How does resetting Windows passwords without authentication work

Solution 1:

I couldn't find any explanation on why or how this works.

The OS has a file which contains a list of all user accounts, together with their password hashes. Editing the file to change the password hash to some known value (e.g. the hash of nothing) will result in the OS expecting that new password.

In Windows, that file is SAM (part of the Registry). Linux has /etc/passwd and /etc/shadow.

Isn't this a gaping security hole for Windows?

No, it is generally not considered a security hole in any OS. The account system is meant to do its job while the OS is running – if it's not running, then its rules no longer apply; you could as well use Hiren to copy all the files out (bypassing the ACLs aka "file permissions" that the main OS would enforce), or to swap one .exe with another (making Minesweeper.exe steal all your files). Really, instead of booting Hiren, you could just take the system disk out, connect it to another computer via USB, and do the same thing.

In other words, if the attacker has physical access to the device (or just its system disk), then it's usually considered that the attacker gaining physical access was the real security hole.

Of course, with laptops and other mobile devices, security access is much easier to get, and the most commonly accepted solution is device encryption – having the entire system disk encrypted, e.g. through Windows BitLocker, would prevent someone from accessing any of the files inside. (Most modern CPUs have acceleration for encryption, so it doesn't make the system slower at all.)

(Disk encryption should be combined with Secure Boot to prevent e.g. tampering with the passphrase prompt, although realistically for most people it's more towards "may/should" than "absolute must".)

Though do keep in mind that the login password is also directly used to encrypt certain user-specific data. Resetting the password in this way (or really, in any other way, including if you had used legitimate Administrator powers to do so) will cause that user's EFS-encrypted files, or DPAPI-protected data like browser passwords (in some browsers), to become forever inaccessible. So if you're unable to use BitLocker, then EFS may help just a little bit.

Apparently this is super easy and you don't even need a third party tool to achieve this.

Hiren is a third-party tool.
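To make the mechanism in the answer concrete without a Windows machine, here is an added example (not part of the original answer) that performs the same edit on the Linux analogue the answer names, /etc/shadow: parse the file, replace one account's hash field with a known value (an empty field, i.e. "the hash of nothing", or a hash you computed elsewhere, e.g. with `openssl passwd -6`), and leave every other field untouched. The sample file contents are constructed for the demo; the hash strings in it are placeholders, not real crypt output. Note that an empty field only grants passwordless login where PAM is configured with `nullok`, and that a leading `!` or `*` marks a locked account, which the reset also clears.

```python
"""Offline password reset on /etc/shadow, the Linux counterpart of the Windows SAM.

Added example for illustration; the sample data below is constructed, not
copied from any real system, and the hash strings are placeholders.
"""
from __future__ import annotations

# Constructed /etc/shadow content. Nine colon-separated fields per line:
# name, hash, lastchange, min, max, warn, inactive, expire, reserved.
SAMPLE_SHADOW = (
    "root:$6$s4ltroot$PLACEHOLDERHASHROOT:19700:0:99999:7:::\n"
    "alice:$6$s4ltalic$PLACEHOLDERHASHALICE:19700:0:99999:7:::\n"
    "bob:!$6$s4ltbob0$PLACEHOLDERHASHBOB:19700:0:99999:7:::\n"
)

FIELDS = 9


def parse_shadow(text: str) -> list[list[str]]:
    """Split shadow text into per-account field lists, validating the layout."""
    entries: list[list[str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != FIELDS:
            raise ValueError(f"line {lineno}: expected {FIELDS} fields, got {len(fields)}")
        entries.append(fields)
    return entries


def is_locked(hash_field: str) -> bool:
    """A leading '!' or '*' means no password can match this entry."""
    return hash_field.startswith(("!", "*"))


def reset_password(text: str, user: str, new_hash: str = "") -> str:
    """Return shadow text with `user`'s hash replaced by `new_hash`.

    An empty new_hash is the "hash of nothing" case: the OS will accept an
    empty password for the account (if PAM allows it via nullok). Any lock
    marker on the old hash is removed as a side effect, because the whole
    field is overwritten. All other accounts and fields are preserved byte
    for byte, and a trailing newline is kept if the input had one.
    """
    entries = parse_shadow(text)
    matched = False
    for fields in entries:
        if fields[0] == user:
            fields[1] = new_hash
            matched = True
    if not matched:
        raise KeyError(f"no such account in shadow file: {user}")
    out = "\n".join(":".join(f) for f in entries)
    return out + ("\n" if text.endswith("\n") else "")


def hash_of(text: str, user: str) -> str:
    """Convenience lookup of one account's hash field."""
    for fields in parse_shadow(text):
        if fields[0] == user:
            return fields[1]
    raise KeyError(user)


if __name__ == "__main__":
    # Demo run on the constructed sample: alice gets an empty password,
    # bob's locked account is replaced with a caller-supplied hash.
    after = reset_password(SAMPLE_SHADOW, "alice")
    after = reset_password(after, "bob", "$6$newsalt0$PLACEHOLDERNEWHASH")
    print("before:\n" + SAMPLE_SHADOW)
    print("after:\n" + after)
```

On a real system this is what an offline boot environment does on your behalf once it has mounted the disk read-write; the only thing that stops it is the file never being readable in the clear, which is the BitLocker/LUKS point the answer makes.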