FOR~GO
(For Geeks Only)
By Joe Callison
23 January 2021
I ran across a pretty useful trick for unlocking a Windows computer with a forgotten password for the only local account with administrator access, assuming file encryption had not been enabled. For a locked Microsoft account, see the instructions here (https://support.microsoft.com/en-us/account-billing/reset-a-forgotten-microsoft-account-password-eff4f067-5042-c1a3-fe72-b04d60556c37).
There is no need for any free or purchased utility designed for this purpose. Unlocking a local account simply requires any bootable media that has the command prompt option, such as Windows installation media or Windows recovery/repair media created for any Windows version from XP to Windows 10. It does not matter that it is different from the version on the computer as long as it will boot and you can run the command prompt (https://www.digitalcitizen.life/how-start-command-prompt-when-windows-doesnt-boot/). Just booting into the recovery options for the installed system will not allow access to the command prompt without entering the correct password. The trick is to somehow gain access to the command prompt of the already installed and running system.
The ease of access icon on the Windows sign-in page has a few functions that can be selected to run after booting but before even entering a password. If the command prompt is given the file name of one of those functions, it can be run from the sign-in page without entering a password. This is done by using the command prompt of the bootable media to access the Windows\system32 directory of the installed operating system (the drive letter may be different than normal after booting from the media, such as D: or F: instead of C:), renaming the executable file for one of the functions appearing in the ease of access menu, such as magnify.exe for the magnifier function, to magnify1.exe, and then renaming the cmd.exe file to magnify.exe.
For example: Suppose entering dir c: in the command prompt and pressing enter shows the files and folders for the installed version of Windows. If the prompt does not already show drive c, change to it by entering c: and pressing enter. Then change the current directory on the c: drive by entering cd \windows\system32 and pressing enter. Now the magnify.exe file can be renamed by entering rename magnify.exe magnify1.exe and pressing enter. Rename the cmd.exe file by entering rename cmd.exe magnify.exe and pressing enter. Now when you boot the installed operating system to the sign-in page, select the ease of access icon located between the network and power icons, and then select Magnifier, the command prompt will open instead. In the command prompt of the installed and running system, you can use the net user commands to add or change passwords, add or remove users, change account types, or whatever you want to do.
The user account with the forgotten password can be changed with the following command:
net user USERNAME *
Leave a space between the username and the asterisk. This will prompt for a password to be entered. It will not display or move the cursor as you enter the new password, so enter it carefully. You will be prompted to confirm the password in the same manner. If you enter both the same, it will succeed in changing to the new password. The usernames can be found by just entering net user in the command prompt and pressing enter.
In each of the following examples, leave a space before the /.
The built-in hidden Administrator account could be made active with the following command:
net user administrator /active:yes
The built-in hidden Guest account could be made active with the following command:
net user guest /active:yes
A new user with an administrator account can be added by running both of the following commands:
net user USERNAME PASSWORD /add
net localgroup Administrators USERNAME /add
After making the desired changes using the command prompt, locking or restarting will show any new or unhidden users at the new sign-in screen.
You will probably want to restore the original names by renaming the magnify.exe file back to cmd.exe and magnify1.exe back to magnify.exe, since until then selecting Magnifier at the sign-in page still opens a command prompt without a password. This can be done using File Explorer now that you can sign in. Be sure “File name extensions” and “Hidden items” are checked in the View tab of File Explorer to find the correct files.
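One way to confirm the original names really were restored is the PowerShell check below. It is an added example, not part of the original article; the function name Test-MagnifierRestored and its parameters are made up for illustration, and it assumes the magnify.exe and magnify1.exe names used above.

```powershell
# Added example, not from the original article.
# Assumption: Command Prompt's version resource reports an OriginalFilename
# beginning with "Cmd.Exe"; the hash comparison below does not rely on that.
function Test-MagnifierRestored {
    param(
        # Point this at D:\Windows\System32 (or similar) when checking from boot media.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        [string]$Tool     = 'magnify.exe',   # file the article replaced
        [string]$Backup   = 'magnify1.exe'   # temporary name used in the article
    )
    $toolPath   = Join-Path $System32 $Tool
    $cmdPath    = Join-Path $System32 'cmd.exe'
    $backupPath = Join-Path $System32 $Backup
    $findings   = @()

    $cmdPresent = Test-Path -LiteralPath $cmdPath -PathType Leaf
    if (-not $cmdPresent) { $findings += "cmd.exe is missing from $System32" }
    if (Test-Path -LiteralPath $backupPath -PathType Leaf) {
        $findings += "$Backup still exists; the original $Tool was not renamed back"
    }
    if (-not (Test-Path -LiteralPath $toolPath -PathType Leaf)) {
        $findings += "$Tool is missing from $System32"
    }
    else {
        # A renamed file keeps its embedded version resource.
        $original = (Get-Item -LiteralPath $toolPath).VersionInfo.OriginalFilename
        if ($original -like 'Cmd.Exe*') {
            $findings += "$Tool identifies itself as '$original' (Command Prompt)"
        }
        # Catches a copy of cmd.exe left under the tool's name.
        if ($cmdPresent) {
            $toolHash = (Get-FileHash -LiteralPath $toolPath -Algorithm SHA256).Hash
            $cmdHash  = (Get-FileHash -LiteralPath $cmdPath  -Algorithm SHA256).Hash
            if ($toolHash -eq $cmdHash) {
                $findings += "$Tool has the same SHA-256 hash as cmd.exe"
            }
        }
    }
    [pscustomobject]@{
        Tool     = $toolPath
        Restored = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-MagnifierRestored | Format-List
```

Restored should read True with an empty Findings list once both files have their original names back. Pass a different -Tool and -Backup if another ease of access executable was renamed instead of magnify.exe.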
For more information, see:
https://www.makeuseof.com/tag/3-ways-to-reset-the-forgotten-windows-administrator-password/