Reset Forgotten Windows Password (Educational Guide)

⚠️ Disclaimer
This tutorial is for educational purposes only. The method described here demonstrates how an attacker or technician could reset a Windows password if they have physical access to the machine.

  • Do not attempt this on any device you do not own or do not have explicit permission to test.
  • The purpose is to learn how such attacks work and how to protect your own systems.

Overview

If you forget your Windows password, it is possible to reset it without losing data.
This method does not require coding skills and can be performed by almost anyone with physical access to the device.

The technique works by replacing the Windows Sticky Keys utility (sethc.exe) with cmd.exe from the recovery environment. After Windows restarts, triggering Sticky Keys on the login screen opens a system-level command prompt, from which the password can be reset.


Requirements

  • A Windows machine (can be a VM or an actual laptop)
  • Physical access to the target machine.
  • Basic knowledge of using the command prompt.

πŸ“ This tutorial is demonstrated on Windows 11, but the same method can also be applied to Windows 10.


Steps to Reset Password

1. Turn on the Windows machine and boot it into the Windows Recovery Environment (WinRE)

  • On your lock screen, hold SHIFT and press RESTART to enter WinRE mode.

2. Go to Recovery Settings and File Systems

  • Choose Troubleshoot.
  • Choose Advanced options.
  • Choose Command Prompt.

A black Command Prompt window will then pop up.

  • Type notepad at the command prompt.

Note: We are not going to create any new files, only rename existing ones.

  • In the Notepad window, choose File > Open.

3. Modify System Files via File Explorer

  • Go to This PC > Local Disk (C:).
  • Go to the folder Windows > System32.
  • Set the option Files of type to All Files.
  • Find the file named sethc.
  • Rename it to sethc-netvn.

Note: After renaming, you may still see the name sethc. That is okay; just make sure you have actually changed the name.

  • Find the file named cmd.
  • Rename it to sethc.

Note: After renaming, you may still see the name cmd. That is okay; just make sure you have actually changed the name.

4. Reboot the Windows Machine and Reset the Password

  • Close File Explorer, Notepad and Command Prompt.
  • Click Continue.
  • After rebooting, on your lock screen, press the SHIFT key on your keyboard 5 times.
  • This triggers a command prompt pop-up.
  • Type net localgroup administrators.
  • You should see your username listed among the administrators.
  • Type net user <your username> *
  • Type your new password 2 times. If you see the success message, you have completed resetting the password:
C:\Windows\System32> net user <username> *
Type a password for the user:
Retype the password to confirm:
The command completed successfully.

Note: If your username contains a space, such as Michael Jackson, put it in double quotes in the command: net user "Michael Jackson" *

  • Close the command prompt and type your new password to login to your Windows machine.

Key Takeaways

This method works because Windows allows replacing system utilities in recovery mode.

No user data is lost; only the password is reset.

Disk encryption (BitLocker, VeraCrypt) prevents this attack, since the drive would be locked in recovery mode.
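
To protect your own systems, you can check a running Windows install for the traces this procedure leaves and confirm the BitLocker takeaway. The PowerShell audit below is an added example, not part of the original tutorial; the function name Test-StickyKeysSwap is hypothetical, it assumes an elevated session, and its hash comparison goes slightly beyond the steps above by also catching a copy of cmd.exe placed over sethc.exe.

```powershell
# Added example (not from the original tutorial): audit for the sethc.exe swap.
# Test-StickyKeysSwap is a hypothetical name; run from an elevated session.
function Test-StickyKeysSwap {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $sethc    = Join-Path $System32 'sethc.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $findings = @()

    # Step 3 renames cmd.exe away, so its absence is itself an indicator.
    $cmdPresent = Test-Path -LiteralPath $cmd
    if (-not $cmdPresent) { $findings += 'cmd.exe missing from System32' }

    # Renamed originals such as sethc-netvn (the name used in this tutorial).
    Get-ChildItem -LiteralPath $System32 -Filter 'sethc*' -File |
        Where-Object { $_.Name -ne 'sethc.exe' } |
        ForEach-Object { $findings += "unexpected file: $($_.Name)" }

    if (Test-Path -LiteralPath $sethc) {
        # Byte-identical copy (covers copying cmd.exe instead of renaming it).
        if ($cmdPresent) {
            $h1 = (Get-FileHash -LiteralPath $sethc -Algorithm SHA256).Hash
            $h2 = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
            if ($h1 -eq $h2) { $findings += 'sethc.exe is byte-identical to cmd.exe' }
        }
    } else {
        $findings += 'sethc.exe missing from System32'
    }

    # Takeaway check: is the system drive protected by BitLocker?
    $bitlocker = 'Unknown'
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitlocker = [string]$vol.ProtectionStatus
    } catch { $bitlocker = 'Unknown (not elevated, or BitLocker module absent)' }

    # One object per run, so the result can be logged or collected centrally.
    [pscustomobject]@{
        Tampered            = $findings.Count -gt 0
        Findings            = $findings
        BitLockerProtection = $bitlocker
    }
}

Test-StickyKeysSwap | Format-List
```

An untouched system reports Tampered as False with an empty Findings list; BitLockerProtection reads On when the system drive is protected.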

Author & Credits

This tutorial was written by James Cao