Reset a Windows 8 Password without using any third party software (reboot.pro)
61 points by umago on Dec 13, 2012 | 31 comments

I can't believe they haven't fixed that. I discovered that the login prompt ran with system-level privileges in Windows 95. I used it to play Duke3D in computer class when I was 14. You could press Ctrl+Alt+Del to bring up Task Manager, from Task Manager you could choose to run a command, and run explorer.exe. It would start Windows with full admin access.

They did fix it. It's called BitLocker and it encrypts your drive. The password was never intended to stop people with physical access and the ability to boot to a disk. Consider the process for resetting your Ubuntu password: http://www.howtogeek.com/howto/linux/reset-your-forgotten-ub...

Windows 95 had no security model. There are no "system-level privileges" in Windows 95. If you could execute any code on the machine you "owned" it. There were some contrivances in the shell to attempt to limit user access, but nothing serious like the security architecture of Windows NT.

You are correct that Windows 95 did not have the security model of NT, but administrators could limit what users were allowed to do in the Windows shell. If I logged in with my user account I could not play the game I wanted to play.

"You can restrict what users are allowed to do from the desktop and what they are allowed to configure using Control Panel." - http://technet.microsoft.com/en-us/library/cc751094.aspx

Because of the absence of an underlying security model, this very often did not work properly, i.e. you could workaround pretty much every kind of "restriction" on Windows 9x by smart mouse and keyboard only moves.

The article assumes you have enough access to boot the computer from an alternative medium.

They can't just "fix" that short of forcing full disk encryption.

I was referring to the login GUI running with full privileges, meaning any time someone finds an arbitrary code execution vulnerability in the GUI they can get full admin access.

I wasn't referring to using a boot disk to reset a password. As far as I'm concerned that's a feature not a vulnerability, and it's a feature Windows makes unnecessarily hard to access.

The "GUI" is in the kernel (gdi32.dll, user32.dll, comdlg32.dll, etc). What you see at the CTRL+ALT+DEL screen is actually the "SYSTEM" user's desktop.

You are, however, technically correct, but finding arbitrary code execution vulnerabilities in the "GUI" these days is not a trivial task. And if you've done that, you can do anything you want to the system.

As Raymond Chen (Windows API developer) would say "that would involve being on the other side of this airtight hatchway".

The "login GUI" is actually the process that launches user's sessions and then passes control of the screen/input to that session. It has to have "better than" administrator level access to do so (since it has to broker administrator sessions).

Even if you ran the actual GUI as some special user, that GUI would still have to be able to do a bunch of powerful things using SYSTEM level services, so any exploit would be equally as powerful if it went after the SYSTEM login GUI or the login service.

What you're suggesting would be meaningful feel good security with no actual teeth. Attackers would just use the boot disk to alter a different file or process.

Win95 is not built on the NT kernel, unlike Win2000+, and had no security groups. Everyone was admin all the time. Every process was admin.

Physical access is always game over.

There's an important difference between being able to unobtrusively compromise a machine by appearing to use it normally and opening up the case and removing the hard drive, something that attracts attention in almost any setting.

The article assumes you have access to reboot the computer from a CDROM or USB stick, which amounts to pretty much the same attack vector.

In theory, yes. In practice and on Windows it still maps to a lot of (superficial) hassle.

An encrypted boot device makes things a little harder, even with physical access.

No it isn't. That would only be true assuming you have a knowledgable attacker. For most cases physical access definitely does not mean game over.

Yes it is: remove the hard drive. Put the hard drive in another PC. Read the contents of the hard drive. Or even reboot the existing PC with an OS on a USB or optical drive.

Unless the HD is encrypted of course, but that is not what this article and password is about.

Well, given that you can install a keylogger on the USB keyboard nowadays, it is - even with encrypted hard drives. Or you can freeze the RAM, remove it and read the encryption key.

However, encryption makes things quite a bit harder.

The trick with defeating cold boot attacks (aka freezing the RAM) is easily mitigated by a system administrator that forces the system to hibernate instead of sleep (aka write volatile memory to disk).

It can also be mitigated by requiring not just the TPM chip, but also a PIN, PASSCODE, or a PASSCODE that is cycled every 60 seconds or so (on something like an RSA fob).

This presumes the system has a TPM chip, or a similar mechanism that can provide an original point for a trusted boot.

The trick is also easily defeated by turning the machine off instead of letting it sleep. Certainly. You could as well just go and make the case locked and hard to break, possibly coupled with an alarm. I was just pointing out that "encrypted disk" does not mean "100% secure".
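The two mitigations discussed in the preceding comments (hibernate instead of sleep so no key stays resident in RAM, and a TPM+PIN BitLocker protector rather than TPM alone, which is only possible if the box has a TPM) can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on Windows 8 or later, that C: is the OS volume, and that the Group Policy "Require additional authentication at startup" has already been enabled (BitLocker refuses a TPM+PIN protector without it).

```powershell
# Added example (not from the thread). Run elevated on Windows 8+.
# Assumptions: C: is the OS volume; the Group Policy "Require additional
# authentication at startup" is enabled so a TPM+PIN protector is accepted.

# 1. Cold-boot mitigation: hibernate (memory written to the encrypted
#    volume) instead of sleep (memory kept powered, keys resident).
powercfg /hibernate on
# Power button, sleep button and lid close: 2 = hibernate (1 would be sleep),
# on both AC and DC.
foreach ($action in 'PBUTTONACTION', 'SBUTTONACTION', 'LIDACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
}
# Never drift into sleep on an idle timeout either (0 = never).
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /setactive SCHEME_CURRENT

# 2. The caveat raised above: a TPM-bound protector needs a TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this machine; a TPM+PIN protector is not possible."
}

# 3. Require a PIN in addition to the TPM at boot, so the volume key is not
#    unsealed (and therefore not in RAM to freeze) until someone types it.
$pin = Read-Host -AsSecureString 'BitLocker startup PIN'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Add a recovery password as a second protector and show it once so it can
# be escrowed; losing the PIN otherwise means losing the volume.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Verify: expect a TpmPin protector and a RecoveryPassword protector.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Hibernation only helps against the cold-boot attack because hiberfil.sys lives on the BitLocker-protected volume; on an unencrypted system it does the opposite and writes the whole of RAM to disk in the clear. The PIN is what keeps a stolen, powered-off machine from ever loading the key: with a TPM-only protector the TPM unseals the key automatically during boot, which is exactly the window the RAM-freezing attack needs.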

Are there seriously examples of the RAM-freezing working, or is this a theoretical attack?

If "Bob" has access to my machine I have to assume it's game over, even if I have no idea about "Bob's" ability.

Under-estimating the ability of the attacker is a mistake, no?

Same goes for Macs really. Unless you have a firmware password set, resetting the root password is a few keystrokes away.

Isn't it the case with any other *nix or BSD system? Boot into single user, mount the filesystem, change the password. I have been mostly working on Windows lately, but that's how I remember it.

Pretty much, but OSX provides a nice GUI to do it.

Basically, by replacing utilman you can execute arbitrary code with system(?) privileges? Does the login manager check the signature of the executables?

Full-disk encryption sure is nice thing to have, even if it isn't bulletproof.

Checking signatures obviously won't help here.
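The question about utilman above and the reply that signature checks would not help are worth making concrete. The usual form of the trick is to boot offline and copy cmd.exe over utilman.exe, and cmd.exe is itself Microsoft-signed, so an Authenticode check on the file passes. What does distinguish the copy is the version resource: the OriginalFilename embedded in cmd.exe says "Cmd.Exe", not "utilman.exe". The following is an added example, not code from the thread; it assumes a stock install where each accessibility tool's OriginalFilename matches its on-disk name (case-insensitively), and it is a post-hoc check run from the booted system, so an attacker with the same offline access could in principle tamper with it too.

```powershell
# Added example (not from the thread): look for a replaced accessibility
# binary under System32. Assumption: on a stock install each tool's
# version-resource OriginalFilename equals its file name (ignoring case).
$system32 = Join-Path $env:SystemRoot 'System32'
$targets  = 'utilman.exe', 'sethc.exe', 'osk.exe',
            'narrator.exe', 'magnify.exe', 'displayswitch.exe'

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing so this also runs on the PowerShell 3 that ships with Windows 8.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Test-AccessibilityBinary {
    param([string]$Name)
    $path = Join-Path $system32 $Name
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ File = $Name; Verdict = 'missing' }
    }

    # Check 1: Authenticode. Catches a dropped third-party payload, but NOT a
    # copied-over cmd.exe, which is signed by Microsoft like the original.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # Check 2: the version resource names the executable it was built as.
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    $nameMatches = $orig -and ($orig -ieq $Name)

    $verdict = if (-not $signedByMicrosoft) { 'unsigned or non-Microsoft signer' }
               elseif (-not $nameMatches)   { "Microsoft-signed but is really '$orig'" }
               else                         { 'ok' }

    [pscustomobject]@{
        File             = $Name
        Signature        = $sig.Status
        OriginalFilename = $orig
        SHA256           = Get-Sha256Hex -Path $path
        Verdict          = $verdict
    }
}

$targets | ForEach-Object { Test-AccessibilityBinary -Name $_ } | Format-Table -AutoSize
```

The SHA256 column is there so the output can be compared against a known-good machine or a baseline taken at build time; the script does not embed reference hashes because they differ by build and patch level. As the thread says, none of this stops the attack: whoever can write to the disk offline can replace the check as easily as the binary. It only makes a quiet replacement visible, and the actual fix remains BitLocker.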

Check this DEFCON presentation for Windows tricks: http://www.youtube.com/watch?v=Xi0qUZCz6F0

Interesting demos start at about 20 minutes in.

Resetting a Windows 8 password without third-party software may have many methods to choose from, but most of them can be complex or demanding. Anmosoft Windows Password Reset can solve those problems. To learn more, please visit http://www.resetwindowspassword.com
