You're staring at a Windows login screen. You don't know the password. You own the machine. You need back in. This is the utilman trick — a classic local-admin password reset that still works on modern Windows Server, with one big caveat called BitLocker.
Before anything: this only belongs on hardware you own or are authorized to administer. Using it on someone else's machine without permission is unauthorized access — illegal in every jurisdiction I know of. If you're reading this to get into a work machine, call IT instead.
TL;DR — the 8 commands
- Boot from Windows install media (USB or ISO).
- At the first setup screen, press Shift + F10.
- Figure out the drive letter of your Windows install.
- Back up and replace utilman.exe with cmd.exe.
- Reboot into normal Windows.
- At the login screen click the Ease of Access icon → you get a SYSTEM-level command prompt.
- net user Administrator NewPassword!
- Restore the original utilman.exe.
Full walkthrough below.
Why this works
Windows runs a few utilities at the login screen before anyone logs in: the Ease of Access menu, the on-screen keyboard, the magnifier. These processes run as NT AUTHORITY\SYSTEM — the highest privilege level on Windows, above any user account.
The Ease of Access button launches C:\Windows\System32\utilman.exe. If we replace that binary with cmd.exe, clicking the button gives us a SYSTEM shell sitting in front of a locked desktop. From there, resetting a password is a one-liner.
You cannot do this from a running Windows — the file is locked. That's why we boot from install media and do the swap offline.
What you need
- A Windows install USB or ISO. Any recent version (10/11/Server 2019/2022/2025) works. Microsoft has free official ISOs.
- Physical access to the machine (or iDRAC/iLO/iKVM for a server).
- Knowledge of whether the drive is BitLocker-encrypted. If yes, skip to the BitLocker section below.
Step 1 — Boot from install media
Plug in the USB, enter the firmware boot menu (usually F12, F11 or Esc — depends on the OEM), and boot the Windows installer.
At the first language/keyboard screen, don't click Next. Press Shift + F10. You get a CMD window running inside WinPE with full filesystem access.
Step 2 — Find the Windows drive letter
WinPE assigns letters differently than running Windows. The letter you'll use here is usually D: or E: — not C:.
wmic logicaldisk get deviceid,volumename,size
Or, if wmic isn't on the image (it is deprecated and missing from recent Windows 11 builds), use diskpart, which is always present in WinPE:
diskpart
list volume
exit
Look for the volume with Windows in its name, or the largest NTFS one. That's your target. I'll call it D: from here.
Step 3 — Swap utilman.exe with cmd.exe
Back up the original, then replace it:
cd /d D:\Windows\System32
copy utilman.exe utilman.exe.bak
copy /y cmd.exe utilman.exe
Verify the copy succeeded — the file sizes should match cmd.exe:
dir utilman.exe cmd.exe
Step 4 — Reboot back into Windows
wpeutil reboot
Pull the USB out so it boots from the internal disk. You'll get to the normal login screen.
Step 5 — Open the SYSTEM shell
Click the Ease of Access icon (person-in-a-circle, bottom-left or bottom-right depending on Windows version). Instead of the accessibility menu, a command prompt opens. The title bar will say something like C:\Windows\system32\utilman.exe; the user context is SYSTEM.
Sanity check:
whoami
REM → nt authority\system
Step 6 — Reset the password
Set a fresh password for the account you need:
net user Administrator "NewP@ssword-2026!"
Or list accounts first if you're not sure which one to touch:
net user
If the built-in Administrator account is disabled, re-enable it:
net user Administrator /active:yes
Close the window. You can now sign in.
Step 7 — Clean up (do not skip)
You now have a permanent SYSTEM backdoor at the login screen. Undo it.
Boot the install USB again, press Shift+F10, and restore the original:
cd /d D:\Windows\System32
del utilman.exe
ren utilman.exe.bak utilman.exe
wpeutil reboot
Or do it from the running Windows after logging in with your new password; that needs a properly elevated shell plus taking ownership of the file first, which is harder, so skip it if unsure.
Verify post-reboot that clicking the Ease of Access button opens the accessibility menu, not CMD.
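A scripted version of that check, added here and not part of the original post: it compares utilman.exe against cmd.exe by hash, reads the file's embedded OriginalFilename, checks the Authenticode signature and looks for a leftover .bak. Run it from an elevated PowerShell prompt; the default System32 path is assumed.

```powershell
# Added check (not from the original post): confirms utilman.exe is the genuine
# Microsoft binary again and not a leftover copy of cmd.exe. Run elevated.
param(
    [string]$System32 = "$env:SystemRoot\System32"   # assumption: default install path
)

$utilman = Join-Path $System32 'utilman.exe'
$cmd     = Join-Path $System32 'cmd.exe'
$bak     = Join-Path $System32 'utilman.exe.bak'
$problems = @()

# 1. A SHA-256 identical to cmd.exe means the swap is still in place.
$hUtil = (Get-FileHash -Algorithm SHA256 -Path $utilman).Hash
$hCmd  = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
if ($hUtil -eq $hCmd) { $problems += 'utilman.exe is byte-identical to cmd.exe' }

# 2. The version resource names the file it was built as; a copied cmd.exe still says Cmd.Exe.
#    -notlike is case-insensitive, so UtilMan.exe and utilman.exe both pass.
$orig = (Get-Item $utilman).VersionInfo.OriginalFilename
if ($orig -notlike 'utilman*') { $problems += "OriginalFilename is '$orig', expected utilman.exe" }

# 3. cmd.exe is Microsoft-signed too, so a valid signature alone proves nothing;
#    a broken one still tells you the file was tampered with or damaged.
$sig = Get-AuthenticodeSignature -FilePath $utilman
if ($sig.Status -ne 'Valid') { $problems += "Authenticode status is $($sig.Status)" }

# 4. A leftover backup means cleanup was incomplete (or someone else did this swap).
if (Test-Path $bak) { $problems += 'utilman.exe.bak still present' }

if ($problems.Count -eq 0) {
    Write-Output 'OK: utilman.exe looks genuine'
} else {
    $problems | ForEach-Object { Write-Output "WARN: $_" }
    exit 1
}
```

A non-zero exit makes the script usable from a scheduled task or a monitoring agent, so a swap that someone else performs later also gets noticed.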
The BitLocker caveat
If the Windows drive is encrypted with BitLocker, you cannot modify utilman.exe offline without unlocking the volume first. WinPE will see the volume, but only as a locked, FVEK-encrypted container: no readable file system and no writes.
You need the BitLocker recovery key. Where to find it:
- Microsoft account: account.microsoft.com/devices/recoverykey — keys for any PC you set up with a Microsoft account are stored there.
- Azure AD / Entra ID: if it's a work machine, IT has the key in the device's object.
- Active Directory: keys are usually backed up to the computer object if GPO enforced it.
- Printed / USB: if the user printed or saved the key when BitLocker turned on.
With the recovery key, unlock first, then do the utilman swap:
manage-bde -unlock D: -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456
If you truly don't have the key and no way to get one, you are not getting into that disk. That's BitLocker working as designed.
Alternatives when utilman won't work
- Microsoft account password: if the account is a Microsoft account (not a local one), reset the password on account.microsoft.com and wait a minute for the device to sync.
- Another admin account: log in as any admin you do have, open CMD as admin, net user <lockedout> NewPass!. No install media needed.
- Domain account on a domain controller: reset via the DC — Set-ADAccountPassword or AD Users and Computers.
- Offline tools: tools like Hiren's BootCD, Kon-Boot or chntpw automate a similar offline reset by editing the SAM registry hive directly. They work on older Windows; on modern Windows with Defender they can trip AV or fail on Secure Boot systems.
Will this trigger Defender?
On modern Windows 11 and Server 2022/2025, Defender scans behavioural patterns at login. Replacing utilman.exe with cmd.exe is a known attack pattern — Defender may flag it. In my experience:
- It works fine on default Windows Server setups.
- On Windows 11 with Tamper Protection or HVCI/Credential Guard on, you may get warnings or the swap may get reverted on next boot.
- Secure Boot + BitLocker together form the real barrier, not Defender alone.
If your org runs full endpoint protection, this trick is not the right tool — open a ticket with whoever provisioned the machine.
FAQ
Does the utilman trick work on Windows Server 2025?
Yes, if the system drive is unencrypted. Same steps as Windows 10/11 and earlier Server versions.
Will this delete my files?
No. It replaces one system binary temporarily. Your user profiles, documents and installed software are untouched.
Is this a security vulnerability?
It is a feature of how Windows boots plus a consequence of giving anyone with physical access the ability to boot install media. The fix is BitLocker (encrypt the disk) plus a firmware password (block alternate boot), which is why both are enabled on any serious Windows deployment.
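An added posture check (not from the original post) that reports on those two mitigations from inside Windows: BitLocker state and key protectors on the OS drive, plus Secure Boot. It assumes the BitLocker PowerShell module is present; the firmware password has no Windows-side API and must be verified in UEFI setup.

```powershell
# Added posture check (not from the original post). Run from an elevated prompt.
$osDrive = $env:SystemDrive   # usually C:

# BitLocker: the offline swap needs a readable volume, so the OS drive must be protected.
$bl = Get-BitLockerVolume -MountPoint $osDrive
if ($bl.ProtectionStatus -eq 'On' -and $bl.VolumeStatus -eq 'FullyEncrypted') {
    Write-Output "OK: $osDrive is BitLocker-protected ($($bl.EncryptionMethod))"
} else {
    Write-Output "WARN: $osDrive BitLocker protection=$($bl.ProtectionStatus) status=$($bl.VolumeStatus)"
}

# Key protectors: a TPM-only protector stops the WinPE swap (the key is never released
# to foreign boot media) but unlocks silently for the installed OS; TPM+PIN adds a
# pre-boot factor, and RecoveryPassword is the 48-digit key the section above relies on.
$bl.KeyProtector | ForEach-Object { Write-Output "  protector: $($_.KeyProtectorType)" }

# Secure Boot: part of the measured boot chain the TPM protector is sealed to. It does
# not by itself refuse official Windows media (that is Microsoft-signed), which is why
# the firmware password that locks the boot order still matters.
try {
    $sb = Confirm-SecureBootUEFI
    if ($sb) { Write-Output 'OK: Secure Boot is enabled' }
    else     { Write-Output 'WARN: Secure Boot is disabled' }
} catch {
    Write-Output 'WARN: Secure Boot state not available (legacy BIOS or unsupported platform)'
}
```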
Can I do this without install media?
You can use Windows Recovery Environment (WinRE) — interrupt the boot by holding the power button three times in a row to force it — and run the same copy commands from the recovery CMD. Same effect, no USB needed.
What if I only know the old password but it expired?
Log in normally; Windows will prompt you to set a new one. No need for any of this.
Reference
- Create a Windows User via CMD (net user) — covers net user flags in depth
- Windows Server Initial Setup Checklist
- Microsoft BitLocker recovery guide
Last updated: April 2026.