In D7 v4.7.9 (currently available only as a pre-release update) I’ve added a sweet new feature!
D7 Locksmith – a function to remove passwords from offline Windows installations.
What you do:
- You can either slave the HDD to your Tech Bench Computer, or boot the client’s PC to a WinPE based boot CD with D7 on your flash drive.
- Run D7 Locksmith from the D7 > Offline tab, and click the Make Modifications button.
- Boot the Windows installation to the login screen.
- in Vista/7/2008+, click the Accessibility icon lower left corner of the screen; the D7_Locksmith GUI starts enabling you to remove selected or all user passwords, then login!
- in Windows XP/2003, simply wait. Passwords will be removed in the background within seconds. Then login with a blank password!
- Cleanup: None necessary! However note on XP that D7_LocksmithD7_Locksmith.cmd will be left behind, which you can delete – or if you forget, no biggie, as the modifications created to run it will automatically be undone.
For Windows Vista/7/Server 2008+: The D7 Locksmith function installs a file (of course named D7_Locksmith.exe) in the WindowsSystem32 directory. Then an IFEO is installed in the registry of the offline Windows installation (see my IFEO Modifier page if you don’t know what this is) which causes D7_Locksmith.exe to run in place of utilman.exe.
(Similar techniques you’ve seen on the internet may involve renaming cmd.exe to utilman.exe, but an IFEO is a far more clean solution than backing up and renaming files that you’ve got to put back later…)
When the modification is complete and you boot up Windows to the login screen, you’ll simply click the Accessibility icon in the lower left corner of the screen. Thanks to the IFEO, instead of utilman.exe which normally launches, instead D7_Locksmith.exe starts! Within the GUI, you have the option to select which user accounts you wish to remove the passwords for, and hit the Do It button. No more typing command prompt stuff!
Clicking the Do It button not only removes the passwords, but it ALSO removes the IFEO modification which made this all possible, and schedules itself (D7_Locksmith.exe) to be deleted next time Windows restarts. So there is no cleanup involved in the process!
For Windows XP/Server 2003: Fully patched systems no longer allow “net user” commands to manipulate user accounts from the login screen; it seems that security hole was fixed, so now you will receive access denied errors if you invoked cmd.exe at the login screen. Additionally, when tested, D7_Locksmith.exe cannot remove the passwords on these earlier-yet-fully-patched OSes. So I take a different approach.
First a temporary service (named .D7_Locksmith, of course) is installed in the registry of the offline Windows installation. Next a D7_Locksmith directory is created on that Windows partition to house temporary files for the service, which are srvany.exe and D7_Locksmith.cmd. Srvany.exe is a Microsoft file (more info here) required to launch a “user-defined” service. Note the MS article also mentions instsrv.exe, which is not used by D7 as it won’t work on offline partitions, naturally – so D7 does this work itself.
When the modification is complete and you boot up Windows to the login screen, you’ll need to wait a few seconds for the temporary service to start up.
(Once the service starts up, it will fail [no errors, except in the event logs] but that doesn’t matter. Before it fails, it will launch D7_Locksmith.cmd, which removes all user account passwords on the system. It also removes the temporary service from the registry. So no cleanup there…)
Once the service has run it’s course, you’ll still be staring at a user account with a password prompt. But never fear, you can now login with a blank password! If Windows doesn’t let you in, then the service hasn’t run it’s course. Wait a few more seconds, and try again. It will work!
The only downside with the XP/2003 method is that the D7_Locksmith directory isn’t cleaned up, and you would need to delete it manually. Forgetting to do this will do no harm, as I mentioned earlier D7_Locksmith.cmd also removes the temporary service from the registry. So there is minimal cleanup, but it’s no big deal if you forget as system functionality will return to normal automatically.
Why not use password cracker disks you ask? It’s always nice to have multiple ways to skin the proverbial cat. Besides, sometimes you just can’t for various reasons. Other times it’s just easier to do it while you’ve already got your HDD slaved to a tech bench computer, or are already booted to a WinPE based CD.
Good real-world example, I have a client’s computer with no password – it’s in for a virus scan or other behavior that makes it suspect, and I have it attached to my tech bench computer for a full virus scan. At some point I’ll need to boot into the OS and finish cleanup. But as long as I have it on my TBC, why not go ahead and use D7 Locksmith on it. Maybe I don’t even know if it is password protected or not, doesn’t matter – in this situation, using D7 Locksmith won’t do any harm, so go ahead.
Domain usage notes: Untested. Let me know how it works! LOL