Windows Server | Forgotten Administrator Password

Overview

Whilst carrying out an in-place upgrade I found myself locked out of the OS. It was a virtual machine on VMware; I had to uninstall the VMware tools, which removed the networking, and I didn't know the local administrator password.

A method I've used before is to create a new user from a CMD window on the logon screen, by replacing the 'Ease of Access' application, utilman.exe, with cmd.exe. The steps below are what I did to get myself logged back in.

Tested On:

  • Windows Server 2012/R2
  • Windows Server 2019 Std

Process

  1. Make sure you either have a VMware virtual machine whose disk isn't encrypted (or you have access to the recovery key) or a physical box to which you have physical access, again with an unencrypted disk. In this scenario I'll be using a virtual machine.
  2. Insert a Windows installer ISO in the CD drive
  3. Boot the ISO. I do this by forcing the next boot to load the EFI firmware menu and then choosing the CD drive from the boot menu
  4. On the main installer menu, press SHIFT + F10 keys to open a command prompt window
  5. From the command line, view the current disks attached by entering:
    wmic logicaldisk get name

  6. Drive X: is usually the boot disk you're currently using, so it won't have anything to do with the OS we're trying to access. Switch to C: by entering:
    C:
  7. On C: enter 'dir' to show the current directory structure
  8. The directory structure looks very familiar, as a normal Windows directory tree. This will be our OS directory, which we need to manipulate to gain access
  9. Change directory to System32 using the following command:
    cd Windows\System32
  10. Next we need to change the 'Ease of Access' application to launch CMD instead of the normal application, utilman.exe. We'll do this by firstly taking a backup of the utilman application by running the following command:
    ren utilman.exe utilmanBAK.exe
  11. Next we’ll rename cmd.exe to utilman.exe which will replace the ‘Ease of Access’ button to launch cmd. We’ll do this with the following command:
    ren cmd.exe utilman.exe

  12. At this point we can restart the machine and boot into the normal operating system. If you need to eject the CD, do it now. To reboot the machine via the command line, use:
    shutdown -r -t 0
  13. Once we get to the logon screen, select the ‘Ease of Access’ button in the bottom right hand corner:
  14. An administrator CMD window will appear. From here we can create a new local user and add it to the local administrators group
  15. We’ll firstly create a new local user called backdooradmin with the following command:
    net user backdooradmin mypassword /add

  16. Next we’ll add backdooradmin to the local administrators group with the following command:
    net localgroup administrators backdooradmin /add

  17. We can now close our cmd window, restart and try logging in with our new user ‘backdooradmin’
  18. Success! We can log in. At this point we now have a local user with local administrator permissions. We can now create more users if needed.
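The procedure above leaves artefacts that an administrator can look for on any server they are responsible for. The following script is an added example, not part of the original post: it audits a Windows Server for the swapped accessibility binary, the renamed backup copy, the missing cmd.exe, and the account-management events that steps 15 and 16 generate. All file paths and event IDs are standard Windows values; the seven-day lookback window is an assumption you can adjust.

```powershell
# Added example, not part of the original post: a defender-side audit for the
# artefacts the procedure above leaves behind. Run from an elevated PowerShell
# session on the server being checked. Paths and event IDs are standard Windows
# values; the 7-day lookback window is an assumption.

$system32 = Join-Path $env:SystemRoot 'System32'

function Test-AccessibilityBinary {
    # Returns $true when the named System32 binary looks genuine.
    param([string]$Name)
    $path = Join-Path $system32 $Name
    $ok = $true

    if (-not (Test-Path $path)) {
        Write-Warning "$Name is missing from System32."
        return $false
    }

    # Renaming cmd.exe does not break its Authenticode signature, so a signature
    # check alone will not catch the swap. The embedded version resource does:
    # cmd.exe reports its OriginalFilename as Cmd.Exe, not utilman.exe.
    $info = (Get-Item $path).VersionInfo
    if ($info.OriginalFilename -and ($info.OriginalFilename -ne $Name)) {
        Write-Warning "$Name carries OriginalFilename '$($info.OriginalFilename)': the file has been replaced."
        $ok = $false
    }

    # Still verify the signature: it catches replacement with an unsigned or
    # non-Microsoft binary.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$Name signature status is '$($sig.Status)'; expected a valid Microsoft signature."
        $ok = $false
    }
    return $ok
}

# 1. Has the 'Ease of Access' binary itself been swapped?
$utilmanOk = Test-AccessibilityBinary -Name 'utilman.exe'

# 2. Step 11 renames cmd.exe away, so a missing cmd.exe is a strong indicator on
#    its own, and step 10 leaves the original utilman.exe behind under a new name.
if (-not (Test-Path (Join-Path $system32 'cmd.exe'))) {
    Write-Warning 'cmd.exe is missing from System32.'
}
Get-ChildItem -Path $system32 -Filter 'utilman*' -File |
    Where-Object { $_.Name -ne 'utilman.exe' } |
    ForEach-Object { Write-Warning "Unexpected copy of the accessibility binary: $($_.FullName)" }

# 3. Steps 15 and 16 are written to the Security log even when run from the logon
#    screen, provided account management auditing is enabled:
#    event 4720 = user account created, 4732 = member added to a local group.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

if ($utilmanOk) { Write-Output 'utilman.exe passed the version-resource and signature checks.' }
```

The version-resource comparison is the check that matters here: because the swap is a plain rename of a Microsoft-signed binary, Get-AuthenticodeSignature alone reports utilman.exe as validly signed even after the replacement. Correlating the file findings with 4720/4732 events gives you the timestamp and the name of the account that was created.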

Conclusion

From the steps we can see how easy it is to get into a Windows server without the local administrator password. These types of workaround can easily be blocked by the use of EFI/BIOS passwords and restricted boot menus to stop users booting from a USB/CD. The most secure way to prevent this is to encrypt your fixed drives with BitLocker or another tool. This way no files can be edited on the server without the decryption key.
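The conclusion's recommendation is only effective if every fixed volume is actually encrypted with protection switched on; a volume that is "FullyEncrypted" but has protection suspended is still readable from a boot CD. The following script is an added example, not part of the original post: it reports the BitLocker state of each OS and data volume and flags the ones an offline boot could still modify. It assumes the BitLocker PowerShell module is available (on Windows Server it comes with the BitLocker feature).

```powershell
# Added example, not part of the original post: check whether this server's
# fixed drives are protected by BitLocker, the mitigation recommended above.
# Assumes the BitLocker module is installed (Windows Server: Install-WindowsFeature BitLocker)
# and that the session is elevated.

Import-Module BitLocker -ErrorAction Stop

function Get-UnprotectedVolume {
    # Returns the BitLocker volumes whose contents an offline boot could read or edit:
    # anything not fully encrypted, or encrypted but with protection suspended.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }
}

# Overview of every volume BitLocker knows about, including which key protectors exist.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ' } } |
    Format-Table -AutoSize

$exposed = @(Get-UnprotectedVolume)
if ($exposed.Count -gt 0) {
    foreach ($v in $exposed) {
        Write-Warning "$($v.MountPoint) ($($v.VolumeType)) is modifiable offline: status $($v.VolumeStatus), protection $($v.ProtectionStatus)."
    }
    # The offline rename in step 10 only works against volumes listed here. Enabling
    # BitLocker on the OS volume with a TPM protector closes that gap, for example:
    #   Enable-BitLocker -MountPoint 'C:' -TpmProtector
    # Add a recovery password protector and back it up before relying on it.
} else {
    Write-Output 'All OS and data volumes are fully encrypted with protection on.'
}
```

Pair this with the firmware controls mentioned above: a boot-order lock and firmware password stop the installer ISO from being booted in the first place, while BitLocker ensures that even a successful boot from removable media cannot rename anything under Windows\System32.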
