The "To Keep Up" Wiki

A collection of information we find useful

bypassing_the_login_password

Differences

This shows you the differences between two versions of the page.

bypassing_the_login_password [2025.08.01 08:36] – [4. Use Command Prompt via Recovery Console (Local Accounts)] Steve Isenbergbypassing_the_login_password [2025.08.02 15:38] (current) Steve Isenberg
Line 1: Line 1:
 ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~; ~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc> visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
 +
 +The information on this page is publicly available, much of it came from ChatGPT and Claude.ai.  It is your responsibility to use this information appropriately.
  
 ====== Regaining Access to a Windows Computer Without a Known Password ====== ====== Regaining Access to a Windows Computer Without a Known Password ======
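Review bot: the provenance sentence added at the top says much of the content came from ChatGPT and Claude.ai but not which statements were checked on a real machine; since the osk.exe section added further down makes specific claims about what blocks the method, consider saying which steps were actually tested. Minor: "The information on this page is publicly available, much of it came from ..." is a comma splice (use a semicolon or "and"), and the double space after "Claude.ai." should be a single space.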
Line 40: Line 42:
   * Boot into **Windows Recovery Environment** (Shift + Restart or via installation USB).   * Boot into **Windows Recovery Environment** (Shift + Restart or via installation USB).
   * Open **Command Prompt**.   * Open **Command Prompt**.
-  * Replace `Utilman.exewith `cmd.exe`+  * Replace ''Utilman.exe'' with ''cmd.exe''
-    <code> +    <code>move c:\windows\system32\utilman.exe c:\windows\system32\utilman.bak 
-    move c:\windows\system32\utilman.exe c:\windows\system32\utilman.bak +copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe</code>
-    copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe +
-    </code>+
   * Reboot the machine.   * Reboot the machine.
   * On the login screen, click the **Ease of Access** button to open a command prompt.   * On the login screen, click the **Ease of Access** button to open a command prompt.
   * Reset the password:   * Reset the password:
-      <code> +      <code>net user <username> newpassword</code>
-    net user <username> newpassword +
-      </code>+
   * Restore the original `utilman.exe` file:   * Restore the original `utilman.exe` file:
-      <code> +      <code>copy c:\windows\system32\utilman.bak c:\windows\system32\utilman.exe</code>
-    copy c:\windows\system32\utilman.bak c:\windows\system32\utilman.exe +
-      </code>+
  
 ===== 5. Reset Microsoft Account Password (Online Accounts) ===== ===== 5. Reset Microsoft Account Password (Online Accounts) =====
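Review bot: the markup in this section is now inconsistent: the "Replace" bullet was changed from backticks to DokuWiki ''...'' quoting, but the "Restore the original `utilman.exe` file" bullet still uses backticks; switch it to ''utilman.exe'' as well. Also, in `net user <username> newpassword` only the username is a placeholder while `newpassword` reads as a literal value a reader might type in; write it as `net user <username> <newpassword>` so both are clearly placeholders. Collapsing the single-command <code> blocks onto one line is fine; the two-command block keeps one command per line, which is the right choice.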
Line 64: Line 60:
   * **PassFab 4WinKey** (Commercial): https://www.passfab.com/   * **PassFab 4WinKey** (Commercial): https://www.passfab.com/
   * **iSunshare Windows Password Genius** (Commercial): https://www.isunshare.com/   * **iSunshare Windows Password Genius** (Commercial): https://www.isunshare.com/
 +
 +
 +
 +====== Bypassing Windows Login with osk.exe ======
 +
 +This page explains a legacy method for bypassing the Windows login screen using the `osk.exe` accessibility feature. Note: This method is largely blocked on modern systems and should only be used with proper authorization.
 +
 +===== What is osk.exe? =====
 +
 +`osk.exe` is the **On-Screen Keyboard** executable in Windows. It is part of the **Ease of Access** tools that are available even on the login screen, intended to help users with physical limitations.
 +
 +===== How the Exploit Works (In Theory) =====
 +
 +The idea behind the exploit is to replace `osk.exe` with `cmd.exe` so that launching the On-Screen Keyboard at the login screen actually opens a command prompt with **SYSTEM-level privileges**. From there, one can reset a password or create a new administrative account.
 +
 +==== Steps (assuming admin or physical access): ====
 +
 +  - Boot into Windows Recovery Environment (WinRE) or from a Windows installation USB/DVD.
 +  - Open a command prompt from the recovery options.
 +  - Rename the original ''osk.exe'':\\ ''move C:\Windows\System32\osk.exe C:\Windows\System32\osk_backup.exe''
 +  - Replace it with ''cmd.exe'':\\ ''copy C:\Windows\System32\cmd.exe C:\Windows\System32\osk.exe''
 +  - Reboot the machine.
 +  - At the login screen, click the On-Screen Keyboard icon.
 +  - A command prompt opens instead.
 +  - Reset the password or create a new user:
 +    * For example, to reset a password:\\ ''net user [username] [newpassword]''
 +    * Or to create a new admin user:\\ ''net user newuser newpassword /add''\\ ''net localgroup administrators newuser /add''
 +
 +===== Limitations and Warnings =====
 +
 +  * Most **modern Windows systems block this method** using security features like Windows Defender, Secure Boot, and Trusted Platform Module (TPM).
 +  * This method **does not work if BitLocker is enabled** and the drive is locked.
 +  * It may trigger **security alerts or logs**, especially on domain-joined machines.
 +  * **Using this method without permission is illegal**.
 +  * For legitimate recovery, use tools such as:
 +    * Offline NT Password & Registry Editor
 +    * Microsoft Account password recovery tools
 +
 +===== Bottom Line =====
 +
 +The `osk.exe` method is a creative example of leveraging accessibility features for privilege escalation, but it is mostly ineffective on secure, up-to-date systems. It's useful from a **security awareness or forensic analysis** perspective, but not recommended for practical use today.
 +
 +----
 +
 +**Note:** Use these techniques only on machines you own or are authorized to service.
  
 ===== Notes and Cautions ===== ===== Notes and Cautions =====
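Review bot: the new osk.exe section duplicates section 4 (boot to WinRE, swap an accessibility binary in System32 for cmd.exe, run `net user` at the login screen) with only the file name changed, and it is added as a second top-level ====== heading with its own Limitations, Bottom Line and Note, so the page now has two parallel structures; fold it into section 4 as an "osk.exe variant" bullet, and merge the "For legitimate recovery, use tools such as" list and the authorization note into section 5 and "Notes and Cautions", which already cover those. The Limitations list also needs tightening: the first bullet attributes the blocking to Windows Defender, Secure Boot and TPM, while the second bullet separately says the method fails when BitLocker has the drive locked; because the steps run from WinRE before Windows starts, state which of these actually prevents the offline file swap rather than listing all four as if they were equivalent, since that is the point a reader checking their own machine needs. Small consistency points: the section opens with "This page explains" although it is now a section of this page, and placeholders are `[username]` here but `<username>` in section 4.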
bypassing_the_login_password.1754062562.txt.gz · Last modified: by Steve Isenberg