This article uses a known Windows backdoor to open a command prompt on the Windows login screen. The process temporarily replaces the ‘Sticky Keys’ function so that it launches the command prompt instead, which allows changes to the user account before login.
- USB Drive, formatted before use
- An additional computer with Windows 10 installed
A) Create a Windows 10 repair drive on another Windows 10 computer, using the USB drive as the recovery drive. This is the longest portion of the guide.
1. Start menu > ‘Create a recovery drive’
2. Follow the wizard.
B) Enable USB as boot priority in the computer’s BIOS settings. This feature is different for each motherboard manufacturer. Google your motherboard model for specific information regarding BIOS access and settings.
C) Connect the repair drive created earlier into the computer with the lost password while it is powered off. Power on the PC and boot into the repair drive (USB).
D) When booted into the repair drive:
1. Choose your keyboard layout. ‘US’ is typically the first on the list
2. Choose the ‘Troubleshoot’ option
3. Choose the ‘Advanced Options’
4. Choose the ‘Command Prompt’ option
E) Determine which drive letter the Windows 10 OS is installed on. If you know where Windows is located, skip to step F.
If unsure of which drive letter the Windows OS is installed on:
1. In the command prompt type:
wmic logicaldisk get name
to get a list of the drive letters in use. Write these down.
2. Start with the first letter on your list: type the drive name in the command prompt, e.g. ‘E:’, and hit Enter. The command prompt will switch to drive E:. Then enter ‘dir’ to see the contents of the drive. If the listing does not contain a ‘Windows’ folder, move to the next letter on the list and repeat the commands in this paragraph.
F) Once we have the correct drive letter for the Windows 10 OS, we can start running commands in the command prompt. Note: Change ‘LETTERNAME’ to the letter of the actual drive.
1. Copy the original sethc.exe to the root of the drive:
copy LETTERNAME:\windows\system32\sethc.exe LETTERNAME:\
The command prompt should give you a notice that a file has been copied.
2. Overwrite sethc.exe with cmd.exe:
copy /y LETTERNAME:\windows\system32\cmd.exe LETTERNAME:\windows\system32\sethc.exe
The command prompt should notify you of a file change once again.
3. Exit the command prompt, turn off the computer (through Windows, on the previous ‘Troubleshoot’ screen), and remove the USB repair drive when fully powered down.
G) Boot up the computer and go to the login screen.
1. In the bottom-right corner of the screen should be the ‘ease of access’ button. Click the button and enable ‘Sticky Keys’.
2. Hit the Shift key five times.
3. A cmd prompt should pop up. In the command prompt run this last command:
net user $USERNAME $PASSWORD
where $USERNAME is the user account that needs recovery and $PASSWORD is the new password that will be set.
4. Exit the command prompt.
5. Log into the user account with the new password created.
Congratulations, you should have restored access to your computer!
H) Once booted in, restart the computer and log in to ensure the change stays in effect. It is recommended to run Windows updates and update drivers. After the first reboot, sethc.exe and cmd.exe should return to normal.
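To confirm the state of sethc.exe after step H, the following PowerShell check compares its hash with cmd.exe and with the copy made in step F. It is an added example, not part of the original guide; the drive letter C: and the helper name Get-Sha256 are assumptions.

```powershell
# Added example: check whether the Sticky Keys binary is still a copy of cmd.exe.
# Assumptions: Windows is on C: (set $Drive to the letter found in step E) and
# the copy made in step F still sits at the root of that drive.
$Drive  = 'C:'
$sys32  = Join-Path "$Drive\" 'Windows\System32'
$sethc  = Join-Path $sys32 'sethc.exe'
$cmd    = Join-Path $sys32 'cmd.exe'
$backup = Join-Path "$Drive\" 'sethc.exe'

function Get-Sha256 {
    param([Parameter(Mandatory)][string]$Path)
    # Return $null for a missing file instead of throwing.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

$sethcHash  = Get-Sha256 -Path $sethc
$cmdHash    = Get-Sha256 -Path $cmd
$backupHash = Get-Sha256 -Path $backup

if (-not $sethcHash) {
    $state = 'sethc.exe is missing from System32'
} elseif ($sethcHash -eq $cmdHash) {
    # Shift x5 on the login screen would still open a command prompt.
    $state = 'sethc.exe is identical to cmd.exe: the replacement is still in place'
} elseif ($backupHash -and $backupHash -ne $sethcHash) {
    # Not cmd.exe, but not the file saved in step F either (an update may have replaced it).
    $state = 'sethc.exe differs from cmd.exe and from the step F copy: review it'
} else {
    $state = 'sethc.exe is not a copy of cmd.exe'
}

[pscustomobject]@{
    State        = $state
    SethcPath    = $sethc
    SethcSha256  = $sethcHash
    CmdSha256    = $cmdHash
    BackupPath   = $backup
    BackupSha256 = $backupHash
} | Format-List

if ($backupHash) {
    Write-Warning "The step F copy is still present at $backup; remove it once sethc.exe is confirmed restored."
}
```

If the check reports that the replacement is still in place, boot the repair drive again and run copy /y LETTERNAME:\sethc.exe LETTERNAME:\windows\system32\sethc.exe to put the saved original back.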