Hello World,
Today we will be speaking about how to reset a lost password on a Windows 2008/2012/R2 Core Edition. Recently, we encountered such a situation: we were asked to reset a lost password on a Hyper-V host running Core Edition. This was a critical situation, as nobody was able to work anymore. All the virtual machines were running but were considered out of the domain (you know the famous trust relationship failure…).
So our customer called us and asked whether there was a “quick and dirty” way to reset this password. We immediately thought about one of our posts explaining how to hack the system and have a command prompt show up at the login screen (see this post: Tip : reset admin password or create a new Admin account with system privileges).
So the customer tried out the provided procedure and, surprisingly, it didn’t work! The problem here was that the sethc.exe file is not present on the system when installing a Core version of the operating system, so the procedure could not be used. The customer had no access to the internet and had only a Windows installation media on site.
Well, that becomes challenging, doesn’t it? What would you do?
The Solution
In our post about resetting passwords, we were using the sethc.exe file to gain SYSTEM rights before even logging into the system. There is another utility (utilman.exe) that can be used as well to perform basically the same kind of hack. You can find a procedure description at this location.
As you can see, there are a lot of different procedures to reset a lost admin password. There is also a third option that we can use, and that we actually like to use because it’s a little bit cleaner. To reset our lost password on a Core Edition of Windows 2008/R2 or Windows 2012/R2 server, we will use this third approach.
Ready? Here is what we have done…
Recovery Step 1 – Copy Utilman.exe to your core server
Note:
We have performed this procedure on a Windows 2012 R2 (Core Edition). The process should be similar for Windows 2008 R2, but the screenshots or the screens you will see might be slightly different.
Step 1 – Boot the server from your Windows media (to have access to the WinPE environment). You might need to inject additional drivers depending on your situation; this can be done on the fly in WinPE.
Step 2 – When the Windows Setup page is displayed, press Next.
Step 3 – On the page with the Install Now button, click Repair your computer in the lower left corner.
Step 4 – In Choose an option, click the Troubleshoot icon.
Step 5 – In Advanced options, click the Command Prompt icon.
Step 6 – You should see the command line displayed.
Step 7 – Identify the OS partition of the machine by issuing the following commands: diskpart, then list vol.
Step 8 – In our example the OS partition is the C: drive and the Windows media is the D: drive. We need to get a copy of the utilman.exe file; this file will be the trigger for starting the command prompt at the login screen. To get this file, perform the following actions:
1. Create an empty directory (we will use the name mount) on the root of the OS partition by issuing the following command: mkdir c:\mount
2. Mount the install.wim file read-only by issuing the following command: dism /mount-wim /wimfile:d:\sources\install.wim /index:2 /mountDir:c:\mount /readonly
3. Copy utilman.exe to the correct location by issuing the following command: copy c:\mount\windows\system32\utilman.exe c:\windows\system32\utilman.exe
Note: You will need to adapt the drive letters to your environment. The /index value must point to a full (non-Core) image inside the WIM, since the Core image does not contain utilman.exe; dism /get-wiminfo /wimfile:d:\sources\install.wim lists the images and their index numbers.
Step 9 – Check that the file is present on your OS drive. You have now completed the first part of the recovery.
Recovery Step 2 – Call the Utilman.exe at login Screen
So far, you have simply copied a file (Utilman.exe) to your core server. The question now is how to call this file from the login screen. If you click on the Utility icon or press WinKey+U, you will just see the standard utility dialog; cmd.exe is not showing up yet.
To display the command prompt at login, we will use a quite well known approach as well: a registry key called Image File Execution Options. This key is normally used for debugging purposes; if you need to debug an application at startup, you populate this key accordingly.
We will use this key to have the command prompt displayed at the login screen when the utilman.exe utility is invoked. You have read correctly: we will need to modify the registry (offline) to inject the correct values for Image File Execution Options to work. In a previous post, we already explained how to perform an offline registry edit, and we will use exactly the same approach as described there.
You should still be in your WinPE environment (from Recovery Step 1) with the command prompt open. In the command prompt, issue the following command: regedit. This will open the Registry Editor.
In the Registry Editor, click on the HKEY_LOCAL_MACHINE node and, from the File menu, select Load Hive.
In the dialog box, find your OS partition and navigate to c:\Windows\System32\config. From that location, select the file Software (not the software.txt file, but the Software file without an extension).
Provide a name for the loaded hive and press OK.
Expand the newly created folder (e.g. PWD_HACK) and browse to the following location: HKLM\<%Name of loaded HIVE>\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Under Image File Execution Options, create a new key called Utilman.exe.
Select the utilman.exe key and create a new REG_SZ (String Value) called Debugger. Double-click the Debugger value and set it to c:\Windows\system32\cmd.exe.
When done, you can reboot your machine in normal mode.
Recovering your Password
With all the changes we have made, we should now be able to display the command prompt window and change the lost password. If you click the utilman icon or press WinKey+U, you should see the command prompt that you need to reset the password.
To reset the password of the administrator, type in the command prompt: net user administrator <%newPassword%>
Close the command prompt and you should be able to log in to your system running a Core Edition.
And voilà!
Final Notes
Resetting a lost password on a Windows Core Edition is not easy, but it’s not impossible. There are plenty of tools out there that can be used to reset passwords (free and commercial). In this post, we have described a way to reset a password using only Windows files (utilman.exe) and Windows techniques (Image File Execution Options). This tip can be used on a Full version or a Core version of Windows.
We thought that even on Windows Core editions sethc.exe or utilman.exe would be present on the system. Actually, this is not the case, so you cannot use the procedure described in the post: Tip : reset admin password or create a new Admin account with system privileges. We had to come up with an alternative way.
However, you have also seen that with a little bit of creativity and by reusing old recipes for resetting lost passwords, we were able to recover the password on a Core Edition server.
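From the administrator's side, the procedure above (and the cmd.exe-over-utilman.exe variant a reader proposes in the comments) leaves two artefacts on the running server: a Debugger value under Image File Execution Options for an accessibility binary, and an accessibility binary in System32 whose embedded OriginalFilename no longer matches its name. The PowerShell audit below is an added example written for this page, not code from the original post; the list of accessibility binaries, the Server Core check (based on the post's observation that utilman.exe and sethc.exe are absent on 2012 R2 Core) and the output format are this script's own assumptions.

```powershell
# Added example (not from the original post): audit the artefacts the utilman.exe
# procedure leaves behind, so they can be spotted on a running server.
#   1. An IFEO "Debugger" value on an accessibility binary (utilman.exe, sethc.exe, ...).
#   2. An accessibility binary in System32 that is really another program renamed
#      (its PE OriginalFilename does not match), or that is present on Server Core
#      although the post observed it is not installed there (2012 R2).
# Binary list, checks and output shape are assumptions of this script.
# Run from an elevated PowerShell prompt on the server being checked.

$IfeoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$System32    = Join-Path $env:SystemRoot 'System32'
$InstallType = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
$IsCore      = $InstallType -eq 'Server Core'

# Binaries reachable from the logon screen via the Ease of Access button or
# accessibility shortcuts. Only the first two are discussed in the post.
$AccessibilityBinaries = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebugger {
    param([string]$Binary)
    $key = Join-Path $IfeoRoot $Binary
    if (Test-Path -LiteralPath $key) {
        # "Debugger" is the value the post sets to c:\Windows\system32\cmd.exe
        return (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
    }
    return $null
}

function Test-AccessibilityBinary {
    param([string]$Binary)

    $path     = Join-Path $System32 $Binary
    $present  = Test-Path -LiteralPath $path
    $origName = $null
    $sigState = 'n/a'

    if ($present) {
        $item     = Get-Item -LiteralPath $path
        $origName = $item.VersionInfo.OriginalFilename
        # Windows system files are usually catalog-signed; Get-AuthenticodeSignature
        # resolves catalog signatures on Windows 8 / Server 2012 and later. A renamed
        # cmd.exe is *also* validly signed, so OriginalFilename is the decisive check.
        $sigState = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    }

    $debugger = Get-IfeoDebugger -Binary $Binary
    $reasons  = @()
    if ($debugger) { $reasons += "IFEO Debugger set to '$debugger'" }
    if ($present -and $origName -and ($origName -ne $Binary)) {
        $reasons += "OriginalFilename is '$origName', not '$Binary' (renamed binary?)"
    }
    if ($present -and $IsCore -and ($Binary -in 'utilman.exe', 'sethc.exe')) {
        $reasons += 'present on Server Core, where the post found this binary is not installed'
    }
    if ($present -and ($sigState -notin 'Valid', 'n/a')) {
        $reasons += "Authenticode status $sigState"
    }

    [pscustomobject]@{
        Binary     = $Binary
        Present    = $present
        Debugger   = $debugger
        OrigName   = $origName
        Signature  = $sigState
        Suspicious = $reasons.Count -gt 0
        Reasons    = ($reasons -join '; ')
    }
}

$results = $AccessibilityBinaries | ForEach-Object { Test-AccessibilityBinary -Binary $_ }
$results | Format-Table Binary, Present, Debugger, OrigName, Signature, Suspicious -AutoSize | Out-Host

$hits = $results | Where-Object Suspicious
if ($hits) {
    Write-Warning 'Suspicious accessibility-binary configuration found:'
    $hits | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Binary, $_.Reasons) }
    # Remediation for the IFEO case, once you have confirmed no legitimate debugger
    # is meant to be configured for that binary:
    #   Remove-ItemProperty -LiteralPath "$IfeoRoot\utilman.exe" -Name Debugger
} else {
    Write-Host 'No IFEO debugger or renamed accessibility binary detected.'
}
```

The OriginalFilename comparison is a heuristic (it is case-insensitive, and a binary whose version resource was stripped reports nothing), so treat a mismatch as a prompt to verify the file against a known-good copy rather than as proof. The same check can be scheduled or fed into whatever configuration-monitoring you already run, since the Debugger value persists across reboots and is easy to overlook.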
Now, it’s up to you to choose your solution…..
Disclaimer:
Use this tip only on systems to which you have legal access. I’m not encouraging you to crack or hack systems where you have no authorized access. This post is intended for educational purposes.
Or in short (a little bit simpler):
– Boot From Recovery CD
– Press “F10”
– Type ‘copy D:\Windows\System32\cmd.exe D:\Windows\System32\utilman.exe’ (replace drive letter)
– Reboot and press the utility manager symbol
– Type ‘net user Administrator *’
– Enter the password
Done
@Tilj
Thank you for sharing this information and providing different ways to perform the same workaround
Till next time
See ya