Anyway, here is a quick explanation of how you do it:
Use a separate boot device to boot up your computer, it is probably easiest to use a Linux live environment with a GUI, like Linux Mint.
You need to make sure that the local drive is mounted to the live environment, it was a while since I last ran the Linux Mint live environment, but it should auto mount the local drive and put a shortcut on the desktop.
Go to Windows -> System32 on the local drive.
Rename the file sethc.exe to sethc.exe.backup then copy cmd.exe file to sethc.exe
Reboot back into windows.
You have now created a backdoor into the machine.
At the logon screen, press the Shift key five times, this normally opens a dialog box about enabling sticky keys, but since we replaced the normal sethc.exe file with a copy of cmd.exe, we will get a command line window, running as administrator, giving us unlimited access to make changes to the computer!
Now, to reset the admin password we need to use the net user command.
The syntax is this:
net user<username> <password>
So, if you want to set the password for the default Administrator account to “LemmyTest123”, you enter the following:
net useradministrator LemmyTest123
And press enter.
The password is now changed.
However, in some cases this may not be enough to get in as the default Administrator account is disabled.
Then you also need to enter this command:
net useradministrator /active:yes
Done, you should now be able to logon as the default admin user.
Remember, to restore this loophole, you need to boot thw Linux live environment again, go to Windows -> System32, delete the file called sethc.exe and rename the file sethc.exe.backup to sethc.exe
Its only possible if the machine doesnt have bitlocker enabled which requires a tpm and i believe its a feature only available on windows pro not windows home iirc.
Does the sethc workaround work in windows 11?
Anyway, here is a quick explanation of how you do it:
Use a separate boot device to boot up your computer, it is probably easiest to use a Linux live environment with a GUI, like Linux Mint.
You need to make sure that the local drive is mounted to the live environment, it was a while since I last ran the Linux Mint live environment, but it should auto mount the local drive and put a shortcut on the desktop.
Go to Windows -> System32 on the local drive.
Rename the file sethc.exe to sethc.exe.backup then copy cmd.exe file to sethc.exe
Reboot back into windows.
You have now created a backdoor into the machine.
At the logon screen, press the Shift key five times, this normally opens a dialog box about enabling sticky keys, but since we replaced the normal sethc.exe file with a copy of cmd.exe, we will get a command line window, running as administrator, giving us unlimited access to make changes to the computer!
Now, to reset the admin password we need to use the net user command.
The syntax is this:
net user <username> <password>
So, if you want to set the password for the default Administrator account to “LemmyTest123”, you enter the following:
net user administrator LemmyTest123
And press enter.
The password is now changed.
However, in some cases this may not be enough to get in as the default Administrator account is disabled.
Then you also need to enter this command:
net user administrator /active:yes
Done, you should now be able to logon as the default admin user.
Remember, to restore this loophole, you need to boot thw Linux live environment again, go to Windows -> System32, delete the file called sethc.exe and rename the file sethc.exe.backup to sethc.exe
It does still work, and my gut says it’s going to work for a long time. Unless they majorly re-kajigger the way windows works in future versions
Its only possible if the machine doesnt have bitlocker enabled which requires a tpm and i believe its a feature only available on windows pro not windows home iirc.