• stoy · 57 · 4 months ago (edited)

    Does the sethc workaround work in Windows 11?

    Anyway, here is a quick explanation of how you do it:

    Use a separate boot device to boot up your computer; it is probably easiest to use a Linux live environment with a GUI, like Linux Mint.

    You need to make sure that the local drive is mounted in the live environment. It has been a while since I last ran the Linux Mint live environment, but it should auto-mount the local drive and put a shortcut on the desktop.

    Go to Windows -> System32 on the local drive.

    Rename the file sethc.exe to sethc.exe.backup, then copy the cmd.exe file to sethc.exe.

    Reboot back into Windows.

    You have now created a backdoor into the machine.

    At the logon screen, press the Shift key five times. This normally opens a dialog box about enabling Sticky Keys, but since we replaced the normal sethc.exe file with a copy of cmd.exe, we get a command line window running as administrator, giving us unlimited access to make changes to the computer!

    Now, to reset the admin password we need to use the net user command.

    The syntax is this:

    net user <username> <password>

    So, if you want to set the password for the default Administrator account to “LemmyTest123”, you enter the following:

    net user administrator LemmyTest123

    And press enter.

    The password is now changed.

    However, in some cases this may not be enough to get in, as the default Administrator account is disabled.

    Then you also need to enter this command:

    net user administrator /active:yes

    Done, you should now be able to log on as the default admin user.

    Remember, to restore this loophole, you need to boot the Linux live environment again, go to Windows -> System32, delete the file called sethc.exe, and rename the file sethc.exe.backup to sethc.exe.
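The swap described in this comment leaves two artefacts an administrator can check for: sethc.exe becomes byte-identical to cmd.exe, and a sethc.exe.backup file sits next to it. The following script is an added example (not the commenter's code, and not a Microsoft or Lemmy tool) that checks a System32 directory for both indicators. It can be pointed at a mounted drive from a live environment or run on the Windows host itself; the demo directories and their file contents are constructed stand-ins, and the function name check_sethc_swap is an assumption of this example.

```python
"""Check a System32 directory for the sethc.exe / cmd.exe swap.

Added example, not part of the original comment. Two indicators are
checked: sethc.exe being byte-identical to cmd.exe, and a leftover
sethc.exe.backup file. The demo builds constructed directories in a
temporary folder; call check_sethc_swap() on a real Windows/System32
path (e.g. a mounted drive) to use it for real.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc_swap(system32: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    sethc = os.path.join(system32, "sethc.exe")
    cmd = os.path.join(system32, "cmd.exe")
    backup = os.path.join(system32, "sethc.exe.backup")

    if not os.path.isfile(sethc):
        findings.append("sethc.exe is missing from System32")
    elif os.path.isfile(cmd):
        # Size check first: a cheap way to skip hashing when they obviously differ.
        if (os.path.getsize(sethc) == os.path.getsize(cmd)
                and sha256_of(sethc) == sha256_of(cmd)):
            findings.append(
                "sethc.exe is byte-identical to cmd.exe (Sticky Keys binary replaced)")
    if os.path.isfile(backup):
        findings.append(
            "leftover sethc.exe.backup found (original binary was renamed)")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a clean and a swapped constructed System32; return both results."""
    cmd_bytes = b"MZ constructed stand-in for cmd.exe"      # constructed sample
    sethc_bytes = b"MZ constructed stand-in for sethc.exe"  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        swapped = os.path.join(tmp, "swapped")
        for d in (clean, swapped):
            os.makedirs(d)
            with open(os.path.join(d, "cmd.exe"), "wb") as f:
                f.write(cmd_bytes)
        # Clean layout: sethc.exe is its own distinct binary.
        with open(os.path.join(clean, "sethc.exe"), "wb") as f:
            f.write(sethc_bytes)
        # Swapped layout: sethc.exe is a copy of cmd.exe, original renamed.
        with open(os.path.join(swapped, "sethc.exe"), "wb") as f:
            f.write(cmd_bytes)
        with open(os.path.join(swapped, "sethc.exe.backup"), "wb") as f:
            f.write(sethc_bytes)
        return check_sethc_swap(clean), check_sethc_swap(swapped)


if __name__ == "__main__":
    clean_findings, swapped_findings = demo()
    print("clean:", clean_findings or "no findings")
    print("swapped:", swapped_findings)
```

Hash equality against cmd.exe only catches this specific swap; it does not catch sethc.exe being replaced with some other binary. For that, compare sethc.exe against a known-good copy or verify its Microsoft signature on the Windows side, which this example does not do.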