Resetting a Windows guest’s Administrator password with guestfish

I recently found myself with a Windows guest for which I didn’t have the Administrator password, or any way of getting it. Nevertheless, I needed to make configuration changes to it. As I had no need to recover the old password, I was looking for a way to simply replace the Administrator password with one of my choice.

I came across this excellent post on the topic. Option 4, the Sticky Keys trick, worked for me, and is exceptionally simple to do with guestfish in Fedora.

Windows has a feature called Sticky Keys which is part of its suite of accessibility features. As such, and critical to this method, it’s available before login. In short, pressing a certain sequence of keys will invoke the Sticky Keys program. We will use guestfish to temporarily replace that program with a command shell, use the command shell to change the Administrator password, log in, and then put everything back how it was.

N.B. As pointed out in the above post, Windows uses your password to encrypt various bits of data, including the Windows Vault and passwords stored in IE. Changing the Administrator password using this mechanism will make that data permanently inaccessible.

First, we assume we have local access to the disk image from our Fedora box, and that libguestfs is installed. Also note that this is an offline process, so the guest must be shut down at this point. Attempting to do this while the guest is running will almost certainly result in data corruption.

# guestfish -i guest.img

Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.

Type: 'help' for a list of commands
      'man' to read the manual
      'quit' to quit the shell

><fs> mv /Windows/System32/sethc.exe /Windows/System32/sethc.exe.bak
><fs> cp /Windows/System32/cmd.exe /Windows/System32/sethc.exe
><fs> exit

You may find that the capitalisation of the paths is different in your guest, but guestfish’s tab completion should help you sort this out quite easily.

Start your guest again. When the login screen appears, press the SHIFT key 5 times. Instead of Sticky Keys, a command shell will be displayed:

[Image: Windows login screen with command shell window]

Change the local Administrator password with the command:

net user Administrator <password>

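Close the command shell window and log in as Administrator with your new password. Put sethc.exe back how it was, and you're done. Until it is restored, pressing SHIFT 5 times at the login screen will keep opening a command shell without any login.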
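
One way to confirm, with the guest shut down again, that sethc.exe really has been put back (an added example, not part of the original post). The GUESTFISH override variable and the exit codes are assumptions of this example; sethc.exe.bak is the backup name used above.

```bash
#!/bin/bash
# Added example: offline check that sethc.exe was restored after the reset.
# GUESTFISH is an override hook assumed by this example, not a guestfish feature.
GUESTFISH="${GUESTFISH:-guestfish}"
SYS32=/Windows/System32

# Run a single guestfish command against the image, read-only.
gf() {
    local img="$1"; shift
    "$GUESTFISH" --ro -a "$img" -i "$@"
}

# Print the SHA-256 of a guest file, resolving path capitalisation first.
guest_sha256() {
    local real
    real=$(gf "$1" case-sensitive-path "$2") || return 1
    gf "$1" checksum sha256 "$real"
}

# Exit status: 0 restored, 1 sethc.exe is still cmd.exe,
#              2 backup file left behind, 3 image could not be read.
check_sethc() {
    local img="$1" sethc cmd dir
    sethc=$(guest_sha256 "$img" "$SYS32/sethc.exe") || { echo "ERROR: cannot hash sethc.exe"; return 3; }
    cmd=$(guest_sha256 "$img" "$SYS32/cmd.exe") || { echo "ERROR: cannot hash cmd.exe"; return 3; }
    if [ "$sethc" = "$cmd" ]; then
        echo "NOT RESTORED: sethc.exe is byte-identical to cmd.exe"
        return 1
    fi
    dir=$(gf "$img" case-sensitive-path "$SYS32") || { echo "ERROR: cannot resolve $SYS32"; return 3; }
    # sethc.exe.bak is the backup name used in this post.
    if [ "$(gf "$img" is-file "$dir/sethc.exe.bak")" = "true" ]; then
        echo "LEFTOVER: $dir/sethc.exe.bak is still present"
        return 2
    fi
    echo "OK: sethc.exe differs from cmd.exe and no backup remains"
}

# Usage: ./check-sethc.sh guest.img
if [ "$#" -gt 0 ]; then
    check_sethc "$1"
    exit $?
fi
```

A differing hash only shows that sethc.exe is no longer a copy of cmd.exe; it does not prove the file is the original Sticky Keys binary.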


5 Responses to Resetting a Windows guest’s Administrator password with guestfish

  1. rich says:

    I’m wondering what sort of voodoo was behind the discovery of “press the SHIFT key 5 times…”

    Looks good though, thanks for this nice tip.

  2. Pingback: Matt on Resetting a Windows guest’s Administrator password with guestfish « Richard WM Jones

  3. Jamie Fargen says:

    I have a pretty good solution on my blog if you want to check it out.

  4. Ronan says:

    Found myself locked out of a Windows 7 (KVM) guest after a series of automatic updates. Followed the steps above & boom ! Access restored, thanks 🙂
