I don’t often need to hack into a computer now, and I definitely resist doing it to a new Windows 8.1 machine, because the manufacturers have made it so hard.
But a good customer came in with a machine he had been given by his sister. She had owned the PC for a few months but had never really used it, and had forgotten the password. As she lives in Australia, the normal password recovery processes of cellphone or alternate email address would have been particularly onerous. There was no COA on the PC, and removing the disk to run recuva keys on another PC was going to be difficult, as a complete strip-down of the PC would be required.
I could have just done a Windows reset from the recovery options, but waiting for all those updates to download and install was not something I wanted to do.
So I decided to exploit the one Windows logon weakness which has been present since Windows Vista: the accessibility option which is available before logon, from the lock screen (the button down on the lower left of the screen which normally lets users with impaired vision set up their options). In Vista and Windows 7 it is a fairly simple process: boot using a recovery disk (or an Ubuntu live disk if you prefer), take a copy of the exe file that is executed by that button, and then overwrite that same file with a copy of CMD.exe. When the machine is started normally, the button then gives you the CMD dialog box, and you can do whatever you like. The simplest way is to use NET USER username newpassword, which sets the password on the chosen user to whatever you want it to be. Upon completion, use the recovery disk to restore the contents of the original file. Easy, eh?
It all gets a bit trickier in Windows 8 and 8.1 on a UEFI machine. How tricky depends on the manufacturer; Toshiba and Acer are my least favourite at the moment. The steps are roughly as follows.
1. Boot into the UEFI firmware settings. You may need to use Shift+Restart in Windows to get to this boot option: hold Shift while clicking Restart, choose Troubleshoot and then Advanced options, and choose the option to boot into UEFI firmware settings. On the Toshiba, holding 0 down as you boot is one option, as is holding F2 down while you boot. I had to use both of these at different times.
2. Change three options in UEFI: a) disable Secure Boot in Security; b) change the Boot Mode from UEFI boot to CSM boot in System Configuration (you may need to hunt around for this one); and c) change the boot priority to the optical drive (this may not really be necessary, but as I was in there, I did it anyway).
3. Boot using a Windows 8 install or recovery disk. Make sure you select the correct keyboard on the first screen, then select Repair your computer on the next. In the cmd box that pops up, do the normal file copying as described above, and exit.
4. On the Toshiba I was using, it would not boot into the UEFI disk as it was, so I needed to go back into the UEFI settings and reverse the three changes in point 2 above.
5. Boot normally, and at the lock screen use the Accessibility button to bring up the command line dialog, then use the net user command to do your stuff. In this case, net user would not let me change the password on a user name which was in the form of an email address, so I used these two commands to create a new admin user: NET USER newuser newpassword /add and NET LOCALGROUP Administrators newuser /add.
6. Reboot so that the new user appears on the lock screen, and log in with newuser and newpassword. You can now set up your new user, delete the existing user, or perform whatever fix you need to do.
7. Repeat steps 1 to 4, but restore the exe file to its original state.
All done: Windows 8.1 on a locked-down computer, broken into.
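For anyone administering machines where this trick is a concern rather than a convenience, the swap described above leaves two traces that are easy to check from an elevated PowerShell prompt: an executable in System32 that is stored under one name but reports another as its embedded OriginalFilename (a copied CMD.exe still says "Cmd.Exe" inside), and an unexpected account in the local Administrators group. The script below is an added example, not code from the original post; it assumes PowerShell 4.0 or later (which Windows 8.1 ships with) and that the system drive is the one in $env:SystemRoot.

```powershell
# Added example (not from the original post): detect the lock-screen binary
# swap and the local admin account it is typically used to create.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Executables whose embedded OriginalFilename disagrees with the name
#    they are stored under. A swapped-in cmd.exe still carries a valid
#    Microsoft Authenticode signature, so a signature check alone would
#    NOT flag it; the internal name and the last-write time are what give
#    it away. Expect a handful of benign mismatches on any build, so
#    compare against a known-good machine before acting on the list.
$mismatched = Get-ChildItem -Path $system32 -Filter '*.exe' -File |
    ForEach-Object {
        $internal = $_.VersionInfo.OriginalFilename
        # Some system binaries legitimately report "name.exe.mui"; normalise that.
        if ($internal) { $internal = $internal -replace '\.mui$', '' }
        if ($internal -and $internal -ne $_.Name) {
            [pscustomobject]@{
                Path         = $_.FullName
                OriginalName = $internal
                Signature    = (Get-AuthenticodeSignature $_.FullName).Status
                LastWriteUtc = $_.LastWriteTimeUtc
            }
        }
    }

# 2. Any executable in System32 that is a byte-for-byte copy of the local
#    cmd.exe under another name (catches the swap when the copy came from
#    this same build; a cmd.exe taken from other media is caught by step 1).
$cmdHash = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
$cmdCopies = Get-ChildItem -Path $system32 -Filter '*.exe' -File |
    Where-Object {
        $_.Name -ne 'cmd.exe' -and
        (Get-FileHash $_.FullName -Algorithm SHA256).Hash -eq $cmdHash
    } |
    Select-Object FullName, LastWriteTimeUtc

# 3. Members of the local Administrators group, via ADSI so it also works
#    on Windows 8.1 where Get-LocalGroupMember does not exist.
$group  = [ADSI]'WinNT://./Administrators,group'
$admins = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 4. Recent account-creation (4720) and group-membership-change (4732)
#    events; "net user /add" run from the lock-screen cmd box runs as
#    SYSTEM and still produces these. Silently skipped if auditing is off.
$accountEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

"`n== Executables whose internal name does not match their file name =="
$mismatched | Format-Table -AutoSize
"`n== Byte-for-byte copies of cmd.exe under another name =="
$cmdCopies | Format-Table -AutoSize
"`n== Local Administrators =="
$admins
"`n== Recent account creation / admin group changes =="
$accountEvents | Format-List
```

The useful signal is the combination: a System32 executable whose internal name is "Cmd.Exe" and whose LastWriteTimeUtc is days or months newer than its neighbours, plus an administrator account and a 4720 event from the same window. Restoring the original file from a trusted copy (as step 7 above does) clears the first trace but not the event log entries, which is why the log check is worth keeping even on a machine that looks clean on disk.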