Reset Windows 7 Passwords

If you forget the password to an account on a Windows 7 machine, there's a simple way to reset it. All you need is the standard Windows 7 recovery CD (the one that lets you get a command prompt window open after booting from the CD).

So, calm down - you've got this. Before rushing through the steps, read the next few paragraphs so that you understand WHAT you are about to do and WHY it works the way it does. Trust me - a clear understanding of what's going on here and how we're going to game the system will keep your stress level down and keep you from getting confused and making mistakes.

SETHC.EXE

This approach depends on how Windows 7 deals with a little executable named sethc.exe in the Windows\System32 directory. This is some kind of accessibility program in Windows, and I'm not sure exactly what it's for. The important thing is how Windows launches it - at the password prompt on login, hitting the shift key five times in a row executes sethc.exe even though you're not logged in.

Windows executes sethc.exe immediately, with administrator privileges, without checking to make sure sethc.exe is actually the correct executable program for the accessibility feature. Experienced users are grinning at this point, because they can see what's coming next.

CMD.EXE

Right beside sethc.exe in the Windows\System32 directory is cmd.exe - the Windows command line program. This is commonly called the DOS prompt, and when you're on the command line interface, you can execute all kinds of interesting and useful programs that don't use Windows-ish graphical interfaces. Things like utility commands for setting passwords on user accounts, for example.

Tricking the system

So, we have a Windows mechanism that launches a specific program even if you're not logged in, and we've got a command-line utility that lets you set the password on a user account. How are we going to put these two things together?

The Windows Recovery CD

Grab a Windows 7 recovery disk (any one will do - it doesn't have to be one you created on your system). Configure your machine to boot first from the CD, or figure out how to make your machine boot from CD during the startup process. Boot from the CD. Select the option to repair your computer, then the option to get a command prompt.

Now, you're looking at a black window with a command-line prompt. Your prompt will probably show some weird drive like X: instead of the familiar C: or D: - this is because you're running Windows (sort of, in a limited capacity) on a ramdisk instead of your regular C: or D: drive. Here's the magic - you can make changes on your C: or D: drive from this command line. You can copy files, for one thing.

What's your letter?

You need to know which drive letter corresponds to your Windows installation (the real one, not the temporary repair environment running on drive X:). This will typically be either C: or D:, but might be something weird like H: depending on your particular setup. Figure out your Windows drive letter. For this article, my assumption is that your machine is fairly generic and has its Windows software installed on the C: drive.

Find your sethc.exe program

In the command prompt window, switch drives to the one that contains your Windows installation. This is a very easy thing to do:

C:

Now, go to the Windows\System32 directory:

cd \Windows\System32

Look before you leap

Before you start changing things, look and see how sethc.exe and cmd.exe are sitting side-by-side in the directory:

dir sethc.exe
dir cmd.exe

These commands will show you that sethc.exe and cmd.exe are two different programs (the file sizes are different - first clue).

What are we going to do, again?

Here's the plan - we're going to make a backup copy of sethc.exe, replace the sethc.exe file in \Windows\System32 with a copy of cmd.exe for a few minutes, and use the 'hit the shift key five times at the login prompt' trick to launch a command-line window with administrative privilege. In that window, we're going to set the password on a user account. After we've set the account password, we're going to restore the correct sethc.exe file from the backup copy we made.

Got all that? Slow down, think it through, and don't proceed until it all makes sense to you.

Back up sethc.exe

Make a copy of your original sethc.exe file. Put it somewhere safe, like the top folder of your C: drive:

copy sethc.exe c:\

We'll use this copy to restore the correct sethc.exe file to the Windows\System32 directory after we have solved the problem of the forgotten password.

Replace sethc.exe with cmd.exe

Copy cmd.exe over sethc.exe, replacing the little accessibility program with the full-blown Windows command line interface:

copy cmd.exe sethc.exe

When asked if you want to overwrite sethc.exe, respond with Yes.

After doing this, your Windows machine will now launch the command-line interface when you hit the Shift key five times in a row.

Reboot

Take the recovery CD out of your machine, shut it down, and boot it up normally.

Open the command-line interface

At the login prompt (you know, the one with the forgotten password), hit the Shift key five times in a row instead of providing a password. The command line interface window will appear.

Set the password on a user account

You've got a command line interface open with administrative privileges - so, you can issue the command that sets the password for a user account. Let's assume the user account is called Fred and set Fred's password to password (he'll change it later to something he can remember).

net user Fred password

Now, Fred can log in by typing password as his password. What a relief!

Don't forget sethc.exe - clean up after yourself!

OK - you've solved the problem of the forgotten password, but you're not quite done. You really don't want to leave your machine set up to launch an administrator command line window without even logging in, and you might actually want to use the little accessibility utility someday.

Put the recovery CD back in, shut down your machine, and boot from the CD. Bring up the command prompt window like you did before.

Switch to your Windows drive and go to the Windows\System32 directory, just like before:

C:
cd \Windows\System32

Copy sethc.exe from the backup location back into its proper place in Windows\System32:

copy c:\sethc.exe sethc.exe

When asked if you want to overwrite sethc.exe, respond with Yes and your sethc.exe file will be restored to the state it was in before we undertook this effort.

All done!

Take out the recovery CD, shut down and restart your machine, and you're good to go!

Oh - and remind Fred to change his password to something he'll remember.
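
To confirm the cleanup really worked once the machine has booted normally, the PowerShell check below hashes sethc.exe and cmd.exe in System32 and reports whether sethc.exe is still a copy of cmd.exe. It is an added example, not part of the original article: the function names are made up for illustration, C:\sethc.exe is the backup location used above, and the code avoids Get-FileHash so that it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: verify that System32\sethc.exe is no longer a copy of cmd.exe.
# Function names are illustrative; C:\sethc.exe is the backup path from the article.

function Get-Sha256Hex {
    param([string]$Path)
    # Use .NET directly, because Get-FileHash does not exist in PowerShell 2.0
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-SethcRestored {
    param(
        [string]$System32   = (Join-Path $env:SystemRoot 'System32'),
        [string]$BackupPath = 'C:\sethc.exe'
    )
    $sethc = Join-Path $System32 'sethc.exe'
    $cmd   = Join-Path $System32 'cmd.exe'

    $sethcHash = Get-Sha256Hex $sethc
    $result = New-Object PSObject -Property @{
        SethcSha256   = $sethcHash
        # True means the swap from the article is still in place
        IsCopyOfCmd   = ($sethcHash -eq (Get-Sha256Hex $cmd))
        # Name recorded in the file's version resource (informational)
        OriginalName  = (Get-Item $sethc).VersionInfo.OriginalFilename
        # Stays $null when the backup copy has already been deleted
        MatchesBackup = $null
    }
    if (Test-Path $BackupPath) {
        $result.MatchesBackup = ($sethcHash -eq (Get-Sha256Hex $BackupPath))
    }
    return $result
}

$check = Test-SethcRestored
$check | Format-List
if ($check.IsCopyOfCmd) {
    Write-Warning 'sethc.exe is still a copy of cmd.exe. Repeat the restore step.'
}
```

On 64-bit Windows, run this from the 64-bit PowerShell so that the System32 path is not redirected to SysWOW64. The same comparison is also a quick way to spot this swap on a machine you did not set up yourself.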