A Windows XP help forum. PCbanter


Recovering Built-In Administrator Account Password



 
 
  #1  
Old September 12th 19, 04:54 PM posted to alt.comp.os.windows-10
Bill Bradshaw
external usenet poster
 
Posts: 282
Default Recovering Built-In Administrator Account Password

When I try to open the built-in administrator account Windows will no
longer accept my password. The prompt is correct and I have the password
saved in my password manager so I know I am entering the right password. Is
there any way to reset this password? Windows can drive me nuts.

Running Windows 10 Pro 1809; 17763.615.
--
Bill

Brought to you from Anchorage, Alaska


  #2  
Old September 12th 19, 05:36 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default Recovering Built-In Administrator Account Password

Bill Bradshaw wrote:

> Is there any way to reset this password?


https://pogostick.net/~pnh/ntpasswd
  #3  
Old September 12th 19, 05:46 PM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default Recovering Built-In Administrator Account Password

On Thu, 12 Sep 2019 07:54:54 -0800, "Bill Bradshaw" wrote:

> When I try to open the built-in administrator account Windows will no
> longer accept my password. The prompt is correct and I have the password
> saved in my password manager so I know I am entering the right password. Is
> there any way to reset this password? Windows can drive me nuts.
>
> Running Windows 10 Pro 1809; 17763.615.


Caps lock?

BTDT

  #4  
Old September 12th 19, 08:25 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Recovering Built-In Administrator Account Password

Bill Bradshaw wrote:

> When I try to open the built-in administrator account Windows will no
> longer accept my password. The prompt is correct and I have the password
> saved in my password manager so I know I am entering the right password. Is
> there any way to reset this password? Windows can drive me nuts.
>
> Running Windows 10 Pro 1809; 17763.615.


Is your normal Windows account also an administrator-level account; that
is, is your Windows account in the Administrators security group? If
so, use it to change the password on the Administrator account. Of
course, if you permit physical access to your computer and don't protect
your admin-level Windows accounts (by not using the screen saver, or
Win+L when you walk away, or don't require a password to login) then
anyone else could also change the password just like you.

A policy setting can lock out an account if the number of failed logins
exceeds a specified threshold. Has someone else had access to your
computer? How many times did you try and fail to login? Once a Windows
account is locked out, it will get unlocked after a while (also a policy
setting). I'm not sure about the lockout duration, but I think it is 30
minutes; however, since all policies are registry entries, it is
possible that an admin-level user (a person, a tweaker they used, or
malware) modified the lockout duration. In an elevated command prompt,
run:

net accounts

That will show the lockout threshold and duration. For me, they are
Never and 30 minutes. Although there is a "Maximum password age"
setting, it is not honored unless another setting enforces it. The
"Lockout observation window" must be equal to or shorter than the
"Lockout duration" setting.

https://docs.microsoft.com/en-us/win...lockout-policy
(That has sections for lockout threshold and duration.)

It's also possible the account got disabled. See:

https://www.windowscentral.com/how-t...unt-windows-10

Where it shows the disabled setting is also where you find the lockout
setting.
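
The lockout check described in this post, as an added example that is not part of the original thread: it parses `net accounts` output and tests the threshold, duration and observation-window relationship stated above. The function names are hypothetical, the parser assumes the English label text, and the sample lines are constructed (threshold and duration taken from the post, the observation window value assumed).

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Assumes the English labels printed by `net accounts`.

function ConvertFrom-NetAccounts {
    param([string[]]$Lines)

    $policy = [ordered]@{}
    foreach ($line in $Lines) {
        # "Label (unit):        value" -> key / value. Lines that are not
        # "label: value" pairs (blank lines, the completion message) are skipped.
        if ($line -match '^(?<key>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
    }
    $policy
}

function Test-LockoutPolicy {
    param([System.Collections.IDictionary]$Policy)

    $threshold = $Policy['Lockout threshold']
    $duration  = $Policy['Lockout duration (minutes)']
    $window    = $Policy['Lockout observation window (minutes)']
    $notes     = @()

    if ($threshold -eq 'Never') {
        # With no threshold, failed logons never trigger a lockout.
        $notes += 'Threshold is Never: failed logons do not lock local accounts.'
    } else {
        $notes += "Accounts lock after $threshold failed logons for $duration minute(s)."
    }

    # The observation window must be equal to or shorter than the duration.
    $d = 0; $w = 0
    if ([int]::TryParse($duration, [ref]$d) -and [int]::TryParse($window, [ref]$w)) {
        if ($w -gt $d) {
            $notes += "Observation window ($w min) is longer than lockout duration ($d min)."
        }
    }

    [pscustomobject]@{
        Threshold = $threshold
        Duration  = $duration
        Window    = $window
        Notes     = $notes
    }
}

# Constructed sample input.
$sample = @'
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
'@ -split "`r?`n"

Test-LockoutPolicy (ConvertFrom-NetAccounts $sample) | Format-List

# Against the live machine, from an elevated prompt:
# Test-LockoutPolicy (ConvertFrom-NetAccounts (net accounts)) | Format-List
```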
  #5  
Old September 12th 19, 08:50 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recovering Built-In Administrator Account Password

Bill Bradshaw wrote:
> When I try to open the built-in administrator account Windows will no
> longer accept my password. The prompt is correct and I have the password
> saved in my password manager so I know I am entering the right password. Is
> there any way to reset this password? Windows can drive me nuts.
>
> Running Windows 10 Pro 1809; 17763.615.


https://www.howtogeek.com/96630/how-...-the-easy-way/

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

What that does, is substitutes Command Prompt for some other
innocuous feature, a feature that works early in a session
after the desktop is ready to appear.

Another one might be OSK.exe (the on-screen keyboard).

https://www.myce.com/news/old-loopho...assword-78066/

"navigate to C:\Windows\System32, rename osk.exe
(the onscreen keyboard) to osk.old (placeholder name).

The next step is renaming cmd.exe to osk.exe which
replaces the onscreen keyboard functionality with
the command prompt.

The onscreen keyboard can then be selected in the
accessibility option in the Windows 10 login screen.
"

Note that *both* of the above recipes have poor hygiene.
You can rename the old executable, so as to not upset the
hard link copy in WinSXS. You can copy cmd.exe to take
the place of the old executable name. When finishing up
later, you delete the hack executable, then rename the
original file back to its original name. That way, you
won't lose the hard link. The network cable should be pulled,
because you don't want Windows Update running when you're
half way through the recipe :-/ That would be bad.

It would also be fun to use a tool on Kodi, and crack
the password, instead of merely replacing it. That's fun
if you have a good video card, and you have hours to days
to waste. If the password lacks mixed case, punctuation
and the like, it might crack rather rapidly. Even without
rainbow tables.

*******

The above applies to "local accounts". Breaking into
Microsoft Accounts (the MSA "email address" style
accounts), I don't think these methods are all that
helpful. I don't know what to do with those.

Being administrator is a pretty good deal - a person
who enables the built-in administrator, is just begging
for some "Kodi action". You shouldn't be turning that
on, in the first place. Having a single MSA account that
belongs to the administrator group, sounds just a bit
more secure (until a way can be figured to bust the MSA,
which would only be possible if a local copy is kept or
a token is kept that can be swiped).

Replacing a local password "leaves tracks", and someone
knows then, that the machine has been breached. Whereas
with the careful cracking methods (you don't replace the
password, you just know what the password is), nothing
is going to look out-of-place when they log in. Part of
the Kodi procedure, is getting the encrypted password
entry in a standard format, for the cracking tool to
munch on. Since the format is compact and post-able to
USENET, you could actually give the entry to someone
with a "cracker box", and they could feed you a few
letters as a hint :-)

Paul
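
A defender's check for the substitution described in the post above, as an added example that is not part of the original thread: it flags `sethc.exe` or `osk.exe` when the file content is identical to `cmd.exe`, and reports renamed leftovers such as `osk.old`. The function name is hypothetical and the file list is limited to the two programs the post names.

```powershell
# Added example, not from the thread. Function name is hypothetical.

function Test-AccessibilityBinarySwap {
    [CmdletBinding()]
    param(
        # Directory to inspect; defaults to the live System32 folder.
        [string]$System32 = (Join-Path $env:windir 'System32')
    )

    $targets = 'sethc.exe', 'osk.exe'      # the two files named in the post
    $cmdPath = Join-Path $System32 'cmd.exe'
    $cmdHash = (Get-FileHash -LiteralPath $cmdPath -Algorithm SHA256).Hash

    foreach ($name in $targets) {
        $path = Join-Path $System32 $name

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Finding = 'missing'; Detail = $path }
        } else {
            # Same hash as cmd.exe means the accessibility program has been
            # replaced by a command prompt that is reachable before sign-in.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($hash -eq $cmdHash) {
                [pscustomobject]@{ File = $name; Finding = 'content is cmd.exe'; Detail = $hash }
            }
        }

        # A renamed original (osk.old, sethc.bak, ...) shows the recipe was
        # started and possibly never undone.
        $base = [IO.Path]::GetFileNameWithoutExtension($name)
        Get-ChildItem -LiteralPath $System32 -Filter "$base.*" -File |
            Where-Object { $_.Name -ne $name } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $name
                    Finding = 'renamed copy present'
                    Detail  = $_.FullName
                }
            }
    }
}

$findings = @(Test-AccessibilityBinarySwap)
if ($findings.Count -eq 0) {
    'No substitution found.'
} else {
    $findings | Format-Table -AutoSize
}
```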
  #6  
Old September 13th 19, 05:41 PM posted to alt.comp.os.windows-10
Bill Bradshaw
external usenet poster
 
Posts: 282
Default Recovering Built-In Administrator Account Password

Even though I am replying to Paul this comment is for all. I have 2
accounts. One account is my local account of which I am the administrator.
I also have a 2nd account which is labeled Administrator. Is this
Administrator account referring to the Windows built-in administrator
account? I will probably be asking some basic questions while I try to
figure this out.

Bill


  #7  
Old September 13th 19, 06:31 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recovering Built-In Administrator Account Password

Did you do this?

net user administrator /active:yes

That enables the built-in administrator account.

*******

Windows doesn't like it when you remove all the administrator
capable accounts.

Whereas at the moment, you might have two of them. Which
is fine. Each can have its own password.

Bill (initial account, belongs to "administrators group")

Admin (built-in account) separate password

Jim (limited user, not a member of "administrators group")
(This user cannot install programs)

Some users run as "Jim", as if you were running
Firefox as a "limited user", the chances of machine-wide
exploits is slightly reduced.

For the rest of us, we'd run as "Bill", as we need to be
able to install programs, and it would be a PITA to keep
switching between the Jim and Bill accounts, just to
install a program once in a while.

I presume there is a good reason for enabling the Admin
account, but I haven't found a reason yet.

The belief in many people's minds, is that this is Windows 98,
and if only a powerful enough account were available, we
could smash everything in sight, and fix every problem
with immediate authority. Which really is not the case.
After a while, the Windows 98 crowd gets bored with
Windows 10, because it makes everything "hard to do".
So while there is a "natural attraction" to turning
on the Admin account, it's about as useful as a wet
paper bag.

wmic useraccount get name,sid

Name           SID
Administrator  S-1-5-21-3768549767-1934788099-1503758287-500
Mere User      S-1-5-21-3768549767-1934788099-1503758287-1000
Guest          S-1-5-21-3768549767-1934788099-1503758287-501

The real administrator is account 500.

The first user is account 1000.

I presume Guest is a limited user, but I've not used it
for anything.

A command such as

whoami /user /priv

will tell you what level you're at currently. This
is useful if you've been running psexec64, RunAsToken,
or similar commands, to impersonate another account,
and you want to check whether you've been successful.

You could run such a command from either the "Bill"
account, and then from the "Admin" account, and compare
the capabilities. On the Bill account, you would use
the "Run as Administrator" Command Prompt or Powershell
window, as part of the sequence, to see your "full
set of magical powers". Impersonation is the most
valuable permission (the ability to change accounts
and run as the SYSTEM account).

In this picture, go to the top and select "Download original image"
to get the image in sharper rendition. This compared
real admin, to "run as admin" "Bill".

https://s18.postimg.cc/wowci9o95/whoami_user_priv.png

Paul
  #8  
Old September 13th 19, 07:16 PM posted to alt.comp.os.windows-10
Neil
external usenet poster
 
Posts: 714
Default Recovering Built-In Administrator Account Password

On 9/13/2019 1:31 PM, Paul wrote:
[big snip]
> Windows doesn't like it when you remove all the administrator
> capable accounts.
>
> Whereas at the moment, you might have two of them. Which
> is fine. Each can have its own password
>
>   Bill (initial account, belongs to "administrators group")
>
>   Admin (built-in account)   separate password
>
>   Jim (limited user, not a member of "administrators group")
>       (This user cannot install programs)
>
> Some users run as "Jim", as if you were running
> Firefox as a "limited user", the chances of machine-wide
> exploits is slightly reduced.
>
> For the rest of us, we'd run as "Bill", as we need to be
> able to install programs, and it would be a PITA to keep
> switching between the Jim and Bill accounts, just to
> install a program once in a while.

It isn't necessary to be logged into an administrator account to install
programs. One just has to permit changes to the computer by entering the
administrative password when prompted. This process has been in place
since Vista.

--
best regards,

Neil
  #9  
Old September 13th 19, 08:12 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recovering Built-In Administrator Account Password

Neil wrote:
> On 9/13/2019 1:31 PM, Paul wrote:
> [big snip]
>> Windows doesn't like it when you remove all the administrator
>> capable accounts.
>>
>> Whereas at the moment, you might have two of them. Which
>> is fine. Each can have its own password
>>
>>   Bill (initial account, belongs to "administrators group")
>>
>>   Admin (built-in account)   separate password
>>
>>   Jim (limited user, not a member of "administrators group")
>>       (This user cannot install programs)
>>
>> Some users run as "Jim", as if you were running
>> Firefox as a "limited user", the chances of machine-wide
>> exploits is slightly reduced.
>>
>> For the rest of us, we'd run as "Bill", as we need to be
>> able to install programs, and it would be a PITA to keep
>> switching between the Jim and Bill accounts, just to
>> install a program once in a while.
>
> It isn't necessary to be logged into an administrator account to install
> programs. One just has to permit changes to the computer by entering the
> administrative password when prompted. This process has been in place
> since Vista.


For a Limited User account, that won't work.

If we didn't have that account type, how would Corporate
IT be able to annoy users by disabling their ability to
"do anything" ? That's what they use in Public School machines,
to make it (marginally harder) for the kids to hack the
machines. (My sister, a school teacher, had to phone the
IT guy to get anything done of that nature. Even she wasn't
given anything with admin privileges.)

Ask J.P. what he thinks of this, because I think his
account at work was locked down like that.

The first account you install, after installing Windows 10,
belongs to the Administrator Group, and that's where your
capabilities stem from. Adding any additional accounts, you
have to decide whether they should belong to any groups
or not. For example, a user who only does backups for you,
can belong to the "Backup Group". And the Backup Group
would not have general Administrator capabilities.

Since it would be easy for someone to use lusrmgr to
modify the groups the accounts use, you could with
a bit of effort, remove the administrator group from
any and all accounts. And that's why Windows is easy to
break into, so it's less difficult for someone to
correct a change of that nature.

How do you fix a machine that has only an MSA ?
Dunno. Not a clue. You could try the sethc or osk
hacks, but I don't know whether the password change
command can reset a password for an account like that.
You would be logged in as some sort of administrator,
but I don't know what your best option would be
past that point. You might be able to create an
account so you could still use the computer. Maybe
that much would work.

Paul
  #10  
Old September 13th 19, 11:02 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Recovering Built-In Administrator Account Password

Bill Bradshaw wrote:

> I have 2 accounts. One account is my local account of which I am the
> administrator. I also have a 2nd account which is labeled
> Administrator. Is this Administrator account referring to the
> Windows built-in administrator account?


Yes, Administrator is the default or install-time primary admin-level
Windows account. However, it is possible to rename accounts, even the
Administrator account, so the Administrator account could get renamed to
WannaSuckLemons and a MysteryUser named account could be renamed to
Administrator. However, you said you only have 2 accounts, and
presumably your normal admin-level account is not WannaSuckLemons or
MysteryUser.

https://www.thewindowsclub.com/renam...ccount-windows
https://support.microsoft.com/en-us/...dows-server-20

I know some paranoid users have renamed Administrator to something else,
like LocalAdmin or Yagermeister (Jägermeister), and even the Guest
account to deter hacking. I'm not sure that actually helps with
security since it's possible to get a list of all Windows accounts from
any admin-level account or even with a quiescent OS by booting with a
different OS. You don't even need to know the account's name. The
Administrator account has the same SID (Security ID) in every instance
of Windows; see:

https://www.lifewire.com/what-is-an-sid-number-2626005
https://docs.microsoft.com/en-us/win...ell-known-sids
https://support.microsoft.com/en-us/...rating-systems

The Administrator account has a SID of S-1-5-21domain-500. That
doesn't mean you can see it when inside a running instance of Windows
and using regedit.exe to look at the HKU hive, because Windows will hide
that key (even after using "net user administrator /active:yes"). That
doesn't stop reading the registry files of a quiescent OS (not running
nor even loaded) by another OS that you boot instead.

Since you ARE able to login to your own admin-level Windows account
(i.e., your Windows account is in the Administrators security group),
have you even tried to use that account to change the password on the
Administrator account?
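
One way to apply the SID point above, as an added example that is not part of the original thread: it finds the built-in Administrator by its RID of 500 whatever the account is currently called, and lists the other members of the Administrators group that could reset its password. It assumes Windows 10 with the LocalAccounts cmdlets and an English install (default name "Administrator"); the function name is hypothetical.

```powershell
# Added example, not from the thread. Function name is hypothetical.

function Get-BuiltinAdminReport {
    # RID 500 under the machine's own S-1-5-21-... prefix is the built-in
    # Administrator, even after a rename.
    $builtin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $others = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -ne $builtin.SID.Value }

    [pscustomobject]@{
        CurrentName     = $builtin.Name
        # Assumption: an English install, where the default name is "Administrator".
        Renamed         = $builtin.Name -ne 'Administrator'
        Sid             = $builtin.SID.Value
        Enabled         = $builtin.Enabled
        PasswordLastSet = $builtin.PasswordLastSet
        LastLogon       = $builtin.LastLogon
        OtherAdmins     = @($others | ForEach-Object { $_.Name })
    }
}

$report = Get-BuiltinAdminReport
$report | Format-List

if ($report.Enabled) {
    "Built-in Administrator ($($report.CurrentName)) is enabled."
    if ($report.OtherAdmins.Count -gt 0) {
        'Its password can be reset from: ' + ($report.OtherAdmins -join ', ')
    }
} else {
    'Built-in Administrator is disabled and will not appear on the sign-in screen.'
}
```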
  #11  
Old September 13th 19, 11:07 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Recovering Built-In Administrator Account Password

VanguardLH wrote:

> Since you ARE able to login to your own admin-level Windows account
> (i.e., your Windows account is in the Administrators security group),
> have you even tried to use that account to change the password on the
> Administrator account?


Don't bother trying to use the crappy Settings app for user account
management. It sucks. Either run "control.exe userpasswords2" or run
"control.exe" and navigate to User Accounts - User Accounts - Manage
another account, select Administrator, and create a password.

Note: You must've already run "net user administrator /active:yes" in an
elevated command shell to have Administrator listed.
  #12  
Old September 14th 19, 11:03 AM posted to alt.comp.os.windows-10
Neil
external usenet poster
 
Posts: 714
Default Recovering Built-In Administrator Account Password

On 9/13/2019 3:12 PM, Paul wrote:
> Neil wrote:
>> On 9/13/2019 1:31 PM, Paul wrote:
>> [big snip]
>>> Windows doesn't like it when you remove all the administrator
>>> capable accounts.
>>>
>>> Whereas at the moment, you might have two of them. Which
>>> is fine. Each can have its own password
>>>
>>>   Bill (initial account, belongs to "administrators group")
>>>
>>>   Admin (built-in account)   separate password
>>>
>>>   Jim (limited user, not a member of "administrators group")
>>>       (This user cannot install programs)
>>>
>>> Some users run as "Jim", as if you were running
>>> Firefox as a "limited user", the chances of machine-wide
>>> exploits is slightly reduced.
>>>
>>> For the rest of us, we'd run as "Bill", as we need to be
>>> able to install programs, and it would be a PITA to keep
>>> switching between the Jim and Bill accounts, just to
>>> install a program once in a while.
>>
>> It isn't necessary to be logged into an administrator account to
>> install programs. One just has to permit changes to the computer by
>> entering the administrative password when prompted. This process has
>> been in place since Vista.
>
> For a Limited User account, that won't work.

I'm not sure what you are referring to as a "limited user", but it works
fine for me when I'm logged in to a non-administrative account, and has
done so on every machine I have running Windows since Vista.

--
best regards,

Neil
  #13  
Old September 14th 19, 07:17 PM posted to alt.comp.os.windows-10
Bill Bradshaw
external usenet poster
 
Posts: 282
Default Recovering Built-In Administrator Account Password

At some point I must have used net user to activate the administrator account and
then I forgot to deactivate it. So I deactivated and the administrator
account disappeared. So the question is when you use "net user
administrator /activate:yes" is that activating the built-in administrator?
So if you activate this account it shows up in the "Switch user" list. If
you select it from the user list it asks for a password. Why would it want
a password if you have already activated it using "net user?" My main
account is setup as local and does not prompt for a password and is also an
administrator account.

Is the administrator account opened using "net user" also a stored
identity?

whoami /user /priv

USER INFORMATION
----------------

User Name                 SID
========================= ==============================================
samsung-bill\samsung bill S-1-5-21-1356860141-3189260577-1052793827-1001

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeLockMemoryPrivilege                     Lock pages in memory                                               Disabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

wmic useraccount get name,sid

Name SID
Administrator S-1-5-21-1356860141-3189260577-1052793827-500
DefaultAccount S-1-5-21-1356860141-3189260577-1052793827-503
defaultuser0 S-1-5-21-1356860141-3189260577-1052793827-1000
Guest S-1-5-21-1356860141-3189260577-1052793827-501
Samsung Bill S-1-5-21-1356860141-3189260577-1052793827-1001
WDAGUtilityAccount S-1-5-21-1356860141-3189260577-1052793827-504

I am basically to a point where I am trying to understand this. I keep the
computer backed up and it works fine.

Bill







  #14  
Old September 14th 19, 07:28 PM posted to alt.comp.os.windows-10
Bill Bradshaw
external usenet poster
 
Posts: 282
Default Recovering Built-In Administrator Account Password

VanguardLH wrote:
VanguardLH wrote:

Since you ARE able to login to your own admin-level Windows account
(i.e., your Windows account is in the Administrators security group),
have you even tried to use that account to change the password on the
Administrator account?


Don't bother trying to use the crappy Settings app for user account
management. It sucks. Either run "control.exe userpasswords2" or run
"control.exe" and navigate to User Accounts - User Accounts - Manage
another account, select Administrator, and create a password.

Note: You must've already run "net user administrator /active:yes" in
an elevated command shell to have Administrator listed.


I did and when I was done I should have run it with "/active:no" and I would
not have had all this confusion.

Bill


  #15  
Old September 14th 19, 08:19 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Recovering Built-In Administrator Account Password

Bill Bradshaw wrote:
Paul wrote:
Bill Bradshaw wrote:
Paul wrote:
Bill Bradshaw wrote:
When I try to open the built-in administrator account Windows will
no longer accept my password. The prompt is correct and I have
the password saved in my password manager so I know I am entering
the right password. Is there any way to reset this password? Windows
can drive me nuts. Running Windows 10 Pro 1809; 17763.615.
https://www.howtogeek.com/96630/how-...-the-easy-way/

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

What that does, is substitutes Command Prompt for some other
innocuous feature, a feature that works early in a session
after the desktop is ready to appear.

Another one might be OSK.exe (the on-screen keyboard).

https://www.myce.com/news/old-loopho...assword-78066/

"navigate to C:\Windows\System32, rename osk.exe
(the onscreen keyboard) to osk.old (placeholder name).

The next step is renaming cmd.exe to osk.exe which
replaces the onscreen keyboard functionality with
the command prompt.

The onscreen keyboard can then be selected in the
accessibility option in the Windows 10 login screen.
"

Note that *both* of the above recipes have poor hygiene.
You can rename the old executable, so as to not upset the
hard link copy in WinSXS. You can copy cmd.exe to take
the place of the old executable name. When finishing up
later, you delete the hack executable, then rename the
original file back to its original name. That way, you
won't lose the hard link. The network cable should be pulled,
because you don't want Windows Update running when you're
half way through the recipe :-/ That would be bad.

It would also be fun to use a tool on Kodi, and crack
the password, instead of merely replacing it. That's fun
if you have a good video card, and you have hours to days
to waste. If the password lacks mixed case, punctuation
and the like, it might crack rather rapidly. Even without
rainbow tables.

*******

The above applies to "local accounts". Breaking into
Microsoft Accounts (the MSA "email address" style
accounts), I don't think these methods are all that
helpful. I don't know what to do with those.

Being administrator is a pretty good deal - a person
who enables the built-in administrator, is just begging
for some "Kodi action". You shouldn't be turning that
on, in the first place. Having a single MSA account that
belongs to the administrator group, sounds just a bit
more secure (until a way can be figured to bust the MSA,
which would only be possible if a local copy is kept or
a token is kept that can be swiped).

Replacing a local password "leaves tracks", and someone
knows then, that the machine has been breached. Whereas
with the careful cracking methods (you don't replace the
password, you just know what the password is), nothing
is going to look out-of-place when they log in. Part of
the Kodi procedure, is getting the encrypted password
entry in a standard format, for the cracking tool to
munch on. Since the format is compact and post-able to
USENET, you could actually give the entry to someone
with a "cracker box", and they could feed you a few
letters as a hint :-)

Paul
Even though I am replying to Paul this comment is for all. I have 2
accounts. One account is my local account of which I am the
administrator. I also have a 2nd account which is labeled
Administrator. Is this Administrator account referring to the
Windows built-in administrator account? I will probably be asking
some basic questions while I try to figure this out.

Bill

Did you do this ?

net user administrator /active:yes

That enables the built-in administrator account.

*******

Windows doesn't like it when you remove all the administrator
capable accounts.

Whereas at the moment, you might have two of them. Which
is fine. Each can have its own password

Bill (initial account, belongs to "administrators group")

Admin (built-in account) separate password

Jim (limited user, not a member of "administrators group")
(This user cannot install programs)

Some users run as "Jim", as if you were running
Firefox as a "limited user", the chances of machine-wide
exploits is slightly reduced.

For the rest of us, we'd run as "Bill", as we need to be
able to install programs, and it would be a PITA to keep
switching between the Jim and Bill accounts, just to
install a program once in a while.

I presume there is a good reason for enabling the Admin
account, but I haven't found a reason yet.

The belief on many people's minds, is that this is Windows 98,
and if only a powerful enough account were available, we
could smash everything in sight, and fix every problem
with immediate authority. Which really is not the case.
After a while, the Windows 98 crowd gets bored with
Windows 10, because it makes everything "hard to do".
So while there is a "natural attraction" to turning
on the Admin account, it's about as useful as a wet
paper bag.

wmic useraccount get name,sid

Name SID
Administrator S-1-5-21-3768549767-1934788099-1503758287-500
Mere User S-1-5-21-3768549767-1934788099-1503758287-1000
Guest S-1-5-21-3768549767-1934788099-1503758287-501

The real administrator is account 500.

The first user is account 1000.

I presume Guest is a limited user, but I've not used it
for anything.

A command such as

whoami /user /priv

will tell you what level you're at currently. This
is useful if you've been running psexec64, RunAsToken,
or similar commands, to impersonate another account,
and you want to check whether you've been successful.

You could run such a command from either the "Bill"
account, and then from the "Admin" account, and compare
the capabilities. On the Bill account, you would use
the "Run as Administrator" Command Prompt or Powershell
window, as part of the sequence, to see your "full
set of magical powers". Impersonation is the most
valuable permission (the ability to change accounts
and run as the SYSTEM account).

In this picture, go to the top and select "Download original image"
to get the image in sharper rendition. This compared
real admin, to "run as admin" "Bill".

https://s18.postimg.cc/wowci9o95/whoami_user_priv.png

Paul


At some point I must have used net user to activate the administrator account and
then I forgot to deactivate it. So I deactivated and the administrator
account disappeared. So the question is when you use "net user
administrator /activate:yes" is that activating the built-in administrator?
So if you activate this account it shows up in the "Switch user" list. If
you select it from the user list it asks for a password. Why would it want
a password if you have already activated it using "net user?" My main
account is setup as local and does not prompt for a password and is also an
administrator account.

Is the administrator account opened using "net user" also a stored
identity?

whoami /user /priv

USER INFORMATION
----------------

User Name                 SID
========================= ==============================================
samsung-bill\samsung bill S-1-5-21-1356860141-3189260577-1052793827-1001

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeLockMemoryPrivilege                     Lock pages in memory                                               Disabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Disabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled

wmic useraccount get name,sid

Name SID
Administrator S-1-5-21-1356860141-3189260577-1052793827-500
DefaultAccount S-1-5-21-1356860141-3189260577-1052793827-503
defaultuser0 S-1-5-21-1356860141-3189260577-1052793827-1000
Guest S-1-5-21-1356860141-3189260577-1052793827-501
Samsung Bill S-1-5-21-1356860141-3189260577-1052793827-1001
WDAGUtilityAccount S-1-5-21-1356860141-3189260577-1052793827-504

I am basically to a point where I am trying to understand this. I keep the
computer backed up and it works fine.

Bill


It's possible then, that you never assigned a password to the
"administrator" account.

https://support.microsoft.com/en-ca/...-windows-vista

net user administrator /active:yes

net user administrator mywhizzynewpassword

Disabling administrator, should remove it from the login choices at startup.

*******

You'll find all sorts of useless advice on passwords.

https://www.lifewire.com/how-do-i-fi...ssword-2626064

At the bottom of the page, I notice one user is
wearing a ballcap. That'll need extra tinfoil if
he expects to discover the value of the password :-)
I don't think the ballcap has sufficient mental
concentration powers, to crack the password all
by itself.

If you just activated the account, the password could
still be blank. I wonder how long it would take a
tool on Kodi to crack that ?

You have two user accounts, 1000 and 1001. You would want
to use the Accounts panel to check that at least one
of those belongs to the Administrators Group.

To activate the administrator account in the first place,
probably requires logging in with an account belonging
to the Administrator Group.

Paul
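
The checks discussed in the posts above, as an added example that is not part of any poster's message: a read-only PowerShell audit that identifies the built-in Administrator by RID 500, shows whether it is enabled and which accounts are in the Administrators group, and confirms that sethc.exe and osk.exe were not left replaced by cmd.exe. It assumes 64-bit Windows PowerShell 5.1 with the LocalAccounts cmdlets that ship with Windows 10; the variable names and the '*.old' leftover check are choices made for this example.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.

# --- 1. Local accounts: which one is the built-in Administrator? -----------
# The built-in account is identified by RID 500 (the last part of its SID),
# not by its display name.
$wellKnown = @{ 500 = 'Built-in Administrator'; 501 = 'Guest'
                503 = 'DefaultAccount';         504 = 'WDAGUtilityAccount' }

# Members of the local Administrators group, looked up by its fixed SID.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
             ForEach-Object { $_.SID.Value }

$accounts = Get-LocalUser | ForEach-Object {
    $rid = [int](($_.SID.Value -split '-')[-1])
    [pscustomobject]@{
        Name             = $_.Name
        RID              = $rid
        Role             = if ($wellKnown.ContainsKey($rid)) { $wellKnown[$rid] } else { 'User-created' }
        Enabled          = $_.Enabled
        InAdministrators = $adminSids -contains $_.SID.Value
        PasswordLastSet  = $_.PasswordLastSet   # empty usually means never assigned
    }
}
$accounts | Sort-Object RID | Format-Table -AutoSize

$builtin = $accounts | Where-Object RID -eq 500
if ($builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is enabled and offered at sign-in."
    if (-not $builtin.PasswordLastSet) {
        Write-Warning 'No password-set date is recorded for it.'
    }
}

# --- 2. Accessibility programs named in the thread: still the originals? ---
$sys32   = Join-Path $env:SystemRoot 'System32'
$cmdHash = (Get-FileHash -LiteralPath (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
foreach ($name in 'sethc.exe', 'osk.exe') {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name is missing from System32."
    } elseif ((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash -eq $cmdHash) {
        Write-Warning "$name is byte-identical to cmd.exe (the swap was never undone)."
    } else {
        "$name differs from cmd.exe"
    }
}

# Renamed originals left behind, such as the 'osk.old' placeholder name.
Get-ChildItem -LiteralPath $sys32 -Filter '*.old' -File |
    Select-Object Name, Length, LastWriteTime
```

A warning from section 2 means the sign-in screen still launches a command prompt; restore the original file before reconnecting the machine to the network.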
 



