Windows Password Cracking Without External Tools

July 14, 2017 | Views: 9052

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Imagine if you will, a 17 hour work day, some idiot unplugged the main switch to your server rack (at the end of your 8 hour work day) and causes the entire server rack to go catatonic.  Zoom ahead forward, you finally have gotten almost everything fixed, the last server comes up and you are greeted with the lovely error: The Trust Domain relationship between this “workstation” and primary domain failed ( yes this happened on a server). Not only that but now your local admin account is completely locked out as well, and in order to fix the situation you must get back into the local admin account.

What you will learn:

This article will hopefully help you kill 2 birds with one stone: Fix a trusted domain relationship issue, and more importantly teach you how having physical access to any windows based system is all you need to get into the admin account.

Things you will need:

~Physical access to the laptop, desktop, or server you want to get into.

~A Windows install DVD or flash drive formatted and setup with the Windows content (as far as I am aware PE images won’t work). Does not matter if it is the same edition of Windows you currently have or not, as long as it is Windows 7 or Windows Server 2008 R2 or higher it will work.

~Snacks, because why not!

Start with the system completely turned off, put in your flash drive or make sure to put the DVD in before shutting down the system. Use the correct key for your particular system to bring up the boot menu (most popular is F12 for most brands) and boot off the disk or flash drive. You will eventually come to the Windows installer screen, and in the bottom left corner, you should see the option that says repair your computer, chose that and you will see a few options once that screen loads.

Here we are going to choose ‘Command Prompt’. This will allow us to make the needed changes to gain what would be considered root level access without having to log into windows, but more on this later on.

Once the command prompt opens up you will need to find what your C: drive has been renamed too, in most cases it’s D: but in the rare case it’s not, or your setup is odd, make sure you do the work to find out by running ‘diskpart’ and running the “List vol” command to see what drive letters have been used.

Once you have the correct drive lettering and have switched to that drive in command prompt we need to navigate to the /windows/system32 folder and do the following:  

Command copy utilman.exe utilman.exe.bak   then we need to overwrite utilman by doing the following command: copy cmd.exe utilman.exe  hit y for yes and then enter to accept, once you get the 1 file(s) copied message you can close out of cmd and reboot your system. Let it boot all the way to the windows login screen.


What we have just done is copied an unrestricted level of command prompt to run when the utilman.exe file runs, in case you are not aware, this is the name for the accessibility settings that show up on every windows login screen, you might not have ever used them, in most Windows systems it is either bottom left or bottom right corner.

Once you have opened the backdoor we just made, it’s time to do the following: net user username password     In this example I’ve used generic entries, but you could either reset an existing account that has admin rights or do the administrator account, if you wish to make a new account you would do the following:  net user /add username password  

One last thing we need to do is make sure we have admin rights, to do this we want to use net localgroup administrators username /add

Now you should be able to log into the local admin account, and in the instance of trust domain relationship, removing and re-adding to the domain is the best fix if you are in a corporate environment where you don’t have control over things like user accounts or domain controllers.   Hope this helps!

NOTE* once you are done make sure you open command prompt and clean up your backdoor by copying the original utilman back to its rightful place by doing the following from an admin level command prompt: copy utilman.exe.bak utilman.exe

Hope this helps!


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Should try this before close of day.

  2. Could this not be done without the install media, but merely starting in safe mode with command prompt?

    • So in the situation as discribed no, as the commands we need to run need to be at admin level, the Issie that comes into play with safe mode with cmd, just like the windows recovery environment if the admin account has been locked out and no other accounts exist in the local users with admin rights you won’t be able to complete the process, I. E. The cmd copy over top of utilman wouldn’t complete or it would but in a way that could possibly brick the operating system. I’m sure in some cases smwcp would be a slightly quicker method but it does leave a wider gap for possible errors and issues. Using an external media allows you to not have to worry about that, and thus making the process garenteed to work

    • Now if there were multiple local admin accounts, they weren’t disabled and were able to provide the password for said account in the WinRE environment, then sure it could work.

  3. I couldn’t log in into my window server 2008 account

    given an error message password and username in correct I need help to access my domain account tried all possible means but all wasn’t working

    • So this process is only for local access, If the domain controller is your own, and you don’t have the admin password you could use this method to gain access to the local machine, and then make adjustment needed to having an account in the admin group. If this is not your server or if you are on a corporate environment, you may run into some issues with GPO that your admin’s have put into place. Give me some more details and I’d be happy to do what I can to help 🙂

  4. Gracias! Maraming salamat po!

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?