IT administrators sometimes lose access to admin rights. This usually happens when devices are inherited from departed staff at short notice and without an accessible central system to catalogue all these assets. Not having administrative privileges can limit your ability to perform debugging and other important tasks on your device, especially for IT professionals. Previously, I described how to regain access for Linux systems and this post is now for Windows based systems.
Regaining admin access is not an issue when you have physical access. The best way to do so is by using a bootable Windows installation USB stick. To create a bootable Windows installation USB stick, you will need a Windows ISO file and a USB drive with at least 8GB of space. You can download the Windows ISO file from the official Microsoft website. Once you have downloaded the ISO file, use something like Rufus to burn the ISO onto the USB stick to make the ISO bootable.
The second step is to boot from the USB. Restart the computer and enter the BIOS menu by spamming the keys (F2, F10, or Delete) during the boot process. If you know the correct key to press, you can also more gracefully press that specific key once at the appropriate time during the boot process. From the BIOS menu, change the boot order so that the first boot device is the USB stick. If there is a forgotten BIOS password, note that the BIOS password can be cleared by accessing jumpers or the CMOS battery on the motherboard.
In step 3, at the setup screen, avoid the “Install Now” and click “Repair your computer”. In the command prompt that appears, we are going to rewire some of the programs on the hard disk so that we can access privileged programs before logging in as an administrator. This is the sole purpose of using this command prompt since we need to modify these programs offline without being blocked by Windows security. Through this, we can then use the privilege to regain admin rights on the device.
Replace the sethc.exe file with cmd.exe through the following commands,
cd /D C:\windows\system32
move sethc.exe sethc_backup.exe
copy cmd.exe sethc.exe
What this achieves is to replace the sticky keys program (sethc.exe) with a command prompt. Exit the command prompt and restart your computer without the USB stick. You will now boot into your Windows start-up screen.
In step 4, press the Shift key five times to trigger the stick keys program. Instead of the default “Do you want to turn on Sticky Keys?” prompt, you now get a command prompt. This command prompt is elevated because the command prompt is spun out by the Winlogon process which takes care of login process. Begin a system-level process, Winlogin runs with high privileges and so the command prompt inherits the high privilege.
In step 5, admin rights can be restored by adding a new user account and granting admin privileges to it,
net user newusername newpassword /add
net localgroup administrators newusername /add
Admin access to your Windows device is now restored through the newly created account.