Taking control of one's own machine

Not being administrator on one's own Windows-based PC or laptop is a real shame. It prevents the installation of most software programs, and some settings are not accessible. This issue is most commonly caused by system administrators in need of a power trip, but it can also happen on a home computer configured for multiple users. One runs day to day on a user account and sometimes, less and less often, switches to an administrator account to install software. The inevitable then happens: the administrator password is forgotten.

The simplest solution in this case is to wipe the computer and reinstall Windows, but two years ago I needed to do better than that. This post describes what happened and what I did to get around the issue. Anyone trying this should be careful and be aware that it could cause trouble, especially if the gained privileges are misused afterwards. I only gained administrative privileges on a testing ultrabook. That couldn't and didn't grant me any permission on other systems.

A new but limited ultrabook

On Friday, April 26, 2013, I got a new Windows 8 ultrabook at my workplace. Officially it was there to test a Windows-based virtual assistant we were developing at that time, but that machine could do more: temporarily replace my official work laptop, which was becoming too sluggish. Replacement of the old laptop was delayed for procedural reasons. I knew I could install my stuff on the ultrabook without disturbing the virtual assistant application, so the ultrabook could perform both functions.

The Monday after, I was heading to the Burlington office of my company to provide technical support for people there. I wanted to bring that new ultrabook with me, so I needed to install a couple of programs on it before leaving. Unfortunately, I quickly noticed (Friday at the end of the day or during the weekend, I don't remember) that I couldn't install the JDK on the machine because I was not an administrator. I wasn't sure I would be able to get IT to grant me administrative privileges by Monday just before leaving, and I wanted to get some stuff installed before Monday.

Feeling a bit cowboy, I wanted to hack my way around this issue. Not being administrator on my corporate laptop is a concern for me. At my current workplace this is not an issue, but I heard it is a problem in other companies. Having a last-resort way out seemed useful to me. I found this way, and it leaves almost no traces if everything goes well. Keep in mind this impacts just the hacked computer, nothing else on the network.

Shutting down Windows 8 properly

The main idea of my strategy was to boot the ultrabook into Linux, mount the Windows partition and hack the registry to do something about the unknown administrator password. For this, Windows 8 has to be shut down properly. There is a new feature called hybrid startup that makes the shutdown unclean (the file system is left in a hibernated state) and prevents Linux from mounting the Windows partition read-write. Fortunately, this can be worked around by cleanly shutting down the PC. The simplest way is to start a command prompt (Windows key + R, then cmd) and type shutdown /s /t 0. Two years ago, I also found out I could hold the Shift key while clicking on the Shutdown button, but I'm not sure this works anymore.

Booting Linux

Then I needed to boot into Linux. The simplest solution is to use Offline NT Password & Registry Editor, but it was not compatible with UEFI at that time, and I wasn't sure I would be able to perform a non-UEFI boot on this Dell XPS 13 ultrabook. Moreover, I cannot find the download for the tool anymore. It seems that we now have to email the author to get the hidden link. I find this quite a bad practice, and when that happens I tend to look elsewhere.

I thus tried to boot Ubuntu, and I had to do it from a USB key because there is no CD/DVD drive in the XPS 13. I don't remember exactly how I got the Live USB key. I probably used the Live CD/DVD/USB Creator tool built into Ubuntu, but other pages such as this one give clues about how to create it from Windows.

I then had to modify the BIOS/UEFI settings of the ultrabook to alter the boot priority. If I remember correctly, I had to hit F2 while the XPS 13 boots, before Windows starts of course. I managed to get the ultrabook to boot the USB stick in UEFI mode, but that crashed right after boot. I thus had to enable legacy boot and then boot the USB key in MBR, non-UEFI mode.

chntpw

After I successfully booted into the Ubuntu Live USB, I started a terminal and entered sudo apt-get install chntpw. This installed the Offline NT Password & Registry Editor tool. I just tested this while writing this post on an Ubuntu 15.04 box, and it still works!

After the tool was installed, I of course started it: sudo chntpw. I followed the instructions. I was offered the opportunity to reset the administrator password, but I didn't like this, because I would not be able to restore the ultrabook to its original state: my hack would leave a trace. I found a better option: activate the hidden built-in Administrator account, which is disabled by default! After this was done, I rebooted into Windows and was able to log in as Administrator.

I don't remember whether I absolutely had to restore the UEFI settings and disable legacy boot in order for Windows 8 to boot again, but I did it so that my intervention would be as clean and traceless as possible. At worst, I would have obtained an error message when attempting to boot without the USB key and would have had to alter the boot priority and/or disable legacy boot: no harm done to Windows.

One step further

The problem was solved, but I wanted to go one step further: transfer the gained administrative privileges to my regular user account! For this, while logged in as the local Administrator, I had to access Control Panel, then Administrative settings, then Local users and groups. Unfortunately and very shockingly, this option has been completely hidden away in Windows 10: you once again have to search on Google and figure out that you need to press the Windows + R keys to open the Run dialog, type lusrmgr.msc, and click/tap OK. I hope one day Microsoft will understand that this is a very bad and frustrating practice that will make many power users, including me if I could, migrate to Mac OS X.

I then selected Groups, double-clicked on Administrators and clicked Add to add a member. The system offered me a dialog box to type the user name to add, but Windows was unable to find my user name of the form <company name>\<user name>.

I don't know how I thought about it, but I figured out that Windows would need to access my company's Active Directory service to resolve user names to IDs. Since I was at home, I needed to establish a VPN connection. I thus installed the Cisco VPN client on the ultrabook (I would need it anyway afterwards), then was able to add my user account to the local Administrators group. I don't know exactly how I got the VPN client: maybe I had a copy lying around on my main computer for obscure reasons, maybe I turned on my main corporate laptop to download it, I don't remember. I was also able to hook up to the VPN from Ubuntu without a tool downloadable only from my company's Intranet. But I got VPN and that worked.

After I did that, I logged back in as my regular user, was able to install the JDK without any issue, then went back into Local Users and Groups, selected Users, double-clicked on Administrator and disabled the account. That closed the back door I used to gain administrative privileges, without taking away my new rights.
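From the defender's side, the sequence above leaves a recognisable trail in the Windows Security log, and the chntpw step is the odd part: because it happens offline, Windows never writes a 4722 ("account enabled") for the built-in Administrator, yet a 4624 logon by that RID-500 account, a 4732 adding a member to the local Administrators group, and a 4725 disabling it again all follow. The Python checker below is an added example, not code from the original post; it assumes the events have already been parsed into dicts with the listed keys, and the sample records (including the machine SID prefix) are constructed.

```python
# Added example (not from the original post): spot the trail this technique leaves in
# the Windows Security log. The chntpw step happens offline, so Windows never writes a
# 4722 ("account enabled") for the built-in Administrator; what shows up afterwards is a
# 4624 logon by the RID-500 account, a 4732 where that account adds a member to the local
# Administrators group (SID S-1-5-32-544), and a 4725 disabling RID 500 again.
# The event records below are constructed for this example, not real log data.

ADMINS_GROUP_SID = "S-1-5-32-544"

def is_builtin_admin(sid):
    """The built-in Administrator always has RID 500, even if the account is renamed."""
    return sid.rsplit("-", 1)[-1] == "500"

def find_offline_admin_activation(events):
    """Return human-readable findings for the sequence described above.

    `events` is a chronological list of dicts with keys: time, id, and the
    SIDs/names relevant to that event id (target_sid, subject_sid, group_sid, member).
    """
    findings = []
    # A legitimate enable done from Windows leaves a 4722; its absence is the tell.
    enabled_in_windows = any(
        e["id"] == 4722 and is_builtin_admin(e.get("target_sid", "")) for e in events
    )
    for e in events:
        if e["id"] == 4624 and is_builtin_admin(e.get("target_sid", "")):
            if not enabled_in_windows:
                findings.append(f"{e['time']}: RID-500 logon with no prior 4722 (enabled offline?)")
        elif (e["id"] == 4732 and e.get("group_sid") == ADMINS_GROUP_SID
              and is_builtin_admin(e.get("subject_sid", ""))):
            findings.append(f"{e['time']}: RID-500 added {e['member']} to local Administrators")
        elif e["id"] == 4725 and is_builtin_admin(e.get("target_sid", "")):
            findings.append(f"{e['time']}: built-in Administrator disabled again (cleanup)")
    return findings

# Constructed sample: the machine SID prefix S-1-5-21-1111-2222-3333 is made up.
SAMPLE_EVENTS = [
    {"time": "2013-04-27T21:02:10", "id": 4624, "target_sid": "S-1-5-21-1111-2222-3333-500"},
    {"time": "2013-04-27T21:05:41", "id": 4732, "subject_sid": "S-1-5-21-1111-2222-3333-500",
     "group_sid": ADMINS_GROUP_SID, "member": "COMPANY\\jdoe"},
    {"time": "2013-04-27T21:09:03", "id": 4624, "target_sid": "S-1-5-21-1111-2222-3333-1001"},
    {"time": "2013-04-27T21:15:27", "id": 4725, "target_sid": "S-1-5-21-1111-2222-3333-500"},
]

if __name__ == "__main__":
    for line in find_offline_admin_activation(SAMPLE_EVENTS):
        print(line)
```

On a real host the same logic applies to records exported from the Security log; the RID-500 check matters because the built-in account keeps that RID even when renamed.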

Will this always work?

No. Unfortunately, I can imagine ways to prevent this trick from working. The easiest is to set a password protecting access to the BIOS settings. Not being able to modify the BIOS settings makes it impossible to alter the boot priority. With that enforced, the only workaround would be to remove the SSD from the machine, install it in another computer running Ubuntu and run chntpw, making sure it works on the SSD and not on a potential main Windows install in dual boot on the Ubuntu box! Removing an SSD from a laptop or ultrabook is sometimes a risky operation and sometimes requires disassembling the keyboard, memory modules, casing, etc. I am not sure I would have attempted it.

Of course, the latter workaround miserably fails if the disk is encrypted, e.g., with Symantec's PGP Whole Disk Encryption. One possible workaround may be to get the SSD out again and install it in an Ubuntu box itself running Symantec's PGP; if the encrypted drive's password is known, maybe it is enough to decrypt the drive and mount it, allowing chntpw to work on it. It could also happen that the encryption key is derived from the user's password and a hash of the computer's hardware information. In that case, it could be quite hard to work around the protection. One possibility, if the BIOS is not password-protected, may be to boot into a Live USB Ubuntu, install the encryption tool and try to decrypt the drive on the local computer itself.