Recently, someone asked me to help them log into their Windows 10 account after they forgot their password.
The user’s account was the only account on the system and had administrator privileges.
It was a local account protected by a password, with no secondary PIN or biometric access options set up.
The account was set up specifically as a local account, making it impossible to reset the password online. After ruling out system repair and restore options, I consulted the Internet to search for a quick solution.
A popular solution was to circumvent the login security by creating another administrator account and removing the local user’s password.
This process took around five minutes and gave me access to the system and local user account, in addition to all the unencrypted files stored in their documents folder.
The first step was to use Microsoft’s Media Creation Tool to create a bootable Windows 10 USB.
The USB is not used to install anything; it allows anyone to open the command prompt without logging in.
I inserted the bootable USB into the system and set the PC to boot from the drive in the BIOS.
From the set-up menu, pressing Shift+F10 opens the command prompt.
This allowed me to change the login screen’s Utility Manager button to open the command prompt instead of a sub-menu by entering commands which replace the “utilman” executable with “cmd.exe”.
I then reset the system and booted from the original drive to access the login screen.
Clicking on the Utility Manager button opened the command prompt instead of its dedicated menu, allowing me to access administrative tasks without logging in.
I then created a new local user and set them as an administrator using the command prompt.
After doing this and rebooting to the login screen, anyone can log in to the machine as the new local user.
Because the user is an administrator, I could navigate to the “Local Users and Groups” menu in the Computer Management application and remove the password of any local user account, including other administrators.
After doing this and rebooting, the user can access their previously locked account and its account-specific files.
It should be noted that this method can remove certain files and settings, such as encrypted files in the user account folder and passwords stored in web browser autofill settings.
While this was a relatively painless way to assist the PC’s owner, it appears to expose flaws in local account security.
This is not the only way to circumvent Windows 10 local account security, as dedicated tools are available online.
Ten Immutable Laws of Security
Microsoft told MyBroadband that the scenario described above is not a security vulnerability according to the Ten Immutable Laws of Security, “as it requires the attacker to have physical access to a machine to succeed”.
“However, customers can help protect their data from an attacker who gains physical access to their machine by enabling full disk encryption, such as BitLocker with PIN,” said Microsoft.
The company said Windows 10 is designed to protect customers from security threats, regardless of whether they use an offline or online account, thanks to features such as Device Guard, Windows Hello, and Windows Defender.
While local user accounts are secure against remote attacks, if an attacker gains hardware access to the device, they could use basic tools to circumvent local security.
If users are worried about attackers gaining access to their PC, they should encrypt their hard disk or sign on using an online Microsoft account.
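An administrator can check a machine for the traces the procedure above leaves behind and for the mitigation Microsoft names. The following PowerShell audit is an added example, not part of the original article; it assumes an elevated session, the default System32 location, and that account-management auditing is enabled for the event log query to return anything.

```powershell
# Added example (not from the article): audit for the Utility Manager swap and
# for the BitLocker-with-PIN mitigation. Run in an elevated PowerShell session.
$sys32   = Join-Path $env:windir 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'

# 1. Utilman.exe must not be a copy of cmd.exe (same hash or cmd's version resource).
$utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash  = (Get-FileHash -Path $cmd -Algorithm SHA256).Hash
$origName = (Get-Item -Path $utilman).VersionInfo.OriginalFilename
[pscustomobject]@{
    Check            = 'Utilman.exe integrity'
    OriginalFilename = $origName
    Suspicious       = ($utilHash -eq $cmdHash) -or ($origName -match '^cmd\.exe')
} | Format-List

# 2. Local members of the built-in Administrators group (well-known SID S-1-5-32-544).
#    Review for accounts the owner does not recognise and for recent password changes.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
    ForEach-Object { Get-LocalUser -SID $_.SID } |
    Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon |
    Format-Table -AutoSize

# 3. Security log events the procedure generates when auditing is on:
#    4720 = account created, 4732 = member added to a local group, 4724 = password reset.
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 4724 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Mitigation: BitLocker on the OS volume, ideally with a TPM+PIN key protector.
$vol = $null
if (Get-Command -Name Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
}
[pscustomobject]@{
    Check            = 'BitLocker on OS volume'
    ProtectionStatus = if ($vol) { $vol.ProtectionStatus } else { 'Unavailable' }
    HasTpmPin        = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
} | Format-List
```

A result of `Suspicious : True` in the first check, or an unfamiliar administrator in the second, indicates the login screen's Utility Manager button may have been repurposed as described above.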