How To Hack Your (Friend’s) Windows 7 Password

DISCLAIMER – The purpose of this post is to show how vulnerable Windows 7 is. The writer disclaim all the charges for any damages caused by this post. You MUST address the claim to Microsoft® for developing such a bad security on their operating system.

Recently I just told that I could hack the password on Windows 7 by the infamous NET command from command prompt. I tried it when I’m on Samarinda last sunday when configuring the laptop for computer training participant. It failed. I was told using NET USER command from the command line console in Windows Recovery Tools. I found it very ridiculous which the NET USER commands return the users on the Windows 7 installer environment, which are Administrator and Guest only. It is not linked to the Administrator account on your installed Windows on your hard drive.

While today, when I consider that “myth” is busted, my friend Ken Danniswara told me that that is not how you do it. You use the recovery command line console to perform some “magic” trick to Windows system files, before you can actually hack a password in less than 10 minutes. And then he explained to me how he performed it. So here it is:

  1. Start Windows Recovery Tools by inserting and boot Windows installation DVD or flash drive, and click Repair Your Computer.
  2. Select the OS, and click Next. Choose Command Line tools to show command line console.Hack-Win-7
  3. Change the current drive of the console to your Windows 7 drive. Usually it is the D: drive not C:. That’s because of the default partition structure of Windows 7 installation is divided into two different partition which the first partition (with 100 MB size) is the System Reserved partition for booting, which is assigned to C: in the recovery tools.
  4. Go to WindowsSystem32 directory, then rename Magnify.exe to Magnify.exe.bak. You could also use executable other than Magnify.exe, such as OSK.exe and Narrator.exe. You can guess what they do: the accessibility tools which is highly usable to access our victim computer. 😛Hack-Win-7-2
  5. After backing up one of those programs, copy cmd.exe and name it Magnify.exe or the respective executable you renamed on step 4.
  6. Restart and boot to Windows 7. Proceed until login screen appears. Choose the accessibility tools from the left down corner and chose the respective tools such as Magnify, On-Screen Keyboard, or Narrator by check the box.Hack-Win-7-3
  7. Hack-Win-7-4Then you click Apply or OK, voila!
  8. And to hack the password, use NET USER [USERNAME] *. It will ask the new password for the user. You can enter a new password or leave it blank to remove it by click Enter immediately after prompted.Hack-Win-7-6
  9. At last you can enter the protected Windows 7 account!

As you can see, you can apparently start a command line tools on your login screen just by renaming an accessibility tool and run it from accessibility button on the login screen. It is so cheap eazee for a dummy with a little skill on Windows command line basics such as COPY, MOVE, REN, and CD command. You are not required to buy a very expensive program to recover your lost password. You can even hack the password of your friend’s PC. For free!


Start menu on login screen

Not only that. You can try to run EXPLORER.EXE from the console, and see how it goes. It starts the task bar and you can click Start in your log on screen. You can also start the Task Manager from the task bar. You might be able to run another application such as Windows Media Player, Office, etc. But of course, never wish that it will successfully run or perform beautifully. Almost all application run from this console will perform prematurely. But at least, the infamous powerful NET command perform very slick and beautiful.

And the worst is, the console is run in elevated mode. It means that it runs on SYSTEM user, which is might be higher or at least same with Administrator user, which you can almost do anything to destroy your system, just like what we’ve done previously. This way, you can make the system even more vulnerable by modifying, say, the firewall, group policy, services, etc.

The Accessibility tools actually should not be that “accessible”. From here, I could conclude some of Windows 7 administration process, such as start up process. It seems that after Windows 7 finishes booting its kernel, it loads the login processing under the SYSTEM user. SYSTEM user itself is not a “normal” user. It is used by Windows 7 to load certain OS specific application which needs to be run at highest access level such as SVCHOST (A service host for Windows), or some drivers and services. You cannot log in to SYSTEM because in fact it is not a real user, but a built in user and (might be) hard coded to Windows kernel.

And because the login processing is under the SYSTEM user, and even the login screen IS under the SYSTEM user, if the login screen tries to execute another program or create a new process, it will be created under the SYSTEM user. That is what happen to those accessibility tools. Once the tool is renamed, it just stupidly load the executable with the respective names such as OSK.EXE for On Screen Keyboard or MAGNIFY.EXE for Magnifier. The accessibility launcher does not check if the executable is not the right executable. If it isn’t the right executable but it has the right name, it will still be executed by the launcher. That’s how we got command line after clicking OK or Apply. We got a command line with elevated privileges, which means we can run NET command under elevated privileges. NET command under elevated privileges for bad user is BAD.

At last, it’s up to you how you judge Windows 7 security. I find it the security is stupidly very vulnerable and very risky for large scale application. This password hacking method is only plausible for local users, not a domain users. For a company which uses Active Directory for domain and user management, this method is (should be) not working. I will do some research on MIC computer next Monday. But of course, this does not means that your PC which use Active Directory service is safe. In fact it is still unsafe at all! By using that command prompt, the bad user can create a user account to access the PC directly, and of course perhaps making some changes, stealing data, etc.

This vulnerable perhaps created from bad Windows 7 coding and architecture. This must be a total concern for Microsoft® to fix it as it is a stupidly dangerous for critical system and critical data. You don’t want dummies can steal your data easily while you are a System Administrator, or at least, a total geek. Windows is just too stupid to protect your data from bad person.

But of course, I still use Windows! I cannot leave Windows because there are so many things I could do with this stupid OS while I can do only a little things on other OSes. 😛

At last, I’d like to thanks Ken Danniswara for sharing his knowledge to me, and Raka for sharing his knowledge to Ken Danniswara. It is just a simple hack almost anyone can do but I never think about it before. 😀

You may also like...

4 Responses

  1. lets go tell IBM about these stupidities

  2. Raka says:

    i remember this tuts
    you are welcome 😀

Leave a Reply

Your email address will not be published. Required fields are marked *