” in the title bar and a path of “C:\Windows\System32” which tells you this is an elevated command prompt. Do note that the Sticky Keys function needs to be enabled in Windows, and it should be on by default unless you have turned it off manually. Sticky Keys escalation also works in Windows XP but privilege escalation does not.
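
For defenders, both escalation features described above have a recognizable shape in process-creation telemetry: a renamed copy of cmd.exe, a shell running as SYSTEM under a non-SYSTEM parent, or a shell started at the logon screen. The following is an added example, not part of the original article or of Kon-Boot; the events are constructed, their field names are modeled on Sysmon Event ID 1, and the winlogon.exe/sethc.exe parentage of the Sticky Keys console is an assumption.

```python
# Added example: triage of process-creation events (constructed sample data).
# Field names are modeled on Sysmon Event ID 1; hostnames and users are made up.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: a console opened from the logon screen is parented by one of these.
LOGON_PARENTS = {"winlogon.exe", "sethc.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    user = event["User"].upper()
    parent_user = event.get("ParentUser", "").upper()
    is_shell = image in SHELLS or original in SHELLS
    # PE metadata says cmd.exe but the file on disk has another name (e.g. cmk.exe).
    if original in SHELLS and image != original:
        findings.append("renamed-shell")
    # Shell runs as SYSTEM although the process that started it does not.
    if is_shell and user == SYSTEM and parent_user and parent_user != SYSTEM:
        findings.append("system-shell-from-user-parent")
    # Shell started from the logon UI, before any user has signed in.
    if is_shell and basename(event.get("ParentImage", "")) in LOGON_PARENTS:
        findings.append("shell-at-logon-screen")
    return findings

SAMPLE_EVENTS = [  # constructed for illustration
    {"Image": r"C:\Users\Guest\cmk.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"PC01\Guest",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"PC01\alice", "ParentUser": r"PC01\alice",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def scan(events):
    """Return (image name, findings) for every event with at least one finding."""
    return [(basename(e["Image"]), f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_EVENTS):
        print(name, findings)
```

The article's own notes that Secure Boot must be turned off and that Kon-Boot cannot get past hard drive encryption are the preventive controls; this check only helps on machines where neither is in place.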

Although the free version of Kon-Boot is losing its effectiveness as time progresses and users move away from 32-bit Windows, it’s still a useful tool to have around while XP and Vista/7 32-bit are still frequently used. It’s a shame Kon-Boot free will probably not receive any more major updates to make it more compatible with newer operating systems, but all good things come to an end eventually.

For pretty much the ultimate in Windows password bypassing that works on 32-bit, 64-bit and UEFI equipped computers, and does so quickly and easily without changing files, cracking or removing current passwords, the paid version of Kon-Boot is well worth looking at.
