Hello World,
Today we are talking again about Windows Server Core editions and lost passwords :<. We have already published tips on resetting passwords on Core editions, but those instructions no longer work against Windows Server 2016 and later Core installations. It is time to update them so the tip works against these newer operating systems.
If you are interested, have a look at the older posts we have published about lost passwords:
- Tip : How to Reset Lost Password on a Core Server
- Tip : reset admin password or create a new Admin account with system privileges
So, let's do this…
Overview
Disclaimer
These instructions are provided AS IS! Use them at your own risk! We do not encourage you to crack or hack systems to which you have no authorized access. This post is intended for educational purposes only.
Our Scenario
We came across a situation where a critical Windows Server Core machine had a serious issue and somebody needed to log on to it. The server was out of the domain, there were no cached credentials, and obviously nobody knew the local administrator password. To make it a little more complicated, there was no Internet access, so none of the usual free tools (we will not name them; you all know them) that can reset a local administrator password could be downloaded.
So the only things available on this network were the Windows ISO file and a broken server that nobody could log on to. Our first thought was to boot from the Windows ISO, get into the WinPE environment and apply the usual trick to reset the password. But re-reading our old post, we realised that the logon screen on Windows Server Core 2016 and later has changed: the old Windows logon shell (blue background), from which you could call well-known executables such as Utilman.exe or sethc.exe, is gone.
Modern Windows Server Core editions present this new logon "shell" instead. We also know that those well-known executables are not even present on a Core server, since Core is a cut-down version of the Windows operating system.
So we had to find another way to get into the system and bypass the logon prompt in front of us. It took us some time to realise that the solution was right in front of our eyes…
Our Approach…
Now it is time to explain what we did to recover this server. Basically we used the standard approach for this kind of situation: either you have a WinPE image and boot from it, or you have a bootable Windows ISO and boot from that. We used the second option because it was the only one available to us at that moment.
Step 1 – Boot from Window ISO
Depending on your scenario (physical or virtual machine), boot from your bootable Windows ISO image. When the installation wizard starts, set the language and keyboard settings as required and press Next.
On the next installation screen, click the Repair your computer link to get access to the command-line tool we will use to make the necessary change.
On the Choose an option screen, select Troubleshoot (the second option on the screenshot).
Finally, on the Advanced options page, select Command Prompt.
After clicking Command Prompt, you get a command-line interface running inside the recovery environment. Note that the recovery environment itself lives on the X: drive, so the installed operating system usually has a different drive letter here than it will have once booted.
Step 2 – Modify “Offline Registry”
In the command prompt, run regedit. This opens the registry editor, which is available in the recovery environment.
In the registry editor, select the HKEY_LOCAL_MACHINE node and, from the File menu, select Load Hive.
In the dialog box, find your OS partition (remember that it may not be C: under the recovery environment) and navigate to \Windows\System32\config. From that location, select the file named SOFTWARE with no extension (not the .LOG1/.LOG2 transaction log files next to it). If the OS volume is protected by BitLocker, you have to unlock it first (for example with manage-bde -unlock and the recovery key), otherwise the hive cannot be read.
Give the loaded hive a name and press OK.
Expand the newly created node (e.g. PWD_HACK) and browse to HKEY_LOCAL_MACHINE\<name of loaded hive>\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Under Image File Execution Options, create a new key called LogonUI.exe.
Select the LogonUI.exe key and create a new REG_SZ (String Value) called Debugger. Double-click the Debugger value and set its data to c:\Windows\system32\cmd.exe (the path as the installed system will see it after boot, not the drive letter the recovery environment assigned).
When done, select the loaded hive node again and choose File > Unload Hive so the change is written back to disk, then remove the installation media and reboot the machine.
Step 3 – Recover your Password !
Because of the registry change, Windows now starts a command prompt instead of the logon shell that would ask for a username and password. Image File Execution Options tells the loader to run the Debugger program in place of LogonUI.exe, and since winlogon starts LogonUI.exe as LocalSystem, the cmd.exe you get runs as SYSTEM. You have nothing else to do: the prompt is there and you are ready to reset the password or create a new account with admin rights to restore your lost access.
To reset the administrator password, type in the command prompt net user administrator <%newPassword%>. If the account has been disabled, also run net user administrator /active:yes.
Step 4 – Revert your Changes while logged in
Since we are already on the machine and have reset the admin password, we can revert the change right away. Start the registry editor again and delete the LogonUI.exe key we created under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
Close the command prompt, wait a few minutes (or reboot) and the standard logon shell should be displayed again.
At this stage you can log on to the system with the new password you have set and perform whatever actions are needed to restore services on this machine.
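The whole procedure from Step 2 to Step 4 can also be done from the command line with reg.exe and net.exe, which are present both in the recovery environment and on Server Core. The script below is an added example written for this post, not the original author's script: the offline phase replaces the regedit clicks of Step 2 (run it from the WinRE command prompt), the online phase does Steps 3 and 4 (run it from the SYSTEM cmd.exe that appears after the reboot). The hive name PWD_HACK is the one used above; the drive letters it probes, the account name Administrator and the rescueadmin name in the comments are assumptions.

```batch
@echo off
setlocal EnableExtensions
rem pwreset.cmd - IFEO "Debugger" trick for a Windows Server Core box, in two phases.
rem   Phase 1, from the WinRE/Setup command prompt:          pwreset.cmd offline
rem   Phase 2, from the SYSTEM cmd.exe that replaces LogonUI: pwreset.cmd online NewPassword
rem Added example, not the original post's script. PWD_HACK, the probed drive letters
rem and the account name are assumptions; adjust them to fit the box.

set "IFEO=Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set "IMAGE=LogonUI.exe"
set "HIVE=HKLM\PWD_HACK"
set "ACCOUNT=Administrator"

if /i "%~1"=="offline" goto :offline
if /i "%~1"=="online"  goto :online
echo Usage: %~nx0 offline
echo        %~nx0 online NewPassword
exit /b 1

:offline
rem Under WinRE the installed OS is usually NOT C: and X: is the WinRE RAM disk. Find the
rem partition that actually carries the SOFTWARE hive instead of guessing a letter.
set "OSDRIVE="
for %%d in (C D E F G H) do (
    if not defined OSDRIVE if exist "%%d:\Windows\System32\config\SOFTWARE" set "OSDRIVE=%%d:"
)
if not defined OSDRIVE (
    echo Could not find an offline SOFTWARE hive on C: to H:. Check with diskpart or bcdedit.
    exit /b 1
)
echo Offline Windows found on %OSDRIVE%

rem Load the offline SOFTWARE hive under a temporary name, same as File, Load Hive in regedit.
rem A BitLocker-protected volume must be unlocked first or this step fails.
reg load %HIVE% "%OSDRIVE%\Windows\System32\config\SOFTWARE" || exit /b 1

rem Create IFEO\LogonUI.exe and point Debugger at cmd.exe; reg add creates the missing
rem subkeys itself. The path is the one the booted OS will see, normally C:, not %OSDRIVE%.
reg add "%HIVE%\%IFEO%\%IMAGE%" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f || exit /b 1

rem Show what was written, then unload so the change is flushed to disk before the reboot.
reg query "%HIVE%\%IFEO%\%IMAGE%" /v Debugger
reg unload %HIVE%
echo Done. Remove the ISO and reboot; a SYSTEM cmd.exe should appear instead of the logon screen.
exit /b 0

:online
if "%~2"=="" (
    echo Missing new password.
    exit /b 1
)
rem winlogon starts LogonUI.exe as LocalSystem, so the replacement cmd.exe inherits SYSTEM.
whoami

rem Reset the password and make sure the account is enabled in case it was disabled.
rem net user enforces the local password policy, so a too-simple password is rejected
rem here instead of being silently accepted.
net user %ACCOUNT% "%~2" || exit /b 1
net user %ACCOUNT% /active:yes
rem Alternative: create a fresh local admin instead of touching the built-in account
rem   net user rescueadmin "%~2" /add
rem   net localgroup Administrators rescueadmin /add

rem Revert: delete the key that redirected LogonUI.exe, then confirm no Debugger value is
rem left anywhere under IFEO. An unexpected hit here is a classic persistence trick and
rem deserves a look before the box goes back into service.
reg delete "HKLM\SOFTWARE\%IFEO%\%IMAGE%" /f
reg query "HKLM\SOFTWARE\%IFEO%" /s /v Debugger
echo Revert done. Close this window or reboot; the normal logon screen should come back.
exit /b 0
```

The final reg query is expected to report that nothing was found; any remaining Debugger value under Image File Execution Options means either the revert did not happen or somebody else has been using the same mechanism on this machine.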
And Voila !
Final Notes
In the past we have already looked at how to reset passwords on Windows Servers (with or without a desktop interface). There are plenty of tools that can help you reset passwords on Windows machines. However, in some situations you have no access to these tools and you have to use what is in front of you (i.e. the Windows source files).
In this post we have described a way to reset a password using only files that ship with Windows (LogonUI.exe and cmd.exe) and a built-in Windows mechanism (Image File Execution Options). This tip can be used on a full version or on a Core version of Windows. The approach is a nice one because it is relatively simple and clean as well: you simply delete a registry key to revert to a normal situation. Keep in mind that the same Debugger value is a well-known persistence trick, so do not leave it behind, and that the whole technique only works because anybody with console access can read and modify an unencrypted system disk.
If you use this tip on a full version of Windows, the registry key would obviously be something different (for example sethc.exe or Utilman.exe).
Hope you enjoyed this post
Till next time
See ya
This extremely helped me. Absolutely 💯 for the information. I had luck resetting my password and getting in.
@Roman,
Thank you for visiting our blog and providing feedback. This tip really helped us a lot and we are happy to see that other people can benefit from it.
Till next time
See ya