Password-Protected Windows 10

(@mhibert)
Posts: 12
Active Member
Topic starter
 

Hi Guys,

I am struggling to bypass Windows 10 login password. What techniques would you use if you would be on my place?

P.S. BIOS is protected with a strong password and boot priority cannot be changed.

Thank you

 
Posted : 11/03/2018 4:54 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi Guys,

I am struggling to bypass Windows 10 login password. What techniques would you use if you would be on my place?

P.S. BIOS is protected with a strong password and boot priority cannot be changed.

Thank you

The usual ones, of course, if you can access the disk (i.e. it is not encrypted and you do not have the password, or it is a laptop with integrated encryption, etc.).

OSK.EXE or similar, or direct patching of msv1_0.dll if 32-bit (cannot say if a patch for 64-bit has been found/published for "your" Windows 10 version, and surely that depends on the exact version of the .dll).

jaclaz

 
Posted : 11/03/2018 5:30 am
(@mhibert)
Posts: 12
Active Member
Topic starter
 

What are the usual ones? Maybe I am missing something.

 
Posted : 11/03/2018 5:54 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Can you pull the disk? If so, cracking the password in the relevant Registry hives would be a good place to start!

Failing that, what about a password reset tool like NTPASSWD (I've not actually tried this myself on Windows 10 - hopefully someone can confirm that it still works)?

Ben

 
Posted : 11/03/2018 9:34 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@benfindlay
Reset is different from bypass (and is different from cracking the password).

@mhibert
As above, reset is different from bypass (and is different from cracking the password via ophcrack or similar).

To bypass there are historically three ways, in order from most intrusive to least intrusive:
1) rename (a copy of) cmd.exe to osk.exe (or to another executable accessible from the logon screen); this is not strictly speaking a bypass, but it allows you to create a new user, leaving the original account untouched, or to change (reset) the password of the existing user
2) open a console on the Winsta0 desktop; this is actually a bypass, as you will have a session as System, besides having the same possibilities as above
3) modify msv1_0.dll (this is trivial/universal on 32-bit, version specific on 64-bit); this is a real bypass, as you can log in with *any* password on the existing local user account

Whether each and every one of these will work on Windows 10, particularly on the specific version you have, and/or whether the patch for your specific version exists in the case of #3, is up to you to find out.

#1
Google for (without double quotes) "osk.exe cmd.exe reset windows password", or "utilman.exe cmd.exe reset windows password", and you will find tens of tutorials (mostly copy-pasted from one another and for various Windows versions) with slight variations; the method is the same since Windows XP.
Check anyway
http://reboot.pro/topic/21061-how-to-to-reset-my-forgotten-windows-10-password/

#2
http://reboot.pro/topic/18792-if-anyone-is-up-for-a-challenge/
https://blog.didierstevens.com/2006/08/31/my-second-playdate-with-utilmanexe/

#3
http://reboot.pro/topic/18588-passpass-bypass-the-password/
Read the whole thread, get the latest chenall's version (but of course in your case you can use any hex editor instead), then look for the right pattern, if any.

Mind you these are what I would try, and what you could try if you are into learning.

Otherwise, spend a few bucks for a commercial solution
http://www.piotrbania.com/all/kon-boot/

jaclaz

 
Posted : 11/03/2018 10:10 am
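A check a forensic examiner would want for method #1 above, added here as an example (not code from the thread): once cmd.exe has been copied over Utilman.exe, osk.exe or another logon-screen accessibility binary, the swapped file is byte-identical to cmd.exe in the same System32, and the tutorials usually leave a backup copy (Utilman.exe.bak or similar) behind. Hashing the candidate executables on a mounted image and comparing them against cmd.exe surfaces both. The list of logon-accessible binaries and the fake System32 tree are assumptions constructed for the demonstration; point `find_swapped_binaries` at the real `Windows\System32` of a mounted volume to use it.

```python
"""Detect the cmd.exe-over-accessibility-binary swap on a mounted Windows volume (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Executables launchable from the Windows logon screen (assumed list; extend as needed).
LOGON_ACCESSIBLE = (
    "Utilman.exe", "osk.exe", "sethc.exe", "Magnify.exe",
    "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe",
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: Path, names: Iterable[str] = LOGON_ACCESSIBLE) -> Dict[str, str]:
    """Return {file name: verdict} for files in System32 that look like a cmd.exe swap.

    Two signals: a logon-accessible binary whose content equals cmd.exe, and a leftover
    backup of one of those binaries (e.g. Utilman.exe.bak). Comparison is case-insensitive
    because the Windows file system is.
    """
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        raise FileNotFoundError(f"no cmd.exe in {system32}")
    cmd_digest = sha256_file(cmd)
    wanted = {n.lower() for n in names}
    findings: Dict[str, str] = {}
    for entry in system32.iterdir():
        if not entry.is_file():
            continue
        lower = entry.name.lower()
        if lower in wanted and sha256_file(entry) == cmd_digest:
            findings[entry.name] = "identical to cmd.exe"
        elif any(lower.startswith(n + ".") for n in wanted):
            findings[entry.name] = "backup copy left behind"
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed fixture: a fake System32 where Utilman.exe was overwritten with cmd.exe."""
    s32 = root / "Windows" / "System32"
    s32.mkdir(parents=True)
    (s32 / "cmd.exe").write_bytes(b"MZ fake cmd.exe image")
    (s32 / "Utilman.exe").write_bytes(b"MZ fake cmd.exe image")        # swapped in
    (s32 / "Utilman.exe.bak").write_bytes(b"MZ fake utilman image")    # tutorial leftover
    (s32 / "osk.exe").write_bytes(b"MZ fake osk image")                # untouched
    return s32


def demo() -> Dict[str, str]:
    """Run the check against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_swapped_binaries(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name}: {verdict}")
```

A byte-for-byte match with cmd.exe is a high-confidence indicator, since the genuine accessibility binaries never share a digest with it. The check does not cover the registry variant of the same trick, where an Image File Execution Options "Debugger" value redirects the accessibility binary to cmd.exe without touching the file; that has to be looked for in the offline SOFTWARE hive.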
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

I remember a bootable Linux CD in which I could modify the password at will, even clear it. I have forgotten the name of it; it worked from XP to Windows 7. I never tried it with Win 8 or 10, but I guess it would work.

 
Posted : 11/03/2018 2:32 pm
(@jefferreira)
Posts: 19
Active Member
 

You can use a Linux Live Distribution to access the data on the storage device or working image.

Once you mount the device or image, you are able to access and extract the registry files and any other artefacts.

PS I was on the move when I saw the post and did not read it carefully. You wrote that the Bios is password protected. I haven't done this in a while, but removing the battery from the motherboard should reset/remove the BIOS password.

 
Posted : 11/03/2018 4:24 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I remember a bootable Linux CD in which I could modify the password at will, even clear it. I have forgotten the name of it; it worked from XP to Windows 7. I never tried it with Win 8 or 10, but I guess it would work.

Yep :), and that again is resetting the password, not bypassing it and not cracking it.

A number of recovery/forensic oriented distros may include the Offline NT Password and Registry Editor
http://pogostick.net/~pnh/ntpasswd/
or chntpw
https://en.wikipedia.org/wiki/Chntpw
which is included, for example, in Kali and SystemRescueCD
https://en.wikipedia.org/wiki/Chntpw#Where_it_is_used

and that you can also get for most "standard" distros
https://pkgs.org/download/chntpw

jaclaz

 
Posted : 11/03/2018 4:38 pm
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

@benfindlay
Reset is different from bypass

<SNIP>

Indeed, however the two terms are often used interchangeably as, absent certain situational conditions, they can in fact be equivalent.

It may be, in the case of what mhibert is trying to achieve, that a reset will be sufficient, hence the suggestion.

mhibert, can you provide a little more information please?

 
Posted : 12/03/2018 8:52 am
JimC
(@jimc)
Posts: 86
Estimable Member
 

Thank you @Jaclaz for the helpful summary of the different methods.

Methods (1) and (2) both provide a system-level command prompt at the login screen. This can be used to reset an account password. Method (3) bypasses this and permits login with any password. The end result is almost the same, and all 3 methods require file system access to an unencrypted OS volume.

However, something which I don't think has been mentioned yet is that once the password has been changed (or bypassed) you will no longer have access to EFS encrypted data or other secrets protected by the Windows credential manager.

I would be interested to learn from other practitioners whether this scenario has come up, or whether changing/bypassing the password is sufficient in practice despite the limitation.

Jim

www.binarymarkup.com

 
Posted : 12/03/2018 11:26 am