Hack a Windows 7/8/10 admin account password with Windows magnifier
This exploit takes advantage of the Ease of Access tool on the login page by ‘tricking’ Windows into launching a fully privileged command prompt when you select ‘Make items on the screen larger – Magnifier’. Using this method, you can reset an admin account password just by having physical access to the computer.
Disclaimer: This is for use on a PC that you own. Breaking into someone else’s PC is considered a serious crime in most places. If you make a mistake or change something else, your Windows installation may become unbootable. If so, just undo whatever you changed outside of the hack shown here, and it will go back to normal. Need I say this is for Educational Purposes! You are responsible for your own thoughts and actions.
1. Launch any OS that allows full access to the file system
Here you can use many different Linux distros or even a Windows disk/USB; as long as you can access the terminal/command prompt, you’re good. In this case, we are going to use the Kali Linux distro. Insert the CD/DVD into the drive and reboot the machine. Start your Live DVD. You may need to go into the BIOS screen and change the boot order to CD/DVD drive first, HDD second.
2. Navigate to Sys32
Using the file browser in your Linux environment, navigate to %windir%/system32/. You may have to right-click and mount the Windows partition/drive first, or use the NTFS-3G command.
3. Rename Magnify.exe
Find and rename magnify.exe (Magnifier file) to magnify.old.
mv magnify.exe magnify.old
4. Rename cmd.exe
Find and rename cmd.exe to magnify.exe.
mv cmd.exe magnify.exe
5. Shut Down Linux & Reboot Windows
Log out and reboot, remove CD/DVD/USB, and restart into Windows.
6. Get CMD Prompt & Modify Accounts
When Windows reboots, click on the Ease of Access button in the bottom left corner.
Click the second selection, “Make items on the screen larger (Magnifier)”, and hit Apply.
The command prompt should now be in front of you. You now have a system-level command prompt. This is where you can change the admin password and make any modification to the system using administrator privileges.
Tip: Inside Windows, you can right-click cmd.exe and click “Run as administrator” for escalated privileges. This lets you edit files that would never be allowed at basic admin level (caution). The same goes for any app in Windows: right-click and make the magic happen.
Change Password:
net user username new_password
Tip: when you do so, the password changes without prompting you again.
Add an account:
net user username password /add
Tip: If your username has a space, like John Doe, use quotes like "John Doe".
Admin that:
net localgroup administrators username /add
Delete that:
net user username /delete
Remote Desktop Users Group:
net localgroup "Remote Desktop Users" username /add
Net User Syntax Reference:
net user commands, net user for domain
7. Revert all changes
Now you should insert your Linux Live CD/DVD/USB and rename the files back to the original names.
- Repeat Step 1
- Repeat Step 2
- Rename magnify.exe back to cmd.exe
- Rename magnify.old back to magnify.exe
- Log out, take out the CD/DVD/USB, reboot into Windows
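A defender-side check for the file swap in steps 3 and 4, added here as an example and not part of the original article: it inspects an offline-mounted System32 directory for a leftover magnify.old, a missing cmd.exe, and a magnify.exe whose version resource identifies it as the command interpreter. The function names, the constructed sample files and the "Cmd.Exe" OriginalFilename value are assumptions of this example.

```python
import os
import sys
import tempfile

KEY = "OriginalFilename".encode("utf-16-le")  # version-resource strings are UTF-16LE

def find_ci(directory, name):
    """Case-insensitive lookup; NTFS mounted on Linux is case-sensitive."""
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None

def original_filename(path):
    """Return the lower-cased OriginalFilename version string, or '' if absent."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(KEY)
    if pos < 0:
        return ""
    raw = data[pos + len(KEY):pos + len(KEY) + 64]
    text = raw.decode("utf-16-le", errors="ignore").lstrip("\x00")
    return text.split("\x00", 1)[0].lower()

def check_magnifier_swap(system32):
    """List the traces that steps 3 and 4 leave in a System32 directory."""
    findings = []
    if find_ci(system32, "magnify.old"):
        findings.append("magnify.old present")
    if not find_ci(system32, "cmd.exe"):
        findings.append("cmd.exe missing")
    magnify = find_ci(system32, "magnify.exe")
    # Assumption: cmd.exe's version resource names itself "Cmd.Exe".
    if magnify and original_filename(magnify).startswith("cmd.exe"):
        findings.append("magnify.exe is a renamed cmd.exe")
    return findings

def build_sample(swapped):
    """Constructed stand-in for System32 (fake files, not real binaries)."""
    d = tempfile.mkdtemp()
    names = ["magnify.old", "magnify.exe"] if swapped else ["Magnify.exe", "cmd.exe"]
    origs = ["Magnifier.Sample", "Cmd.Exe"]  # constructed values
    for name, orig in zip(names, origs):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"MZ" + KEY + b"\x00\x00" + orig.encode("utf-16-le") + b"\x00\x00")
    return d

if __name__ == "__main__":
    print(check_magnifier_swap(sys.argv[1] if len(sys.argv) > 1 else build_sample(True)))
```

Run it from the live environment with the mounted System32 path as its argument. Once step 7 has been carried out these file traces are gone, so account changes made in step 6 have to be reviewed separately.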
Recommended resources
Kali Linux
Create Live USB Sticks Rufus
Conclusion
Well, that was how you hack a Windows 7/8/2008/10 administrator account password with Windows Magnifier. This also demonstrates how you could pwn a machine, if you think about it some, when you have hands-on access and they have not disabled Ease of Access (EoA). Hope it helps you in some way.
source: https://null-byte.wonderhowto.com, https://thehacktoday.com