How To Temporarily Change Password for Windows User and Restore It Back
If your are servicing somebody other's PC, you may have need to access the local administrator account for a short time. But sometimes it's not possible to get in touch with PC owner (e.g. late at night), and it's undesireable to reset password permanently, because people don't like their things broken.
This article explains how to change Windows password temporarily, gain access to the user account for a short time, perform system maintenance, and restore original password back.
1. Intended audience and formulation of the problem
This feature is for computer technicians and support personnel, who need to have temporary access to the local administrator account only for the servicing time. This is only needed when the owner has password protected all local admin accounts, and it's not possible to get in touch with PC owner at the time of servicing of their PC (i.e., late at night or during their work hours).
Also, it's not desireable to reset user's password permanently in this situation: People don't like their things broken.
So, the problem is how to change password of Windows user temporarily, perform system maintenance, and restore original password back.
2. Theory of the solution
Windows passwords are stored in HKEY_LOCAL_MACHINE\SAM registry hive in hashed and encrypted form: one-way function is applied to the plaintext password, then it's encrypted with SYSKEY stored in HKEY_LOCAL_MACHINE\SYSTEM registry hive and stored on disk.
So, it's possible to decrypt password hash (SYSKEY is stored nearby), but it's not possible to dehash the password because of one-way function. Also, it's not possible to take SAM file from another PC with the same user names, because SYSKEYs will not match, so decrypted password hashes will contain random garbage and Windows will reject login attempts for all users.
But it's possible to backup local SAM file with unknown password and restore it back later when needed. Entire algorithm of setting temporary password:
3. Step by step guide
1) Download EBCD and burn it to CD/DVD according to the instructions, then set up your BIOS to boot from CD. You need full EBCD version to actually write changes to the disk, but it's recommended to try demo version first to make sure there are no hardware incompatibilities.
2) Boot EBCD and run File Manager from the main menu:
3) File Manager will open disk Z: on both panels:
4) Press Alt+F2 and choose your Windows system partition on the right panel (D: in this example):
5) Press ENTER and make sure that list of files and folders look familiar. Navigate to the Windows folder using arrow cursor keys and then press ENTER:
6) Inside Windows folder, navigate to the system32 subfolder using arrow cursor keys and then press ENTER:
7) Inside system32 subfolder, navigate to the config subsubfolder using arrow cursor keys and then press ENTER:
8) Make sure SAM and SAM.LOG files are there:
9) Press Alt+F1 and choose your Windows system partition on the left panel (D: in this example):
10) Press ENTER and make sure that list of files and folders look familiar. Press TAB to switch input focus to the left panel:
11) Press F7 to request folder creation. Enter "sam_backup" or other similar name:
12) Press ENTER to confirm operation and make sure sam_backup folder appears on the left panel:
13) Press ENTER to enter sam_backup on the left panel, then press TAB to switch input focus to the right panel, navigate to the SAM file and press INSERT key twice to select it and the next file (SAM.LOG):
14) Press F5 to open file copy dialog, make sure everything is right and confirm with ENTER:
15) Make sure SAM and SAM.LOG files appear on the left panel, then press F10 and ENTER to exit EBCD File Manager:
16) Run "Windows Password Wizard" from EBCD main menu:
17) Please read this carefully. If you don't agree, do not use the software and do not continue to read this guide:
18) Choose user account to change password for. It's called "User" in this example:
19) Enter the new password ("1234" in this example) and press ENTER. You may use empty password if you wish:
20) You should see the following message:
21) Choose "Reboot" in EBCD main menu.
22) Boot into Windows and perform system maintenance as planned. Use "1234" or another temporary password you've set on the step 19 in order to log on into Windows.
23) Boot into EBCD and choose File Manager in the main menu:
24) File Manager will open disk Z: on both panels as usually:
25) Press Alt+F1 and choose your Windows system partition on the left panel (D: in this example):
26) Switch input focus to the left panel with TAB key. Using arrow keys, navigate to sam_backup folder and enter that folder:
27) Press Alt+F2 and choose your Windows system partition on the right panel (D: in this example):
28) Go to Windows folder and press ENTER:
29) Go to system32 subfolder and press ENTER:
30) Go to config subsubfolder and press ENTER:
31) Make sure SAM and SAM.LOG files are there. Press TAB to switch input focus to the left panel, then go to the original SAM file on the left panel and press INSERT twice (in order to highlight SAM and SAM.LOG for copying):
32) Press F5 to open file copy dialog. Make sure target path for copying is right. Confirm with ENTER:
33) Choose "Overwrite All" in this dialog:
34) Screen should look like this after copying. You may go up on the left panel by pressing ENTER on .. item and then press F8 to delete sam_backup folder. Then press F10, ENTER to exit EBCD File Manager
35) Finally, choose "Reboot" in EBCD main menu. Next time Windows boots, the user will be able to log on with his/her original password.