Tip : How to Reset Lost Password on a Core Server 2016 and later

Hello World, 

Today, we will speak again about Windows Core editions and lost passwords. In the past, we have already published some tips about resetting passwords on Windows Core edition, but the instructions provided do not work against Windows Server 2016 and later Core editions. It is time to update the instructions and make the tip work against these newer operating systems.

If you are interested, you can have a look at the old posts we have published about lost passwords.

So, let's do this…

Overview

Disclaimer 

These instructions are provided AS IS! Use them at your own risk! We do not encourage you to crack or hack systems where you have no authorized access. This post is intended for educational purposes.

Our Scenario  

We came across a situation where a critical Windows Core server was having serious issues and there was a need to log on to it. The server was out of the domain, there were no cached credentials, and obviously nobody knew the local admin password. To make it a little bit more complicated, Internet access was not available, so it was not possible to download any of the free tools (we will not mention them; I'm sure you all know them) and software that could have helped in resetting the local admin password.

So, the only things available on this network were the Windows ISO file and a broken server that nobody could connect to. Immediately, we thought about booting from the Windows ISO, going to the WinPE environment and doing the trick to reset the password on the server… But then, reading through our old post, we realized that the login screen on Windows Core Server 2016 and above has changed. There is no longer the Windows login (blue background) shell from which you can call some well-known executables like Utilman.exe or sethc.exe.

So, we have this new login "shell" on modern Windows Core operating systems. We also know that these well-known executables are not even available on a Core server, since this is a shrunk-down version of the Windows operating system.

So, we had to find a way to still get access to the system and basically bypass the login prompt presented to us… It took us some time before realizing that the solution was right in front of our eyes…

Our Approach…  

So, now it's time to explain what we did in order to recover this server. Basically, we used the standard approach for such a situation: either you have a WinPE image and boot from it, or you have a bootable Windows ISO file and boot from it. We used the second option because it was the only one available to us at that moment.

Step 1 – Boot from Windows ISO

Depending on your scenario (physical machine or virtual machine), you will need to boot from your bootable Windows ISO image. When the installation wizard starts, set your settings as required and press Next.

In the next installation screen, click on the Repair your computer link in order to get access to the command line tool we will use to perform the necessary change.

In the Choose an option screen, select the option Troubleshoot (the second option on the screenshot).

Finally, in the Advanced Settings page, select the option Command Prompt.

After clicking on Command Prompt, you can see that we indeed have access to a command line interface.

Step 2 – Modify “Offline Registry”

In the command prompt, issue the following command: regedit. This will open the registry editor.

In the registry editor, select the HKEY_LOCAL_MACHINE node and, from the File menu, select Load Hive.

In the dialog box, find your OS partition and navigate to c:\Windows\System32\config. From this location, select the file Software (not the software.txt file but the software file).

Provide a new name for the hive and press OK.

Expand the newly created folder (e.g. PWD_HACK) and browse to the following location: HKLM\<%Name of loaded HIVE>\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Under Image File Execution Options, create a new key called LogonUI.exe.

Select the LogonUI.exe key and create a new REG_SZ (String Value) called Debugger. Select the string value Debugger, double-click on it and set its value to c:\Windows\system32\cmd.exe.

When done, you can reboot your machine…

Step 3 – Recover your Password!

The change we made in the registry will basically start a command prompt with admin rights instead of the login shell where you would need to enter your username and password… You have nothing to do: the prompt is there and you are ready to reset the password or create a new user account with admin rights in order to restore your lost access…

To reset the password of the administrator, type the following in the command prompt: net user administrator <%newPassword%>

Step 4 – Revert your Changes while logged in 

Since we are already on the machine and have reset the admin password, we can revert the changes we made right away. We simply need to start the registry editor again and delete the key we created under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.

Wait a few minutes and the standard login shell should be displayed again.

At this stage, you can try to log in to your system with the new password you have set, and you can perform whatever action is needed to restore services on this specific machine.
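As an added, defender-side example (not code from the original post): a PowerShell audit that lists every Image File Execution Options Debugger value, flags the logon-related images named in this post, and removes the LogonUI.exe key created in Step 2 so you can confirm the revert in Step 4. It assumes an elevated PowerShell session on the repaired server; the function names, the -Root parameter and the -WhatIf preview are mine, and HKLM\PWD_HACK is only the hive name chosen in Step 2.

```powershell
# Added example, not from the original post: audit the IFEO tree for Debugger
# values (the mechanism this post uses on LogonUI.exe) and remove the one
# created in Step 2. Assumes an elevated session on the live server; -Root can
# also point at an offline hive loaded as HKLM\PWD_HACK (the Step 2 name).
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    param([string]$Root = $IfeoRoot)
    # Images named in the post: they run at or before the logon screen, so a
    # Debugger value on any of them hands a shell to whoever sits at the console.
    $logonImages = @('LogonUI.exe', 'sethc.exe', 'Utilman.exe')

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Image     = $_.PSChildName
                Debugger  = $props.Debugger
                LogonPath = ($logonImages -contains $_.PSChildName)
            }
        }
    }
}

function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Image,
        [string]$Root = $IfeoRoot
    )
    $key = Join-Path $Root $Image
    # Delete the whole subkey, as Step 4 does in regedit: the key was created
    # solely to hold the Debugger value, so nothing legitimate is lost.
    if (Test-Path $key) {
        if ($PSCmdlet.ShouldProcess($key, 'Remove IFEO key')) {
            Remove-Item -Path $key -Recurse
        }
    }
}

# List every Debugger entry and flag the logon-related ones.
Get-IfeoDebugger | Format-Table -AutoSize

# Revert the Step 2 change; drop -WhatIf once the preview looks right.
Remove-IfeoDebugger -Image 'LogonUI.exe' -WhatIf
```

A Debugger value pointing at cmd.exe under any of these images is what a routine audit should look for. The technique also depends on booting the server from other media to edit the offline hive, so BitLocker on the OS volume and a locked boot order remove that step.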

And voilà!

Final Notes

In the past, we have already investigated how to reset passwords on Windows Servers (with or without a desktop interface). There are plenty of tools that can help you reset passwords on Windows machines. However, in some specific situations, you have no access to these tools and you need to use what you have in front of you (i.e. the Windows source files).

In this post, we have described a way to reset a password using only Windows files (LogonUI.exe) and Windows techniques (Image File Execution Options). This tip can be used on a full version or on a Core version of Windows. This approach is a really nice one because it's relatively simple to use and it's clean as well: you simply need to delete a registry key to revert back to a normal situation.

If you use this tip on a full version of Windows, obviously, the registry key would be something different (something like sethc.exe or Utilman.exe).

Hope you enjoyed this post 

Till next time 

See ya  

2 thoughts on “Tip : How to Reset Lost Password on a Core Server 2016 and later”

  1. This extremely helped me. Absolutely 💯 for the information. I had luck resetting my password and getting in.

  2. @Roman,
    thank you for visiting our blog and providing feedback. This tip really helped us a lot and we are happy to see that other people can benefit from it.
    Till next time
    See ya