Exploiting Utilman.exe to recover Windows passwords

Sometimes you must do bad things to regain control of Windows. Yes, I know there are simpler ways, but this laundry list does work.

  1. Boot the computer from a DVD or a USB stick.
  2. Begin the installation procedure.
  3. Select Repair your computer in the lower left corner.
  4. Select the right Windows installation and make note of the drive letter.
  5. Select the command prompt.
  6. Navigate to the proper drive letter, e.g. N:.
  7. Change to the \Windows\System32 directory.
  8. Rename the existing Utilman.exe to Utilman.exe.original.
  9. Copy cmd.exe to Utilman.exe.
  10. Reboot the computer.
  11. Click on the accessibility icon in the lower left corner.
  12. Use the command net user <username> <new-password> to change the password of the user indicated, or
  13. Use the command net user Administrator /active:yes to activate the local Administrator account, and if necessary
  14. Use the command net user Administrator <new-password> to set the password to a known value.
  15. Boot the computer once more from the DVD or USB stick.
  16. Begin the installation procedure.
  17. Select Repair your computer in the lower left corner.
  18. Select the right Windows installation and make note of the drive letter.
  19. Select the command prompt.
  20. Navigate to the proper drive letter, e.g. N:.
  21. Change to the \Windows\System32 directory.
  22. Delete the existing Utilman.exe.
  23. Rename the existing Utilman.exe.original back to Utilman.exe.
  24. Reboot the computer and remove the DVD or USB stick.
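From the defender's side, an added check (example code, not part of the original post): a PowerShell function that reports whether the Utilman.exe swap described above has been made on a machine, assuming it runs with read access to System32.

```powershell
# Added example (not from the original post): check whether Utilman.exe in
# System32 has been replaced with a copy of cmd.exe, which is what the
# procedure above does, and whether its backup copy was left behind.
function Test-UtilmanTamper {
    param([string]$SystemRoot = $env:SystemRoot)

    $sys32    = Join-Path $SystemRoot 'System32'
    $utilman  = Join-Path $sys32 'Utilman.exe'
    $cmd      = Join-Path $sys32 'cmd.exe'
    $leftover = "$utilman.original"   # backup name used in the procedure above
    $findings = @()

    # A plain file copy leaves the two binaries byte-identical.
    $hUtil = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $hCmd  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    if ($hUtil -eq $hCmd) {
        $findings += 'Utilman.exe is byte-identical to cmd.exe'
    }

    # The copy still carries cmd.exe's version resource, so the embedded
    # original file name no longer matches the name on disk.
    $origName = (Get-Item -Path $utilman).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike 'utilman*') {
        $findings += "Utilman.exe reports OriginalFilename '$origName'"
    }

    # Get-AuthenticodeSignature is deliberately not used: Windows system
    # binaries are catalog-signed by file hash, so a renamed copy of cmd.exe
    # still reports a valid signature and the check would pass.

    # The rename-then-copy steps leave the genuine binary next to the fake.
    if (Test-Path -Path $leftover) {
        $findings += "Backup '$leftover' is present"
    }

    return $findings
}

$result = Test-UtilmanTamper
if ($result.Count -eq 0) {
    Write-Output 'Utilman.exe looks untouched.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

This only detects the substitution after the fact; full-volume encryption such as BitLocker is what stops the offline rename from a boot medium in the first place.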

In fact, I’m amazed that most people don’t realise the huge benefit of having a separate administrative account purely for the maintenance of the system, their own account with a low set of privileges for day to day use, and the local Administrator as a standby recovery account, all with good and known passwords. Do such owners find it confusing having three account icons on the login screen?