How to crack windows passwords in 5 minutes

I’ve been meaning to write about this for a long time. Windows 7 at its core has a huge security flaw that can easily be exploited to log into any machine you have physical access to.

It all starts at the password-protected login screen (winlogon.exe). There you find 2 important information:
– The user names
– The accessibility shortcuts still work (try hitting leftalt+leftshift+printscr from the login screen)

To enable those, winlogon.exe executes another exe: sethc.exe (you may have already the sticky-keys dialog popup that it triggers)

The flaw comes from the fact that winlogon executes c:\windows\system32\sethc.exe no matter what the file actually is.
If you can replace that file with a command prompt, this means that you can access the prompt from the login screen.
this can easily be exploited to change the user’s password and bypass the login screen:

Anyways, here is the 5 minutes procedure:
1/ Reset the computer, hit F8 for boot options and select “Repair your computer”
2/ Start a Command Prompt
3/ Make a backup of sethc.exe:
move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck
4/ Copy your cmd prompt:
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5/ Restart computer
6/ At login screen, trigger the sticky keys helper (ie. sethc.exe) by hitting shift 5 times
7/ With the new prompt, change the password:
net user [username] [pasword]

Don’t forget to restore the original sethc.exe file once you are done.

The downside of this method is, of course, the fact that you need physical access to the machine.
Still, the flaw has been existing for so long you wonder how come it’s still not patched up…

5 thoughts on “How to crack windows passwords in 5 minutes

  1. I am so hoping you are able to help! I forgot my user password for my only admin account, no disks or third party software available…
    And i tried this fix but didn’t make a backup of cmd or sethc before changing it, and when i pressed shift 5 times the sticky keys request was there and not cmd. Now when i redo the process, to do it correctly, i cannot find any sethc. I had renamed it to sethc-copy but it isn’t I’m the system32 folder.

    I already unchecked read only and the hidden files box was already unchecked. I would very much appreciate your help!

  2. Will this method work with Windows 10? I usually use the password utilities such as PCUnlocker, Ophcrack and Offline NT Password & Registry Editor.

Leave a Reply

Your email address will not be published. Required fields are marked *