Note: This is a revision of the original post 'Creating backdoor at Windows login to reset password after losing it.' found here.
Over the years I have had many people ask me how to get into their computer after they have forgotten their password. There are a few ways to do this, either with a bootable CD or USB stick running a 3rd-party application, but to be honest this is very unsafe: anyone who gets hold of the CD can break into a computer, and at the same time you, or anyone else who uses such software, can cause users or admins to lose data.
The only really safe way to do it is through your command prompt, but without knowing your password to get into the profile and use the console, you are screwed. Recently I discovered a way to access your command prompt from the Windows login screen by adding a value to the registry. You can create a registry file (.reg) to do this, but today we will just add it via the command prompt:
1. You must open your cmd (command prompt) as administrator, so you can't open it from Run. Go to your start screen, type "cmd" in the search bar, and when you see it, right-click on it and select "Run as administrator".
I have created a batch file to automate this process so you don't have to do half of this. You can either download it here (Outdated V1.0 old script for archives) or, if you are scared of downloading files, you can just copy and paste the text below into a batch file you create.
Right click on your desktop and select New>TXT File.
Rename the file from "New Text Document.txt" to "whateveryouwant.bat" (if you can't see the extension, go into folder options and uncheck "Hide extensions of known applications" or something like that).
Once it's a .bat file, right-click on it, select "Edit", paste the code below into it and save the file.
Right click on the bat file you have created and select "Run as administrator" and it will run.
Code to paste in your batch file:
Title Windows Login Backdoor Creator
echo Checking to see if script or registry value exist...
rem Query the Image File Execution Options value for sethc.exe; %errorlevel% tells us whether it is already present
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger>nul
if [%errorlevel%]== if not exist "%_bscript%" (
echo Registry value exists, but the script does not.
echo Writing script file now...
if [%errorlevel%]== if exist "%_bscript%" (
echo Script exists, but the registry value does not.
echo Writing registry value now...
echo Both the script and registry value were found,
echo no need to do anything.
echo Backdoor was not found, writing both the
echo registry value and the script file....
echo Creating script^: %_bscript%...
if exist "%_bscript%" del "%_bscript%"
echo Creating backdoor.cmd file...
rem Write the helper script that prompts for a username and a new password and applies it with net user
echo @echo off > %_bscript%
echo title Create New User Password >> %_bscript%
echo echo Enter username to reset your password: >> %_bscript%
echo set name= >> %_bscript%
echo set pass= >> %_bscript%
echo set /P name="Username:" >> %_bscript%
echo set /P pass="New Password:" >> %_bscript%
echo net user "%%name%%" "%%pass%%" >> %_bscript%
echo timeout /t 3 ^>NUL >> %_bscript%
echo exit >> %_bscript%
rem Resize the console window and print the usage instructions
mode 36, 10
echo To run:
echo At the login screen either press
echo shift+ctrl+printscreen (or prtsc)
echo or hit shift 5 times. This will
echo bring up the command prompt. At
echo the prompt type "backdoor" into
echo the new password screen and follow
echo the instructions.
timeout /t 3 >nul
New icon I made for it:
Once it starts, it will enter the registry entries as provided above to create the access to the command prompt at the Windows login screen, and it will also create a batch file in your System32 folder called "backdoor.bat", which walks you through an automated, easy process to change your password, so there is no need to type the commands yourself; just run the backdoor file. This batch file is run from your command prompt by typing "backdoor" or "backdoor.bat" and it
Run this batch file from the command prompt by typing "backdoor" or "backdoor.bat" and hit "Enter".
It will easily guide you through the process of changing your password in just a couple of steps.
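The registry value this post relies on, a Debugger entry under Image File Execution Options for sethc.exe, is exactly what an administrator auditing a machine looks for, since the same mechanism is used by attackers for persistence. The following PowerShell check is an added example, not part of the post or its batch file: it lists every IFEO subkey that carries a Debugger value (the post's script queries only the sethc.exe one) and reports whether the backdoor.bat helper is present in System32. The key path and file name come from the post; the remediation lines at the end are my addition and are left commented out.

```powershell
# Added audit script (not the post's code). Reads HKLM, so it runs unprivileged;
# the remediation at the end needs an elevated prompt.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$helper = Join-Path $env:SystemRoot 'System32\backdoor.bat'   # file name used in the post

# Collect every image whose IFEO subkey carries a Debugger value.
$findings = @()
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Image = $key.PSChildName; Debugger = $dbg }
    }
}

if ($findings) {
    # Some tools set this legitimately (e.g. a task manager replacement), so review
    # each entry; a Debugger value on an accessibility binary such as sethc.exe is
    # the pattern described in this post and should be removed if you did not set it.
    Write-Warning 'Debugger values found under Image File Execution Options:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No Image File Execution Options Debugger values present.'
}

if (Test-Path $helper) {
    Write-Warning "Helper script present: $helper"
}

# Remediation for the sethc.exe case described in the post (uncomment to apply, elevated):
# Remove-ItemProperty -Path (Join-Path $ifeo 'sethc.exe') -Name Debugger -ErrorAction SilentlyContinue
# Remove-Item -Path $helper -ErrorAction SilentlyContinue
```

The same check is worth running periodically or from a scheduled task, since the registry value survives reboots and password changes.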
No matter what OS you use, if you use any console or command line interface you know that if your script or executable isn't in a path the computer can read, or the CLI is not currently in the directory of that file, it cannot be run or found.
In most Linux systems there is a user bin directory, usually located at $HOME/bin, where you can drop any of your user-installed programs or scripts and run them from the terminal just like any system command.
In Windows it's not so simple (although, not so hard either) as any path read by Windows must be declared in the PATH(%PATH%) variable.
The problem with Windows is that the preset paths are all in system folders and there can be some permission and security issues with some utilities you may use. So it is best to just stay away from system folders when possible. The way to do this is by adding a custom directory designated for the user and adding the directories location to the PATH variable.
For example I create a directory: C:\Bin and then enter this location into the variable from cmd this: setx /m PATH "%PATH%;C:\Bin". And now I can drop whatever scripts or executable into the C:\Bin folder and run them from anywhere on the computer from cmd or any other cli.
I do this on every Windows rig I have, so I have created a quick bat-to-exe script to automate this process with slight error checking. WinBin V1.0, when started, will check for a Bin folder and, if it exists, warns the user that the old folder should be moved or deleted to complete the process. If no folder is found, it continues to add the new directory and adds the location to the PATH variable. It then checks to make sure the two functions were executed successfully; if so, you can then use the system, and if not, you either have too many characters in your PATH variable (usually mostly from installed software) or the folder wasn't created successfully.
After the system is installed successfully, just drop anything at all that can be run from a CLI into the C:\Bin folder and run it from the CLI!!! Very simple and quick and portable!
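As an added example (not the author's WinBin script), here is the same setup in PowerShell. It differs from the setx one-liner in two ways a practitioner should know about: setx truncates the stored value at 1024 characters, which is the "too many characters in your PATH" failure mentioned above, and %PATH% in a cmd window is the machine PATH and user PATH merged, so writing it back with /m copies the user entries into the machine value. The script also tightens the folder's ACL: a directory created directly under C:\ inherits Modify for Authenticated Users, so without this any local account could drop an executable into a directory that every user, administrators included, resolves commands from. C:\Bin is the folder name used in the post; the script assumes an elevated PowerShell prompt.

```powershell
# Added example, not the post's WinBin. Requires an elevated PowerShell prompt.
$bin = 'C:\Bin'   # folder name used in the post

if (Test-Path $bin) {
    Write-Warning "$bin already exists; review its contents before putting it on PATH."
} else {
    New-Item -ItemType Directory -Path $bin | Out-Null
}

# Build an inheritable ACE for the folder and everything created under it.
function New-Rule($identity, $rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $identity, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Stop inheriting the permissive C:\ ACL; only admins and SYSTEM may write here,
# everyone else may only read and execute what admins have placed in the folder.
$acl = Get-Acl $bin
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'     'FullControl'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Users'          'ReadAndExecute'))
Set-Acl -Path $bin -AclObject $acl

# Append to the persisted machine PATH (no 1024-char limit, no user entries mixed in),
# skipping the append if an identical segment is already there.
$segments = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
              Where-Object { $_ -ne '' })
if ($segments -notcontains $bin) {
    [Environment]::SetEnvironmentVariable('Path', (($segments + $bin) -join ';'), 'Machine')
}

# Verify against the stored value rather than this session's $env:Path.
$persisted = @([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
if ((Test-Path $bin) -and ($persisted -contains $bin)) {
    Write-Output "$bin is on the machine PATH; newly opened cmd/PowerShell windows will see it."
} else {
    Write-Error 'Setup did not complete; check folder creation and the PATH value.'
}
```

Already-open console windows keep their old environment, so open a new one before testing a command dropped into C:\Bin.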
Like most people I am constantly downloading files and installing software to my computer and because, like most people, I am busy all the time I don't have as much time as I would like to keep my system clean and so I like to write scripts to automate as much as I can to give me more free time away from my computer.
Over the years after cleaning, optimizing and fixing countless computers I have learned that most files that eat up disk space that can comfortably be removed are usually media and installation files; things you download from the internet pretty much. Lots of archived files like zips, rars etc... can end up taking up lots of space and even the most organized of us end up having files spread throughout our system and half the time we forget about them.
Recently I wrote a script (Collector V1.1) to copy all files of specific, passed extension types to a folder on the desktop so that I can easily analyze the total file size of all those files. Doing this I also found files I forgot I even had, and for files I knew could be deleted I tracked down the source files and deleted them. I have converted my script to an exe for easy portability and an administrative manifest.
Collector V1.1 is a command line utility (cli/clu) used by passing file extensions to it via a command line such as MS-DOS CMD.
E.g.: collect.exe pdf txt log
will search your whole computer for all files with those extensions and then copy them to individual folders inside a folder on your desktop named "Collection". There is no limit to the number of passed extensions, as it shifts each one into %1 until %1 is empty.
Note: As with all bat-to-exe conversions, this might come up as a false positive in your AV; just exclude it in your AV. The collect.exe file must be placed in a folder that can be read from %PATH%, such as C:\Windows\System32 or a custom path you have added. You can also just cd to the path of your stored collect.exe.
Version 1.0 - Initial release. No known bugs.
Version 1.1 - Added a log file with the locations of the original files.
A lot of us who use both Windows and Linux find Windows CLI commands lacking at times. Linux is best run from the command line (terminal) in my opinion, and almost everything you can do on a computer in Linux can and should be done via the terminal. One of the most annoying things I have found in Windows is the horrible way you have to reboot your computer from Windows CMD. In Linux it's as simple as typing 'reboot'.
In Windows, in order to reboot your computer from a command line you must type 'shutdown /r /t 0'. While this comes in handy for some things, it is annoying for normal everyday usage. I have created a batch-to-exe (for portability and easy use with administrative privileges) script to emulate this feature in Windows. Simply place reboot.exe in your C:\Windows\System32\ or any path in the Windows %PATH% variable and run it from the command line with 'reboot'.
The difference between Linux's 'reboot' and my Windows version is that an amount of time to wait before the reboot can be passed to it as you would any parameter: reboot 30
will wait 30 seconds before the reboot.
This is available in 3 versions; the original cmd script, reboot with admin manifest and a reboot without admin manifest (rename to reboot) for use on public computers: