script using curcuitpy to remove windows password on non-encrypted (without bitlocker) drives.
Use this only on devices that you have permission to use it on. This Repo is for educational purposes only!
This was tested on windows 10
The led first lights up to give you some time to react. Then it flashes x number of times with x being the mode number.
- mode - This is in the booted usb
- mode - This is once windows boots
- mode - This is once windows is logged in
- Install circuitpy on the rpi pico. You can do this simply by holding the bootsel button when plugging the rpi and then putting the .uf2 file inside the rpi pico directory (on the disk that was mounted). Note: if You installed Anything on this rpi pico previously you have to wipe it first by putting flash_nuke.uf2 into the same directory.
- Get a bootable ENGLISH* windows usb - You get one here
- copy the files from here to rpi pico (adafruit_hid to lib)
- make sure to keep the var.txt as 0 before plugging it in to the target pc (every time you plug it in it increases)
- boot to the to the windows usb
- plug the rpi
- after it's done unplug it and plug it once windows loads
- rewrite [user] with your username and 123 with your new password
- login with your new credentials
- plug the rpi again so that it can revert the system to it's previous state (the password will stay as the new one set)
- enjoy unlocked windows!
* The script relies on a US keyboard
- When you boot to the windows usb the rpi replicates an hid device (like a keyboard) and does inputs to the computer. It will try to replace sethc.exe with cmd.exe in system32. To preserve the system it also creates sethc_backup.exe in system32 to backup sethc. This allows us to execute command prompt in the login screen. This cannot work if the drive is encrypted tho as we do not have access to system32 when it's encrypted.
- Once windows boots we get the rpi to press shift multiple times which starts sethc.exe (sticky keys). This opens the command prompt with administrator privileges. Now the rpi types
net user [username] 123
. This command changes the login information for the user. This works only with non-microsoft accounts tho. If you want to retrieve data from a microsoft account you can instead typenet user administrator /active:yes
. This will create a new user called administrator with absolute administrator privileges. It is recommended to delete this account once you're finished. You can do so using this command:net user administrator /active:no
. - Once you're logged in plugging the rpi again replaces sethc.exe with sethc_backup.exe so that we can have sticky keys back again. It's possible that windows defender will popup with privilige escalation warning. This was neccessary to do the password removal. Once the rpi finishes the system is back to normal but with the new password.