How to use Sticky Keys to change/unlock a forgotten password

Last Updated on December 4, 2015 by Dave Farquhar

This isn’t a particularly new trick, nor did I invent it. But it’s a good trick for breaking into a Windows system when you don’t have a lot of tools at your disposal, and have legitimate reason to do so–like a lost or forgotten local administrator password. I’ve talked about some of those reasons before. I’d also add someone locking themselves out of their own computer to the list. It happens, just like people locking themselves out of their cars, or their houses.

Not every writeup I’ve seen of this trick goes into what I would call sufficient detail. So I’ll take a shot at it.

The first step is to boot off either a Linux rescue CD or a Windows installation CD. When you boot off the Windows CD, go into the recovery options and select a command prompt.

If you used a Linux CD, open a terminal window. The first step is to mount the C drive. Usually mount /dev/sda1 /mnt does the job, unless whoever owns the system got too fancy with partitions for his own good.

Next, make a backup copy of sethc.exe:

cp /mnt/windows/system32/sethc.exe /mnt/windows/system32/sethc.bak

And then copy cmd.exe over the old sethc.exe:

cp /mnt/windows/system32/cmd.exe /mnt/windows/system32/sethc.exe

From a Windows command prompt, the commands are similar:

copy c:\windows\system32\sethc.exe c:\windows\system32\sethc.bak

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

Now shut down the system cleanly. Usually a simple shutdown command from a Linux CD does the trick. From Windows, exit may do the trick, or you may have to hit ctrl-alt-delete, bring up Task Manager, and shut down from it, depending on the version of Windows.

Once the system is down, boot off the hard drive. Hit the shift key five times, and now, instead of the annoying Sticky Keys dialogue, you get a command prompt. Now the little-known net user command can save the day.

Type net user to list the usernames.

Type net user username password to reset the password.

If you don’t want the five-shift sequence to bring up a command prompt window with administrator rights forevermore, boot off your recovery/rescue CD again and issue the appropriate command sequence:

From Linux:

mount /dev/sda1 /mnt

cp /mnt/windows/system32/sethc.bak /mnt/windows/system32/sethc.exe

From Windows:

copy c:\windows\system32\sethc.bak c:\windows\system32\sethc.exe

The specifics can vary slightly depending on what you’re using to boot from, but this should give you enough detail to work out the rest.

If you see this as a vulnerability, rather than a tool, you can reinstall Windows using a tool like nlite or 7customizer, and leave out Accessibility Options. But keep in mind that anyone who can exploit this can get in another way too.

If you found this post informative or helpful, please share it!