The information on this page is publicly available; much of it came from ChatGPT and Claude.ai. It is your responsibility to use this information appropriately.

====== Regaining Access to a Windows Computer Without a Known Password ======

If you have the *legal right* to access a Windows computer but don't know the password, here are safe and effective ways to regain access.

===== 1. Use a Password Reset Disk (if available) =====

  * Boot to the Windows login screen.
  * Insert the password reset disk.
  * Click **"Reset Password"** and follow the wizard.

> Note: Only works if the disk was created beforehand.

===== 2. Use Safe Mode with the Built-in Administrator (Windows 7 or earlier) =====

  * Reboot and press **F8** to access **Advanced Boot Options**.
  * Select **Safe Mode**.
  * Log in as the built-in **Administrator** account (if it is enabled and has no password).
  * Change the user's password via **Control Panel → User Accounts**.

> Note: The Administrator account is disabled by default in Windows 10/11.

===== 3. Use Bootable Utilities =====

==== Offline NT Password & Registry Editor ====

  * Free and open-source (text-based).
  * Download: https://pogostick.net/~pnh/ntpasswd/
  * Write the ISO to a USB drive using **Rufus** or similar.
  * Boot the target machine from the USB drive.
  * Follow the on-screen instructions to clear or reset the local account password.

==== Hiren's BootCD PE ====

  * GUI-based rescue environment.
  * Download: https://www.hirensbootcd.org/
  * Write the ISO to a USB drive (e.g. with **Rufus**).
  * Boot from the USB drive.
  * Use **NTPWEdit** or **Lazesoft Password Recovery** to blank or change a local password.

===== 4. Use Command Prompt via Recovery Console (Local Accounts) =====

  * Boot into the **Windows Recovery Environment** (Shift + Restart, or from a Windows installation USB).
  * Open **Command Prompt**.
  * Replace ''utilman.exe'' with ''cmd.exe'':\\ ''move c:\windows\system32\utilman.exe c:\windows\system32\utilman.bak''\\ ''copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe''
  * Reboot the machine.
  * On the login screen, click the **Ease of Access** button to open a command prompt.
  * Reset the password:\\ ''net user [username] [newpassword]''
  * Restore the original ''utilman.exe'' file:\\ ''copy c:\windows\system32\utilman.bak c:\windows\system32\utilman.exe''

===== 5. Reset Microsoft Account Password (Online Accounts) =====

  * Go to: https://account.live.com/password/reset
  * Follow the steps to reset the password via email, phone, or an authenticator app.

===== 6. Third-Party Tools (GUI-Based) =====

  * **Lazesoft Recovery Suite Home** (free): https://www.lazesoft.com/
  * **PassFab 4WinKey** (commercial): https://www.passfab.com/
  * **iSunshare Windows Password Genius** (commercial): https://www.isunshare.com/

====== Bypassing Windows Login with osk.exe ======

This page explains a legacy method for bypassing the Windows login screen using the ''osk.exe'' accessibility feature. Note: This method is largely blocked on modern systems and should only be used with proper authorization.

===== What is osk.exe? =====

''osk.exe'' is the **On-Screen Keyboard** executable in Windows. It is part of the **Ease of Access** tools that are available even on the login screen, intended to help users with physical limitations.

===== How the Exploit Works (In Theory) =====

The idea behind the exploit is to replace ''osk.exe'' with ''cmd.exe'' so that launching the On-Screen Keyboard at the login screen actually opens a command prompt with **SYSTEM-level privileges**. From there, one can reset a password or create a new administrative account.

==== Steps (assuming admin or physical access) ====

  - Boot into the Windows Recovery Environment (WinRE) or from a Windows installation USB/DVD.
  - Open a command prompt from the recovery options.
  - Rename the original ''osk.exe'':\\ ''move C:\Windows\System32\osk.exe C:\Windows\System32\osk_backup.exe''
  - Replace it with ''cmd.exe'':\\ ''copy C:\Windows\System32\cmd.exe C:\Windows\System32\osk.exe''
  - Reboot the machine.
  - At the login screen, click the On-Screen Keyboard icon.
  - A command prompt opens instead.
  - Reset the password or create a new user:
    * For example, to reset a password:\\ ''net user [username] [newpassword]''
    * Or to create a new admin user:\\ ''net user newuser newpassword /add''\\ ''net localgroup administrators newuser /add''

===== Limitations and Warnings =====

  * Most **modern Windows systems block this method** using security features like Windows Defender, Secure Boot, and the Trusted Platform Module (TPM).
  * This method **does not work if BitLocker is enabled** and the drive is locked.
  * It may trigger **security alerts or logs**, especially on domain-joined machines.
  * **Using this method without permission is illegal**.
  * For legitimate recovery, use tools such as:
    * Offline NT Password & Registry Editor
    * Microsoft Account password recovery tools

===== Bottom Line =====

The ''osk.exe'' method is a creative example of leveraging accessibility features for privilege escalation, but it is mostly ineffective on secure, up-to-date systems. It's useful from a **security awareness or forensic analysis** perspective, but not recommended for practical use today.

----

**Note:** Use these techniques only on machines you own or are authorized to service.

===== Notes and Cautions =====

  * Use these methods only if you are *legally authorized* to access the system.
  * These approaches will not help if the system drive is encrypted with **BitLocker** and you don't have the recovery key.
  * Antivirus software may flag some password reset tools.
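The PowerShell script below is an added example, not from the original page or from any of the tools it lists. It checks, from the defender's or forensic side, whether ''utilman.exe'' or ''osk.exe'' has been swapped for ''cmd.exe'' as described in section 4 and in the osk.exe steps above, and looks for the backup copies those procedures leave behind. It assumes a standard Windows install and an elevated prompt; the file names are the ones used on this page.

```powershell
# Added example (not part of the original page): detect the accessibility-binary
# swap described above. Assumes a standard Windows install; run elevated.
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

# Only the two binaries this page discusses; the list is a parameter.
$results = foreach ($name in 'utilman.exe', 'osk.exe') {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$name is missing from System32"
        continue
    }
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $desc = (Get-Item -Path $path).VersionInfo.FileDescription
    # Caveat: a copied cmd.exe is still a validly catalog-signed Microsoft file,
    # so the signature check alone will NOT catch the swap. It still catches an
    # unsigned or modified replacement, so it is worth recording.
    $sig  = (Get-AuthenticodeSignature -FilePath $path).Status

    [pscustomobject]@{
        File            = $name
        IdenticalToCmd  = ($hash -eq $cmdHash)
        FileDescription = $desc
        SignatureStatus = $sig
        Suspicious      = ($hash -eq $cmdHash) -or
                          ($desc -match 'Command Processor') -or
                          ($sig -ne 'Valid')
    }
}
$results | Format-Table -AutoSize

# The procedures on this page leave a renamed copy of the real binary behind;
# its presence in System32 is itself an indicator worth checking.
foreach ($bak in 'utilman.bak', 'osk_backup.exe') {
    $p = Join-Path $system32 $bak
    if (Test-Path -Path $p) {
        Get-Item -Path $p | Select-Object Name, Length, LastWriteTime
    }
}

# Remediation once a swap is confirmed: restore the original from the backup
# in WinRE, or run "sfc /scannow" to replace it from the component store.
```

On a domain-joined fleet the same hash comparison can be run remotely and the Suspicious column fed into whatever alerting the environment already uses.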