Resetting a Windows guest’s Administrator password with guestfish

Posted on October 18, 2010 by mdbooth

I recently found myself with a Windows guest for which I didn’t have the Administrator password, or any way of getting it. Nevertheless, I needed to make configuration changes to it. As I had no need to recover the old password, I was looking for a way to simply replace the Administrator password with one of my choice.

I came across this excellent post on the topic at 4sysops.com. Option 4, the Sticky Keys trick, worked for me, and is exceptionally simple to do with guestfish in Fedora.

Windows has a feature called Sticky Keys which is part of its suite of accessibility features. As such, and critical to this method, it’s available before login. In short, pressing a certain sequence of keys will invoke the Sticky Keys program. We will use guestfish to temporarily replace that program with a command shell, use the command shell to change the Administrator password, log in, and then put everything back how it was.

N.B. As pointed out in the above post, Windows uses your password to encrypt various bits of data, including the Windows Vault and passwords stored in IE. Changing the Administrator password using this mechanism will make that data permanently inaccessible.

First, we assume we have local access to the disk image from our Fedora box, and that libguestfs is installed. Also note that this is an offline process, so the guest must be shut down at this point. Attempting to do this while the guest is running will almost certainly result in data corruption.

# guestfish -i guest.img

Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.

Type: 'help' for a list of commands
'man' to read the manual
'quit' to quit the shell

><fs> mv /Windows/System32/sethc.exe /Windows/System32/sethc.exe.bak
><fs> cp /Windows/System32/cmd.exe /Windows/System32/sethc.exe
><fs> exit

You may find that the capitalisation of the paths is different in your guest, but guestfish’s tab completion should help you sort this out quite easily.

Start your guest again. When the login screen appears, press the SHIFT key 5 times. Instead of Sticky Keys, a command shell will be displayed:

Windows login screen with command shell window
Change the local Administrator password with the command:

net user Administrator <password>

Close the command shell window and login as Administrator with your new password. Put sethc.exe back how it was, and you’re done.

Advertisement
This entry was posted in Uncategorized and tagged . Bookmark the permalink.

5 Responses to Resetting a Windows guest’s Administrator password with guestfish

  1. rich says:
    October 18, 2010 at 2:40 pm

    I’m wondering what sort of voodoo was behind the discovery of “press the SHIFT key 5 times…”

    Looks good though, thanks for this nice tip.

    Reply

  2. Pingback: Matt on Resetting a Windows guest’s Administrator password with guestfish « Richard WM Jones

  3. Jamie Fargen says:
    December 28, 2012 at 7:47 pm

    I have a pretty good solution on my blog if you want to check it out.
    http://jfargen.blog.usf.edu/2012/12/21/kvmreset-windows-guest-password/

    Reply
  4. Ronan says:
    June 22, 2015 at 4:32 pm

    Found myself locked out of a Windows 7 (KVM) guest after a series of automatic updates. Followed the steps above & boom ! Access restored, thanks 🙂

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s