Recover Windows 7 password of admin account with auto-logon enabled

16

7

I have a Windows 7 installation with just one (admin) account (guest is disabled). It is set to auto-login so I can get in without any problems and I can also 'right click' -> 'run as administrator' things without having to type any password, just by clicking 'yes' when the UAC prompt appears.

I forgot the password and I'd like to recover it.

I've read that (because of auto-logon) I should have these keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "1"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = username
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword = password

I have AutoAdminLogon and DefaultUserName but not DefaultPassword.

How can the system auto-logon if the password is not there? Can it be somewhere else?

Having that I can run things as administrator I feel like there should be a way to change the password without entering the old one, but can't figure how...

EDIT I don't think my password is blank because if I try to change it in the account settings leaving the old password field blank it tells me the password is wrong

EDIT2 ophcrack finds 4 hashes and yields no error but the .txt where it is supposed to put the password is empty. I'm really starting to think that the admin password is indeed empty... Is there a way to be sure of it? And if it's really empty, shouldn't there be a not-hacky way to set one?

EDIT3 As suggested by the user @abhishekkannojia I tried the command:

net user *account name* *new password*

But before going through the steps to get a super user shell I tried it on a shell run as administrator and surprise surprise... it worked! It did not ask me for the previous password and I've checked that the new one is effectively active. Out of curiosity I tried that command again and it still let me change the password of the account I'm logged into without asking me for the previous one. This is kind of strange but... it worked.

So, I'm accepting @abhishekkannojia's answer but I recommend anyone who will read this question to try my "soft" version first (using an administrator shell). A special thanks to @Jason C who posted the software: http://securityxploded.com/windows-autologin-password.php which would have been perfect for me if I had configured the auto-logon like this

flagg19

Posted 2014-06-17T14:44:29.923

Reputation: 373

Just an off the top of my head thought is the correct registry setting hiding within the wow64 section instead? – CharlesH – 2014-06-17T14:52:20.073

HKEY_LOCAL_MACHINE\Software\Wow6432Node... – CharlesH – 2014-06-17T14:53:30.400

@CharlesH I don't think so, at that path I don't even have AutoAdminLogon and DefaultUserName – flagg19 – 2014-06-17T14:58:18.727

Ah fair enough sorry was sitting on a train on my phone so could not check myself. Just a thought as the AutoLogon tool from sysinternals is 32 bit. Hopefully you've sorted this now anyway. – CharlesH – 2014-06-18T08:08:09.673

Answers

12

I remember when I forgot my Windows Admin Password and how I tried various methods to recover the password. The following method worked for me.
You cannot recover the password with the following method, but you can reset it. The idea behind the method is to somehow obtain Super User privilege (System User in Windows) to modify the admin's user account.

Steps:

  1. First of all, rename the file sethc.exe, located in system32, to sethc.exe.old and create a copy of cmd.exe located in the same directory. Now rename the newly copied cmd.exe to sethc.exe. These files are located in C:\Windows\System32\ .
    Note that Windows 7 does not allow you to modify system files. To do that you can get any live bootable Linux which can be booted through USB. There are tons of them, choose any of them. Now, when the system is booted into Linux, mount the Windows partition and perform the above task.

  2. Now reboot into Windows. At the login screen, press the Shift key 5 times. A command window will appear (this prompt will have System User privileges). Now type the following command to change the password.

    C:\> net user admin new-password

    Replace admin with your username and new-password with the new desired password.

  3. You can now Login with New password. You also need to revert back the changes you made in 1st step. You can again login through live bootable media and change the files to their original state.

Hope It helps. Let me know if this worked for you. :)

abhishekkannojia

Posted 2014-06-17T14:44:29.923

Reputation: 871

make use of windows 7 recovery cd to boot & then edit them! – Vignesh Nedunchezhiyan – 2014-12-11T12:49:36.933

Since he already mentioned he has auto-login and can do 'right click' -> 'run as administrator', your first step is unnecessary. All he needs to do is right-click command prompt -> 'run as administrator' -> 'net user admin new-password' – Chris – 2014-12-30T17:25:51.843

This sounds similar in concept, but way more convenient, than the method described at http://pcsupport.about.com/od/windows7/ht/reset-password-windows-7.htm (that one uses utilman instead of sethc).

– Jason C – 2014-06-17T15:33:22.247

I've tried this and it is a very neat hack. You need something like a Windows or Linux CD/DVD to do it though - if you can't log in to the machine. – Kinnectus – 2014-06-17T15:35:34.047

Yeah very neat trick, saved me from lot of time cracking the password. Instead of sethc.exe utilman.exe can also be replaced as they both are available on login screen. – abhishekkannojia – 2014-06-17T15:40:29.193

very clever idea... but if the point of it is just to obtain a super user shell can't I just run a prompt as admin and run "net user admin new-password"? – flagg19 – 2014-06-17T15:44:02.000

@flagg19 You can try it, but I'm not sure if it will work. I think to change the current password you need to provide your old password. Which is not the case with Super user privilege, which can change any account without the requirement of their password. – abhishekkannojia – 2014-06-17T15:47:08.163

@abhishekkannojia is a super user privilege shell different from a shell run as administrator? – flagg19 – 2014-06-17T15:50:08.683

@flagg19 Yes, they are different: super user (System User in Windows) is above Administrators. Refer here http://support.microsoft.com/kb/120929

– abhishekkannojia – 2014-06-17T15:53:53.873

@abhishekkannojia An admin shell should work just as well. Incidentally, doing the trick you mentioned before logging in will give you a shell under System, as this is the user that WinLogon runs as; however, once you are logged in you can just open a CMD window without the need for all the hassle, which is just a trick for when not logged in – yoel halb – 2014-06-17T20:59:54.943

1

Also, Windows 7 indeed allows you to modify any file including system files, but you first have to take ownership of the file via right click -> security -> edit -> Owner -> Change owner – yoel halb – 2014-06-17T21:03:35.967

5

This doesn't change the password, this resets the password. And you can do it from any Administrator-privileged user (though not to the account you are currently logged in as, usually). Note the distinction for resetting the password: you will also lose any saved credentials for network shares, etc., and EFS (NTFS encryption) certificates permanently. – Bob – 2014-06-18T04:51:48.060
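A defender-side check for the swap discussed in this answer and its comments (sethc.exe or utilman.exe replaced with a copy of cmd.exe), useful for confirming that the revert in step 3 was actually done. This is an added example, not part of the original answer; the function names and the demo directory contents are constructed for illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Logon-screen helpers named on this page: Sticky Keys and the Ease of Access launcher.
WATCHED = ("sethc.exe", "utilman.exe")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_system32(system32: Path) -> list:
    """Report watched binaries that are byte-identical to cmd.exe, missing,
    or that still have a '.old' backup left over from the swap."""
    # Case-insensitive lookup: an NTFS volume mounted from a live Linux
    # system is case-sensitive, while Windows itself is not.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    cmd_hash = sha256_of(files["cmd.exe"]) if "cmd.exe" in files else None
    findings = []
    for name in WATCHED:
        if name not in files:
            findings.append(f"{name}: missing")
        elif cmd_hash is not None and sha256_of(files[name]) == cmd_hash:
            findings.append(f"{name}: identical to cmd.exe")
        if name + ".old" in files:
            findings.append(f"{name}.old: leftover backup")
    return findings


def constructed_demo() -> list:
    """Build a constructed stand-in for System32 in the state left by step 1."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cmd.exe").write_bytes(b"constructed cmd image")
        (root / "sethc.exe").write_bytes(b"constructed cmd image")  # swapped copy
        (root / "sethc.exe.old").write_bytes(b"constructed sethc image")
        (root / "Utilman.exe").write_bytes(b"constructed utilman image")
        return audit_system32(root)


if __name__ == "__main__":
    # Pass a real path (System32 on Windows, or the mounted volume) to audit it.
    results = audit_system32(Path(sys.argv[1])) if len(sys.argv) > 1 else constructed_demo()
    print("\n".join(results) if results else "no findings")
```

On 64-bit Windows, run it with a 64-bit Python; a 32-bit process is redirected to SysWOW64 when it opens the System32 path.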

6

There are plenty of ways to recover a Windows 7 password, most can be found by searching for "windows 7 recover password".

There is a tool specifically for recovering auto-login passwords. I have not tried it but if it works it is likely the quickest option:

See "windows 7 recover autologin password" for more options along that line.

The easiest, failing that, is probably to use one of the 8 password recovery tools found here, which include:

There is also a less convenient but slightly more legit (still hacky) way here. Although I do not know if that one will work with auto-login enabled. It is likely quicker than the above, however. Another answer below (or above as the case may be) describes a similar technique.

Once you are done, if you feel this may happen again, consider creating a password reset disk.

Jason C

Posted 2014-06-17T14:44:29.923

Reputation: 8 273

Thanks, I've googled a lot before posting this question and found many of those "hacks" but I thought that having the auto-login and the chance to run things as admin would have made possible some less-hacky ways... – flagg19 – 2014-06-17T15:21:21.597

1

@flagg19 Try this: http://securityxploded.com/windows-autologin-password.php

– Jason C – 2014-06-17T15:27:06.767

that tool from securityxploded runs but tells me exactly what I see in the registry keys I posted: "username:myusername password:" can't understand if it can't get it or it believes it to be blank – flagg19 – 2014-06-17T15:39:42.507

@flagg19 Is it possible your password is indeed blank? That is, are you sure you enabled auto-logon with a password rather than just setting a blank password? When you go Start -> Run -> netplwiz, is the "users must enter a user name and password to use this computer" box checked? – Jason C – 2014-06-17T15:46:10.603

edited question about the blank password possibility – flagg19 – 2014-06-17T15:47:46.713

@flagg19 I would try abhishekkannojia's method first, then. If that fails try the third method I posted above (the "slightly more legit" technique), then the crackers. – Jason C – 2014-06-17T15:52:08.393

3

Contrary to micwallace, another SO/SU question (here) confirms that this CAN be done in Windows 7 (and, actually, we do it on some machines where I work and the steps are identical). This should work on non-domain installs too.

Returning to your question: If the "password" box is empty then, at a guess, the admin password is blank. Especially if the machine logs in automatically and the registry keys don't have password containing any text.

Kinnectus

Posted 2014-06-17T14:44:29.923

Reputation: 9 411

If the password is blank (I don't think so but it can be), it should be possible to change it in the account settings just by leaving the "old password" field blank, right? It tells me that the password is not correct – flagg19 – 2014-06-17T15:29:08.203

Yes, but (as you have found) the "old" password is incorrect which means the registry settings aren't working or they are stored elsewhere... What I would probably suggest you do - if you are desperately trying to reset the password - is to download a LiveCd containing, for example, NTPasswd that can reset the local user account password. – Kinnectus – 2014-06-17T15:33:25.313

1

Another easy way to change the password without needing to know it first would be via the Local Users and Groups section in Computer Management.

Just right click on the user and select Set Password.

It's possible that some editions of Windows don't have this though - I can't remember which.

Note that you'll need to reset your auto login afterwards so that it continues to auto-login.

Jon Egerton

Posted 2014-06-17T14:44:29.923

Reputation: 399

0

Those registry values aren't supported after Windows XP :(

I think the only way is to use a recovery boot cd to reset or crack the password hash. This one looks like the go: http://pogostick.net/~pnh/ntpasswd/

micwallace

Posted 2014-06-17T14:44:29.923

Reputation: 182

I've seen many guides using them in Windows 7, but I can't remember what exactly I did long ago to set up auto-logon. Hash cracking is not an option, can't remember the password but it was long, more than an affordable rainbow table can handle ;) – flagg19 – 2014-06-17T14:59:47.493

You don't need a huge rainbow table, you can use http://pcsupport.about.com/od/toolsofthetrade/gr/ophcrack.htm which is a boot CD, otherwise you're just left with resetting. A lot of computers come from the manufacturer like that.

– micwallace – 2014-06-17T15:06:43.840

Thanks I'm gonna try Ophcrack but isn't it just using a small (<700mb) rainbow table? – flagg19 – 2014-06-17T15:11:11.320

Yes I think it has a rainbow table but also does CPU rule-based cracking. – micwallace – 2014-06-17T15:12:33.187

@micwallace http://securityxploded.com/windows-autologin-password.php is specifically designed for recovering auto-login passwords quickly.

– Jason C – 2014-06-17T15:31:50.543

@micwallace - I have a tool that can reset the password on any modern version of Windows. The better solution is a tool that will literally load the HIVE then change the password for you. It's called PasswordResetKey

– Ramhound – 2014-06-17T15:33:17.127