How can I reset a PC if I forgot the administrator password?


Suppose you found a PC in a closet and you want to reset it, but you forgot the administrator password. What can you do?

There is an emergency reset button that you can activate like this:

  • Turn off the computer.
  • Turn on the computer, but while it is booting, turn off the power.
  • Turn on the computer, but while it is booting, turn off the power.
  • Turn on the computer, but while it is booting, turn off the power.
  • Turn on the computer and wait.

After three failed reboot attempts, Windows goes into recovery mode, and one of the options there is to reset the computer. One of the reasons that option exists is to address exactly this problem: you find an old machine whose password you have forgotten, and you just want to reset the PC and start over clean.

Note that doing this requires physical access to the computer, so we're still covered by Law 3 of the Ten Immutable Laws of Security.

Update: Clarified that this resets the PC and starts over with a fresh install of Windows, erasing any data that had been on the PC. This is not a password reset.

Comments (52)
  1. kantos says:

    Hopefully this can be turned off in Group Policy, otherwise this could be a security risk for stolen hardware.

    1. Not really. If your hardware is stolen, the security risk is someone pulling out the hard drive, plugging it into a different machine, and then reading the files directly while ignoring the ACLs (or stomping over them, if you want). The risk here is data loss when you reset Windows, but that's kind of a given.

      1. kantos says:

        I was thinking more in the bitlocker case where that isn't as applicable.

        1. In the Bitlocker case, your entire hard drive is encrypted, so the PC won't boot unless you keep the hard drive in the machine that has the key in TPM or if you enter in the BitLocker password. I don't know how Bitlocker responds when you reset Windows, but I would be very surprised if it ended up in allowing a nefarious actor to bypass security.

          1. In case of BitLocker, Windows Setup or Windows PE will give you a chance to mount the partitions using their respective recovery keys.

          2. kantos says:

            I suspect that the 3rd rule applies here. If they are a Nation State Actor then they can probably brute force it. If they are just criminal elements then they will probably just wipe the machine and reinstall assuming they can physically remove the hard drive or get into bios and change the boot device. They'd probably be relying on Windows 10's hardware associated activation keys to give them a serviceable machine. All of this assumes that corporate hasn't configured Intel ME etc. which would allow the device to phone home and send the cops.

          3. smf says:

            "In case of BitLocker, Windows Setup or Windows PE will give you a chance to mount the partitions using their respective recovery keys."

            Allowing someone access to your hardware and the bitlocker recovery keys, is like locking your front door and then hanging the key on a hook next to the door.

            Storing your bitlocker recovery keys on a bitlocker to go usb stick is a reasonable compromise.

    2. Joshua says:

      Wouldn't help much. There are instructions floating around the internet to install a batch file as a service that resets the administrator password.

    3. wouldn't matter... live CD's have been able to crack open the ntlm database and reset passwords for years (at least as far back as XP, if not 2000/NT4)

      1. Andy Balholm says:

        I've done it on NT 4. (On one of a lot of 3 computers that I bought for one cent at an auction.) But the hard disk failed shortly thereafter, so I didn't really gain anything.

      2. cheong00 says:

        And I've done it for Vista in order to reset the password of a neighbour's notebook computer.

      3. operagost says:

        LM and NTLMv1 security isn't really relevant in this day and age.

      4. Bryan W says:

        Definitely goes back to Win 2000 - in college I used to make $50 - $90 a pop doing admin password resets for insurance sales people who had lost their passwords and needed to get their desktops/laptops back up & running.

        That and clearing viruses off XP pre-SP2 were huge money makers.

    4. smf says:

      What risk do you want to mitigate?

      If you want to protect your privacy then use bitlocker. However the thief can still remove the hard drive and wipe it, then replace it, install an OS and wipe the TPM. You can't prevent the thief destroying your data as they could just crush it.

      If your bios can display a bootup message then you can add your name and phone number, which can make it harder for the thief to sell the equipment on (or ensure they are caught quite quickly). If you have signature checking enabled in the bios then this can make it very tricky to remove.

      It's a pity that https://en.wikipedia.org/wiki/LoJack_for_Laptops opens up its own security issues, it's also a pity that Microsoft haven't included something in Windows where you can report your computer stolen and then any identifiable parts from it would flag up when Windows phones home for updates.

  2. henke37 says:

    Seems complicated. But hey, at least it doesn't require having any alternative bootable media on hand (PXE is my favorite), that might in turn require fiddling with a password protected bios.

    Or hey, just be the NSA and use the Intel management engine.

    1. Intel Management Engine?

      Wow. This conspiracy theory is new. Hadn't heard this one before.

  3. Piotr says:

    About the ten immutable laws of security page: what's the date on that one?

    1. Scarlet Manuka says:

      Also, if those laws of security are immutable, why is it version 2.0?

      (I know, I know, but I couldn't resist the cheap shot. Sorry.)

    2. If my memory is to be trusted, the date of publication is around the time of Windows Vista.

  4. mikeb says:

    I can't believe I had never heard about this before.

  5. ZLB says:

    Is there a reason (other than computers are really fast now!) that F8 doesn't work anymore?

    1. How do you hit F8 on a keyboardless tablet?

      1. Joshua says:

        That market failed you. Stop constraining desktop because of it.

        1. Nathaniel says:

          If you're really bothered by it, I see quite a few reasonable-looking results from searching for "enable f8 windows 10" that suggests you can bring back the menu by running the command "bcdedit /set {bootmgr} displaybootmenu yes" in an elevated command prompt.

          Given the number of times I restart dwarfs the very few times I need the boot menu, I'm pretty okay with the tradeoff in the direction of faster boot times, even on desktops with a functioning F8 key.

          1. Joshua says:

            The timing's too tight for F8 to work properly. Hold Ctrl while booting works better, but Windows 10 has it not.

      2. Zan Lynx' says:

        How do you reset the power before a tablet finishes booting? My Surface Pro boots before I could hold down the power button long enough to force power off.

        1. cheong00 says:

          Agreed. It's much like you can't possibly press F5/F8 fast enough to boot into safe mode now if you're running an old version of Windows.

          So instead, you do hard reset to reown access to it. (Note that Surface has BitLocker enabled by default so if you lost your password, the data there is considered gone)

          Or if your login is bound to a Live account... would you forget the Live account password you use every day? :O

        2. Sébastien Sevrin says:

          Maybe you're not powering off your tablet. By default, latest versions of windows are entering a specific kind of sleep mode instead of shutting down. This behavior can be changed in the settings, or by holding shift while clicking to shut down (not sure if it can be done on a tablet).

      3. Piotr says:

        The same way you press it on a keyboardless PC - you connect a keyboard to it. It's just a peripheral device.

    2. Because fast SSD + fast BIOS/EFI = near-instant on. You can't reliably press F8 in that time window anymore.

      The new normal is to hold down shift while you reboot the system from the login screen's power icon. That'll bring up the startup option screen the same way F8 used to.

      1. ender says:

        How do you hold Shift on a keyboardless tablet? :)

        1. Jonathan says:

          You write shift on the screen.
          You swipe left.
          You shake the screen.
          Or none of the above.

    3. smf says:

      One simple trick to make F8 display the bootmenu in windows 10.

      https://www.windows10forums.com/articles/enable-f8-safe-mode-boot-menu.8/

      bcdedit /set {bootmgr} displaybootmenu yes

  6. You're not constrained. You can let the PC boot, then do a Shift+Restart at the login screen. If the PC has the shutdown option disabled, then rebooting three times isn't so hard to do for such an extraordinary situation.

    I guess the only thing I don't understand is why they didn't allow a user to just hold down F8 on the keyboard during boot and just check and see if the key is depressed during the boot process. Seems like an easy way to support the keypress even with a small interrupt window.

    1. Was a reply to Joshua's comment, and then fell out somehow. Hooray for front-end problems!

    2. Ari Pernick (MSFT) says:

      IIRC, some UEFI\BIOS's didn't bother enumerating USB in Win8 hiberboot boot path, and we really didn't want to make them pay the perf cost to do so (fast boot FTW). So even if we continued to look for F8, it would appear to only sometimes work (full reboots vs. hiberboot). We settled on having the new boot menu \ shift-power glyph as the normal path and the failed boot heuristic as a failsafe, both of which worked consistently.

      1. Klimax says:

        At least on Intel's mainboards it is configurable. When full FastBoot is enabled one can't get even into UEFI. (In fact, in many cases LCD won't turn-on before Windows Logo...)

  7. Azarien says:

    By the way, I really really like the "bootmenupolicy legacy" option so I can get rid of this graphical menu that takes ages to load only to reboot the machine because I selected something different than default.

  8. Harry Johnston says:

    It looks like this seriously breaks the usual security model for shared machines, e.g., in a teaching environment, and probably needs to be more widely disseminated. I'm thinking Slashdot, but if anyone else has any better ideas, please go ahead.

    (I figure you can solve the problem by deleting the C:\Recovery folder?)

    1. I think "bcdedit /set bootstatuspolicy ignorebootfailures" will do the trick.

      1. Harry Johnston says:

        Looks like either approach works. I'll probably do both. :-)

        (Might use IgnoreAllFailures rather than IgnoreBootFailures.)

        Thanks.
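
The mitigation discussed in this thread, as an added example (not part of the original post or its comments): a PowerShell check that reads `bcdedit /enum` output and flags machines whose `bootstatuspolicy` is not one of the two values the commenters propose. The function name, machine labels and sample listings are hypothetical, and the premise that these values suppress the failed-boot recovery path is the commenters' own, not verified here.

```powershell
# Added example: not from the original post or its comments.
function Get-BootStatusPolicyFinding {
    param(
        [Parameter(Mandatory)][string]$Name,   # label for the machine (hypothetical)
        # Real bcdedit output contains blank lines, so empty strings must bind.
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$BcdLines
    )

    # bcdedit prints one "name   value" pair per line; an element that was
    # never set is simply absent from the listing.
    $elements = @{}
    foreach ($line in $BcdLines) {
        if ($line -match '^(?<name>[a-z]+)\s+(?<value>\S.*)$') {
            $elements[$Matches['name']] = $Matches['value'].Trim()
        }
    }

    $policy = $elements['bootstatuspolicy']
    # Values proposed in the thread for suppressing the failed-boot path.
    $suppressing = 'IgnoreBootFailures', 'IgnoreAllFailures'

    [pscustomobject]@{
        Machine          = $Name
        BootStatusPolicy = if ($policy) { $policy } else { '(not set)' }
        NeedsReview      = $policy -notin $suppressing
    }
}

# Constructed bcdedit listings (abridged, not captured from real machines).
$labPc1 = @'
Windows Boot Loader
-------------------
identifier              {current}
description             Windows 10
bootmenupolicy          Standard
'@ -split '\r?\n'

$labPc2 = @'
Windows Boot Loader
-------------------
identifier              {current}
description             Windows 10
bootstatuspolicy        IgnoreAllFailures
'@ -split '\r?\n'

Get-BootStatusPolicyFinding -Name 'LAB-PC-1' -BcdLines $labPc1
Get-BootStatusPolicyFinding -Name 'LAB-PC-2' -BcdLines $labPc2

# On a live machine, from an elevated prompt:
# Get-BootStatusPolicyFinding -Name $env:COMPUTERNAME -BcdLines (bcdedit /enum '{current}')
```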

  9. nitrofurano says:

    easy solution: from GNU/Linux, just enter "sudo rm -rf /mnt/sda1/Windows" (of course the windoze partition must be mounted at sda1 before...)

    1. DWalker07 says:

      What's the purpose of calling it Windoze? Just to be rude? What do you gain by that?

      1. Beldantazar says:

        He's gotta show how much of an "elite" "edgy" linux "pro" "hacker" he is, obviously.

      2. Ray Koopa says:

        The same reason why some interesting people call a software company "Microshaft" or abbreviate it with "M$".

    2. smf says:

      "easy solution: from GNU/Linux, just enter “sudo rm -rf /mnt/sda1/Windows” (of course the windoze partition must be mounted at sda1 before…)"

      Now you have two problems. https://en.wikiquote.org/wiki/Jamie_Zawinski

      Linux has a place, but it's not a universal panacea like the zealots will have you believe.

  10. Wilczek says:

    I had an interesting case with a test/dev Surface Pro 3 some months ago running I think TH2 branch of Windows 10.
    I changed the password of the user while signed in via remote desktop. As a result: the old password of course no longer worked but the new one either. Now I could have reinstalled the whole thing, but setting up Win + VS etc. takes some time.
    So I booted the device using an installer media and using a recovery console I replaced sethc.exe with cmd.exe. Then I restarted the computer and on the login screen I pressed shift 5 times resulting in showing cmd with system privileges. So the magic was "net user ". And voila I could access my account again (and then I put back the original sethc.exe to its proper place). Of course I have to admit that bitlocker was off, otherwise this would have not worked. Just a hint if someone also faced this issue....

    1. smf says:

      You should be able to do it with bitlocker enabled too, as long as you typed in the recovery key.

      The main problem with bitlocker is that if you have admin access to the computer before you turn it off then you can just disable it. Most people still run with admin access.

  11. Stu says:

    I've never heard of this method.

    Can anyone clear-up which Windows versions this applies to, given this blog is around legacy versions of Windows? I've tested it on a Windows 7 PC but wasn't able to replicate this, either on real hardware or VM.

    1. Klimax says:

      Windows 8 and up

  12. Lars Viklund says:

    It took me a bit of confused reading to grok that the meaning of "reset" has changed from "restart the machine" to "soft pave the machine". I guess that this nomenclature appeared somewhere in Windows 10 or so?

    1. Erkin Alp Güney says:

      That other kind of reset is now ineffective due to complex initialisation procedures and will not fix underlying problem anyway.
      What is "hard pave"?
