I recently found myself with a Windows guest for which I didn’t have the Administrator password, or any way of getting it. Nevertheless, I needed to make configuration changes to it. As I had no need to recover the old password, I was looking for a way to simply replace the Administrator password with one of my choice.
I came across this excellent post on the topic at 4sysops.com. Option 4, the Sticky Keys trick, worked for me, and is exceptionally simple to do with guestfish in Fedora.
Windows has a feature called Sticky Keys which is part of its suite of accessibility features. As such, and critical to this method, it’s available before login. In short, pressing a certain sequence of keys will invoke the Sticky Keys program. We will use guestfish to temporarily replace that program with a command shell, use the command shell to change the Administrator password, log in, and then put everything back how it was.
N.B. As pointed out in the above post, Windows uses your password to encrypt various bits of data, including the Windows Vault and passwords stored in IE. Changing the Administrator password using this mechanism will make that data permanently inaccessible.
First, we assume we have local access to the disk image from our Fedora box, and that libguestfs is installed. Also note that this is an offline process, so the guest must be shut down at this point. Attempting to do this while the guest is running will almost certainly result in data corruption.
# guestfish -i guest.img
Welcome to guestfish, the libguestfs filesystem interactive shell for
editing virtual machine filesystems.
Type: 'help' for a list of commands
'man' to read the manual
'quit' to quit the shell
><fs> mv /Windows/System32/sethc.exe /Windows/System32/sethc.exe.bak
><fs> cp /Windows/System32/cmd.exe /Windows/System32/sethc.exe
You may find that the capitalisation of the paths is different in your guest, but guestfish’s tab completion should help you sort this out quite easily.
Start your guest again. When the login screen appears, press the SHIFT key 5 times. Instead of Sticky Keys, a command shell will be displayed.
Change the local Administrator password with the command:
net user Administrator <password>
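Close the command shell window and log in as Administrator with your new password. Put sethc.exe back how it was, and you’re done. Until sethc.exe is restored, pressing SHIFT 5 times at the login screen still opens a command shell without any authentication, so don’t skip this step.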
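An added check, not part of the original post: once sethc.exe has been put back, this script confirms offline that it is no longer a copy of cmd.exe and that no sethc.exe.bak was left behind. It assumes the guest is shut down and its filesystem is mounted read-only at a directory (for example with guestmount); guest.img and /mnt/guest are placeholder names, and the hash comparison only catches the exact cmd.exe copy described above.

```shell
#!/bin/sh
# Added example: offline check that sethc.exe in a Windows guest is not a
# copy of cmd.exe. Works on a directory tree, e.g. the guest mounted read-only:
#   guestmount --ro -i -a guest.img /mnt/guest    (placeholder names)

# Resolve a path case-insensitively under a root, one component at a time,
# because the capitalisation of Windows/System32 differs between guests.
resolve_ci() {
    cur=$1; shift
    for part in "$@"; do
        match=$(ls -A "$cur" 2>/dev/null | grep -i -x -F -- "$part" | head -n 1)
        [ -n "$match" ] || return 1
        cur="$cur/$match"
    done
    printf '%s\n' "$cur"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Prints REPLACED, LEFTOVER, OK or MISSING. Exit status is 0 only for OK.
check_sethc() {
    root=$1
    sethc=$(resolve_ci "$root" Windows System32 sethc.exe) || { echo MISSING; return 2; }
    cmd=$(resolve_ci "$root" Windows System32 cmd.exe) || { echo MISSING; return 2; }
    # Identical hashes mean sethc.exe is still the command shell.
    if [ "$(sha256_of "$sethc")" = "$(sha256_of "$cmd")" ]; then
        echo REPLACED; return 1
    fi
    # A leftover backup means the swap was only partly undone.
    if resolve_ci "$root" Windows System32 sethc.exe.bak >/dev/null; then
        echo LEFTOVER; return 1
    fi
    echo OK
}

# When run as a script: sh check_sethc.sh /mnt/guest
if [ $# -eq 1 ]; then
    check_sethc "$1"
fi
```

The same script can be run against any shut-down Windows guest image to spot a sethc.exe that has been swapped for cmd.exe.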