If you have the *legal right* to access a Windows computer but don’t know the password, here are safe and effective ways to regain access.

• Boot to Windows login screen.
• Insert the password reset disk.
• Click "Reset Password" and follow the wizard.

Note: Only works if the disk was created beforehand.

• Reboot and press F8 to access Advanced Boot Options.
• Select Safe Mode.
• Log in as the built-in Administrator account (if enabled and no password).
• Change the user's password via Control Panel → User Accounts.

Note: The Administrator account is disabled by default in Windows 10/11.

• Free and open-source (text-based).
• Download: https://pogostick.net/~pnh/ntpasswd/
• Burn the ISO to a USB using Rufus or similar.
• Boot the target machine from the USB.
• Follow on-screen instructions to clear or reset the local account password.

• GUI-based rescue environment.
• Download: https://www.hirensbootcd.org/
• Burn ISO to USB (e.g. with Rufus).
• Boot from the USB drive.
• Use NTPWEdit or Lazesoft Password Recovery to blank or change a local password.

• Boot into Windows Recovery Environment (Shift + Restart or via installation USB).
• Open Command Prompt.
• Replace Utilman.exe with cmd.exe:

move c:\windows\system32\utilman.exe c:\windows\system32\utilman.bak
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe

• Reboot the machine.
• On the login screen, click the Ease of Access button to open a command prompt.
• Reset the password:

net user <username> newpassword

• Restore the original `utilman.exe` file:

copy c:\windows\system32\utilman.bak c:\windows\system32\utilman.exe

• Go to: https://account.live.com/password/reset
• Follow the steps to reset the password via email, phone, or authenticator.

• Lazesoft Recovery Suite Home (Free): https://www.lazesoft.com/
• PassFab 4WinKey (Commercial): https://www.passfab.com/
• iSunshare Windows Password Genius (Commercial): https://www.isunshare.com/

This page explains a legacy method for bypassing the Windows login screen using the `osk.exe` accessibility feature. Note: This method is largely blocked on modern systems and should only be used with proper authorization.

`osk.exe` is the On-Screen Keyboard executable in Windows. It is part of the Ease of Access tools that are available even on the login screen, intended to help users with physical limitations.

The idea behind the exploit is to replace `osk.exe` with `cmd.exe` so that launching the On-Screen Keyboard at the login screen actually opens a command prompt with SYSTEM-level privileges. From there, one can reset a password or create a new administrative account.

1. Boot into Windows Recovery Environment (WinRE) or from a Windows installation USB/DVD.
2. Open a command prompt from the recovery options.
3. Rename the original osk.exe:
   move C:\Windows\System32\osk.exe C:\Windows\System32\osk_backup.exe
4. Replace it with cmd.exe:
   copy C:\Windows\System32\cmd.exe C:\Windows\System32\osk.exe
5. Reboot the machine.
6. At the login screen, click the On-Screen Keyboard icon.
7. A command prompt opens instead.
8. Reset the password or create a new user:
   • For example, to reset a password:
     net user [username] [newpassword]
   • Or to create a new admin user:
     net user newuser newpassword /add
net localgroup administrators newuser /add

• Most modern Windows systems block this method using security features like Windows Defender, Secure Boot, and Trusted Platform Module (TPM).
• This method does not work if BitLocker is enabled and the drive is locked.
• It may trigger security alerts or logs, especially on domain-joined machines.
• Using this method without permission is illegal.
• For legitimate recovery, use tools such as:
  • Offline NT Password & Registry Editor
  • Microsoft Account password recovery tools

The `osk.exe` method is a creative example of leveraging accessibility features for privilege escalation, but it is mostly ineffective on secure, up-to-date systems. It's useful from a security awareness or forensic analysis perspective, but not recommended for practical use today.

Note: Use these techniques only on machines you own or are authorized to service.

• Use these methods only if you are *legally authorized* to access the system.
• These approaches will not help if the system drive is encrypted with BitLocker and you don’t have the recovery key.
• Antivirus software may flag some password reset tools.