Utilman.exe is a built-in Windows application that is designed to allow the user to configure Accessibility options such as the Magnifier, High Contrast theme, Narrator and On-Screen Keyboard before they log on to the system. It was designed to help people with impaired sight, hearing or mobility to log on to Windows themselves without outside help. It's a great feature for disabled people, but it opens up a security hole that we can take advantage of to bypass Windows logons.
Bypassing the Windows logon comes in handy if our clients have forgotten their logon password, their user profile was corrupted, or malware was interfering with the system before login.
This works because the user can trigger Utilman by clicking the Accessibility icon before Windows logon. This loads the Utilman.exe executable, which resides in the Windows\System32 directory. If you swap the Utilman.exe file with something else, like cmd.exe, you get a command prompt running with SYSTEM privileges. SYSTEM is the account with the highest possible privileges on Windows, similar to the root account on Unix systems.
This hack works on all versions of Windows from Windows 7 to Windows 11.
Here are the step-by-step instructions on how to do this.
Reset Windows passwords without any tool
First of all, we will need a way to access the file system to swap out Utilman.exe with cmd.exe. For that we need a Windows 10 or 11 ISO file.
Step-1 Download Windows ISO
Download the Windows ISO image from the official Windows website (you do not need a license key).
Step-2 Download Rufus
- https://rufus.ie/en/
Step-3 Make a bootable USB drive
Step-4 Boot from USB
Plug in the USB drive and reboot. Press Esc or F12 to enter the boot menu, then choose the option to boot from USB.
Step-5 Enter into Recovery Mode and then open command prompt
Once Windows Setup starts, choose the option to repair Windows. Choose Troubleshoot, and in the Troubleshoot menu choose Advanced options. In the Advanced options menu, choose Command Prompt.
Step-6 Make Windows Drive Available
Now we need to make the Windows drive available for manipulation. Use Diskpart to assign a drive letter to the Windows drive, running the commands in the sequence below:
Step-7 Replace Utilman with cmd
Rename utilman.exe (the accessibility tool) to some other file name and copy cmd.exe in its place as utilman.exe (in Windows\System32):
cd windows\system32
ren utilman.exe utilmanold.exe
copy cmd.exe utilman.exe
Step-8 Reboot and Open Accessibility Options
Remove the USB drive and reboot the system. Click the Accessibility icon in the right corner of the logon screen and a command prompt will appear. From here you can run many (if not all) of the commands you can normally use in Command Prompt.
Step-9 Resetting an Existing User's Password
Step-10 Creating a New User Account (Optional)
net user NewGuy abc123 /add
net localgroup Administrators NewGuy /add
Again, you should be able to log in straight away with this new account.
Step-11 Reverting Changes
cd windows\system32
del utilman.exe
ren utilmanold.exe utilman.exe
Then reboot the system.
To remove the new user account you just created earlier, type in:
net user NewGuy /delete
Note
On Windows 11, instead of the net user commands above, use the following:
control userpasswords2
net user Administrator /active:yes
To deactivate this Administrator account again, run:
net user Administrator /active:no
To replace a user's password, you can use commands like this:
net user TheUserName *
type the new password when prompted
re-type the password again to confirm
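From the defender's side, the swap described in Step-7 leaves clear traces on disk: utilman.exe becomes byte-for-byte identical to cmd.exe, its version resource no longer names the accessibility utility, and the renamed original usually lingers in System32. The following PowerShell check is an added example, not part of the original page; the function name Test-UtilmanIntegrity is hypothetical, and it assumes PowerShell 5.1 or later on the machine being audited, run from an elevated prompt.

```powershell
# Added example (not from the original page): verify that utilman.exe in
# System32 is still the genuine accessibility binary rather than a copy of
# cmd.exe, and look for the renamed original left behind by the swap.
function Test-UtilmanIntegrity {
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $utilman = Join-Path $sys32 'utilman.exe'
    $cmd     = Join-Path $sys32 'cmd.exe'

    # Signal 1: identical SHA-256 means cmd.exe was copied over utilman.exe.
    $utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
    $cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
    $sameAsCmd = ($utilHash -eq $cmdHash)

    # Signal 2: the version resource of a copied cmd.exe still carries
    # cmd.exe's own OriginalFilename, whatever the file is now called.
    $utilInfo = (Get-Item $utilman).VersionInfo
    $cmdInfo  = (Get-Item $cmd).VersionInfo
    $claimsToBeCmd = ($utilInfo.OriginalFilename -eq $cmdInfo.OriginalFilename)

    # Caveat: the Authenticode signature alone is NOT a useful signal here,
    # because cmd.exe is a Microsoft-signed binary too; a swapped file still
    # reports a Valid signature. It is recorded only for the report.
    $sigStatus = (Get-AuthenticodeSignature -FilePath $utilman).Status

    # Signal 3: the renamed original (e.g. utilmanold.exe from Step-7)
    # sitting next to utilman.exe is a leftover of the swap.
    $leftovers = Get-ChildItem -Path $sys32 -Filter 'utilman*.exe' |
                 Where-Object { $_.Name -ne 'utilman.exe' } |
                 Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Path              = $utilman
        HashMatchesCmd    = $sameAsCmd
        VersionInfoIsCmd  = $claimsToBeCmd
        FileDescription   = $utilInfo.FileDescription
        SignatureStatus   = $sigStatus
        LeftoverCopies    = ($leftovers -join ', ')
        Replaced          = ($sameAsCmd -or $claimsToBeCmd)
    }
}

# Usage: print the report; a Replaced value of True means utilman.exe has
# been tampered with and should be restored from a known-good source.
Test-UtilmanIntegrity | Format-List
```

Pair the file check with a review of Security event ID 4720 (user account created) and 4724 (password reset attempt), since the net user commands in Steps 9 and 10 generate those events once the system is back online.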