Adventures In Computing: Locked myself out of my Computer
A few years back I was having difficulties with remotely accessing my computer. The details of that are a different story altogether. What is relevant here is that I was attempting to copy files from one computer to another over the network. In the process of trying to get this done, I removed my own ability to log on to one of the computers.
It actually took me a few hours to notice the mess I had caused. It wasn’t until the screen saver kicked in and I had to log back in to get past it. Instead of logging in I received the message “You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information.”
While the error could be worded better, when I saw this message I knew what I had done. Years back I had modified the “User” group so that its members couldn’t log on locally, but could access the file shares. People were added to that group so they could view files but not directly log on to the computer. In my attempts to connect the two systems, I had added myself to the “User” group. As “Deny” overrides “Allow”, I had lost the ability to log on to my own machine.
“You cannot log on because the logon method you are using is not allowed”
Not something you want to see, as it means your password is right but you still can’t log in. My computer was working fine, but I couldn’t use it. So, research time.
As a temporary fix, I pulled the drive and plugged it directly into the other computer. That would allow me to copy files while figuring out how to get around the problem. It was actually a useful step towards fixing it too.
In my research, it turned out that the login interface runs with admin authority. Which makes sense, as it controls who can use the computer. Not immediately useful on its own, as the things that can be done from the login screen are rather limited. But if one of those things can be changed…
If you copy cmd.exe onto sethc.exe (making a backup first, so you can restore it later), then you end up with an admin level command prompt instead of activating high contrast. And high contrast is one of those things you can do without logging in.
Once my personal files had finished copying, I copied those two files and put the drive back where it belonged. Booted up as normal and entered high contrast mode. Which, due to my modifications, gave me an admin level command prompt.
From that command prompt, you can do just about anything. In this case, I used ‘Net User’ to change the groups on my account (I needed to remove the ‘User’ group). With that done the problem was solved, and I could once again log on.
Repeated use
This particular trick is rarely useful, at least for me. But every once in a while I have physical access to a computer that is otherwise working fine, but that I can’t log in to. Not often, but not ‘never’.
There are probably other uses for this general method. The command prompt is a very powerful tool, and the ability to use it without logging in could certainly be put to other creative uses.
Steps to take a working Windows system and log in without knowing the password:
First Boot:
Start up Windows as normal. The intent is to make sure it is booting as it should be. Also, make note of which key needs to be pressed to change the boot order. It is probably an F key (F2 and F12 seem to be popular).
Second Boot:
Using the alternate boot media of your choice, start the system up. Once that is loaded, rename /Windows/System32/sethc.exe (I like sethc_original.exe). Then copy cmd.exe to sethc.exe.
If alternate boot media isn’t working, physically move the hard drive to another system, and do the file swapping there.
Third Boot:
Start up as normal, going back into Windows. At the login prompt, use the accessibility menu to go into ‘High Contrast’ mode. The key stroke is ALT + Left SHIFT + PRINT SCREEN. At the command prompt, do your work. To change an existing account’s password: “net user [username] [password]”. To make a new account: “net user /add [username] [password]”. To make an existing account an administrator: “net localgroup administrators [username] /add”.
Fourth Boot:
Back to the alternate boot media of your choice. Assuming you kept a backup, delete the current sethc.exe and rename the backup from whatever it was to sethc.exe. If you didn’t keep a backup… Shame on you.
Fifth Boot:
Start Windows as normal. Enter ‘High Contrast’ mode to make sure you returned it to normal (you don’t want to let anyone else exploit your trick). Log in with the account you made on the third boot and do whatever you want with the system.
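As an added example that is not part of the original post, here is a PowerShell check for the Fifth Boot step (and for anyone auditing a machine they suspect was modified this way): it compares sethc.exe against cmd.exe by hash and by version metadata, and looks for a leftover backup such as sethc_original.exe. The function name Test-SethcIntegrity is my own; run it from an elevated prompt on the machine being checked.

```powershell
# Added example (not from the original post): audit sethc.exe for the
# cmd.exe swap described above. Test-SethcIntegrity is a name chosen here.
function Test-SethcIntegrity {
    [CmdletBinding()]
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )
    $sethc    = Join-Path $System32 'sethc.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = @()

    # 1. A straight copy of cmd.exe over sethc.exe is byte-identical to cmd.exe.
    $sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += 'sethc.exe is byte-identical to cmd.exe (file has been swapped)'
    }

    # 2. Version metadata survives a rename: a swapped file still carries
    #    cmd.exe's OriginalFilename, even if it was copied from another
    #    machine and so hashes differently. (A catalog signature check would
    #    NOT catch this: the renamed cmd.exe is still a signed Windows binary.)
    $sethcInfo = (Get-Item $sethc).VersionInfo
    $cmdInfo   = (Get-Item $cmd).VersionInfo
    if ($sethcInfo.OriginalFilename -eq $cmdInfo.OriginalFilename) {
        $findings += "sethc.exe reports OriginalFilename '$($sethcInfo.OriginalFilename)'"
    }

    # 3. The procedure above leaves a backup (e.g. sethc_original.exe) in
    #    System32; anything else starting with 'sethc' is worth a look.
    foreach ($f in Get-ChildItem -Path $System32 -Filter 'sethc*' -File) {
        if ($f.Name -ne 'sethc.exe') {
            $findings += "unexpected file next to sethc.exe: $($f.Name)"
        }
    }

    [pscustomobject]@{
        Path     = $sethc
        Sha256   = $sethcHash
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-SethcIntegrity | Format-List
```

A clean system reports Tampered = False with an empty Findings list; the hash comparison alone is enough after the Fourth Boot restore, but the metadata and leftover-file checks catch a restore that was only half done.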
Limitations
This only works on Windows systems that will already go to a standard login prompt. If there is a BIOS password, the drive is encrypted, or the system won’t boot, then this won’t work.
It also only affects the local computer. It has no impact on any network/domain accounts.
All in all, of limited use. But at the time, it was an Adventures In Computing.