While this is not a newly discovered trick, I feel we cannot stress enough the importance of using BitLocker to encrypt our hard drives.

If you, like me, encounter customers who still run their computers unencrypted and don't see the need for encryption, just use the following guide to show them how easy it is to activate the local Administrator account and reset its password. All it takes is physical access and a machine that will boot from external media.

Step 1

Show the customer that the built-in local Administrator account is disabled (or that you don't know its password). On a default Windows installation it is disabled; you can see this in Computer Management under Local Users and Groups.

[Screenshots (2014-09-26) from a Windows 8.1 test VM: the local Administrator account shown as disabled]

Step 2

Boot from any bootable media, such as the original installation media, Ultimate Boot CD or WinPE boot media; any media that gives you a command prompt and lets you access the local drive will do. This is the step that relies on the disk being unencrypted: whatever you boot can read and write the installed Windows volume freely.

If you booted from the original installation media, just press SHIFT+F10 when prompted for language settings to get a command prompt.

Now do the following:

  1. Change to the local disk that holds the installed Windows (under WinPE it is not always C:, so check with dir first) and change directory to \Windows\System32.
  2. Back up the original sethc.exe (the Sticky Keys helper) so you can put it back afterwards, then copy cmd.exe over sethc.exe and confirm the overwrite. Because the volume is offline, the usual TrustedInstaller ownership of the file does not get in the way.
  3. Reboot the computer into the installed operating system.

[Screenshot from the Windows 8.1 test VM: cmd.exe copied over sethc.exe from the boot media's command prompt]

Step 3

Now let the magic begin!

At the login screen, press SHIFT five times. Normally this makes winlogon launch sethc.exe to offer Sticky Keys; since sethc.exe is now a copy of cmd.exe, a command prompt opens instead, without anyone having logged in.

Run whoami and you will find that the command prompt is running as NT AUTHORITY\SYSTEM, because winlogon starts the accessibility helper with its own privileges.

Now all you have to do is execute the following commands to activate the Administrator account and set a new password (the * makes net user prompt for the password instead of putting it on the command line):

net user administrator /active:yes

net user administrator *

Once you have executed the commands, reboot the computer.

[Screenshot from the Windows 8.1 test VM: SYSTEM command prompt at the login screen, Administrator account activated and password reset]

Step 4

Log in to the computer with your newly activated Administrator account!

Don't forget to clean up afterwards: put the original sethc.exe back (or run sfc /scannow, which restores it from the component store) and disable the Administrator account again. Otherwise you have left a SYSTEM shell reachable from the lock screen on the customer's machine.

[Screenshot from the Windows 8.1 test VM: logged in with the newly activated Administrator account]

Well, this should raise some eyebrows and make your customer think once again about the need for encryption. With BitLocker enabled, step 2 is where the demo stops: the boot media cannot read or write the Windows volume without the recovery key, and with a TPM protector the key is only released when the machine boots its own, unmodified Windows, so sethc.exe cannot be swapped in the first place.
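To turn the demo into something you can check on a customer's machine, here is an added audit script (my example, not part of the original post) for an elevated PowerShell prompt on Windows 8.1 or later. It reports whether sethc.exe has been replaced by a copy of cmd.exe, by comparing the two files' SHA-256 hashes and the OriginalFilename in the version resource, and whether the OS volume is BitLocker-protected. It assumes Get-FileHash and the BitLocker module are available, and that a genuine sethc.exe reports "sethc.exe" as its OriginalFilename; the -Helper parameter is mine, added so the same check can be pointed at the other accessibility helpers winlogon launches from the logon screen (utilman.exe, osk.exe), which the post does not cover.

```powershell
# Added example, not from the original post: audit a running Windows machine
# for the sethc.exe swap shown above and report the BitLocker state of the
# OS volume. Run in an elevated PowerShell prompt on Windows 8.1 or later.
# Assumes Get-FileHash and the BitLocker module (Get-BitLockerVolume) exist.

function Test-AccessibilityHelperSwap {
    [CmdletBinding()]
    param(
        # Helper launched by winlogon at the logon screen; sethc.exe is the
        # one used in the post, the others are listed as a generalisation.
        [ValidateSet('sethc.exe', 'utilman.exe', 'osk.exe')]
        [string]$Helper = 'sethc.exe',
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $helperPath = Join-Path $System32 $Helper
    $cmdPath    = Join-Path $System32 'cmd.exe'

    # A swapped helper is a byte-for-byte copy of cmd.exe, so the hashes match.
    $helperHash = (Get-FileHash -Path $helperPath -Algorithm SHA256).Hash
    $cmdHash    = (Get-FileHash -Path $cmdPath    -Algorithm SHA256).Hash

    # The copy also carries cmd.exe's version resource. Assumption: the genuine
    # helper reports its own file name here (comparison is case-insensitive).
    $originalName = (Get-Item -Path $helperPath).VersionInfo.OriginalFilename

    # Authenticode status is informational only: cmd.exe is Microsoft-signed
    # too, so a valid signature does not prove the file is genuine. On systems
    # that do not check catalog signatures this may read NotSigned for a
    # genuine file, so the hash comparison above is the authoritative check.
    $signature = Get-AuthenticodeSignature -FilePath $helperPath

    [pscustomobject]@{
        Path             = $helperPath
        Sha256           = $helperHash
        IdenticalToCmd   = ($helperHash -eq $cmdHash)
        OriginalFilename = $originalName
        SignatureStatus  = $signature.Status
        Tampered         = ($helperHash -eq $cmdHash) -or ($originalName -ne $Helper)
    }
}

function Get-OsVolumeProtection {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
        [pscustomobject]@{
            MountPoint       = $MountPoint
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $vol.ProtectionStatus   # On only when key protectors are active
            KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Protected        = ($vol.ProtectionStatus -eq 'On')
        }
    } catch {
        # No BitLocker cmdlets (e.g. a Home edition) or no access: treat as unprotected.
        [pscustomobject]@{
            MountPoint       = $MountPoint
            VolumeStatus     = 'Unknown'
            ProtectionStatus = 'Unknown'
            KeyProtectors    = ''
            Protected        = $false
        }
    }
}

$swap = Test-AccessibilityHelperSwap -Helper 'sethc.exe'
$disk = Get-OsVolumeProtection

$swap | Format-List
$disk | Format-List

if ($swap.Tampered) {
    Write-Warning "$($swap.Path) has been replaced; restore it with 'sfc /scannow' and check the other helpers."
}
if (-not $disk.Protected) {
    Write-Warning "OS volume $($disk.MountPoint) is not BitLocker-protected: the offline swap above will work."
}
```

Tampered is the field to act on; IdenticalToCmd alone catches the exact trick from the post, while the OriginalFilename test also catches a renamed copy of some other program. Run the function once per helper name if you want to cover utilman.exe and osk.exe as well.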

This little tip can also be used during deployment tests where the domain join fails and you need to log in with the disabled Administrator account to attempt a manual join; just remember to restore sethc.exe once you are done.