Site icon TechGit

How to Log Into a User’s Session Without Knowing Their Password

Martin6

Sometimes you may need to log into a user’s session while they are away for some IT or maintenance work. Here’s how using third-party remote desktop clients.

Have you ever needed to enter another user’s login session on a Windows machine? The user has locked the machine and left for the day and you don’t know that user’s password…what to do?

Log into Another User’s Session on Windows 10

Without knowing the user’s password you can still get access to the desktop as that user, sneaky huh? I will walk you through how to do this.

Why Log into Another User’s Session?

Let’s say that you are working at the IT Helpdesk. It is the end of your day when the user “groovyPost” requests IT support. The email client needs to be configured.

The user has left for the day and expect this to be fixed once back in the office the next day. You do not know that person’s password. Security policy doesn’t allow you to change the password for the user, without first going through the HR and security team for approval. Which is only for emergency cases.

You might be surprised how little is needed for this to work. In the end, we will connect to the user’s session.

Prerequisites

There are four prerequisites for this to work:

  1. Knowing a username/password for local administrator on the machine. If the already logged-in user is a local administrator we will need another local administrator account.
  2. A user previously logged in and in the disconnected state. That is the case when a user locks the machine or recover from sleep/hibernation state.
  3. Psexec.exe (or psexec64.exe), can be downloaded for free from Microsoft Sysinternals (part of the PsTools). Download the pstool.zip file and extract it. Copy the psexec.exe file to a known location or one in your path variable. If you copy the file to c:windowssystem32 you don’t have to later reference the path to the file from example cmd.exe.
  4. Have access to the user’s machine. Either physical or through a remote tool such as VNC, LogMeIn, TeamViewer, DameWare or alike. Microsoft Remote Desktop Connection will unfortunately not work.

Start Task Manager as SYSTEM

Normally when you connect to another user’s session, Windows asks for that user’s password. This is not the case when the request comes from the SYSTEM. Therefore we will want to run Task Manager as the system and connect from there. Sound complicated? It is actually fairly easy. Just follow these four steps.

  1. On the user’s machine change/switch user to your local administrator account and login. Again, it’s important to remember that it cannot be over a Remote Desktop Session.
  2. Start an elevated cmd.exe. To run a cmd.exe elevated as admin, right-click the cmd.exe on the desktop or from the Start menu and choose Run as administrator from the menu.
  3. Make sure that no Task Manager (TaskMgr.exe) process previously started under your administrator account. If it is please close them before continuing.
  4. The goal is to run Task Manager as SYSTEM and from there later connect to the user’s session. We do that by using PsExec.exe. If you copied PsExec.exe to a default path such as c:windowssystem32 you can just type the command below. If not, specify the full path to the executable PsExec.exe. Type in the below in the elevated cmd.exe:
psexec.exe -sid taskmgr.exe

What was that? -sid?

Hey now! what was that command doing? Let’s look into each part of it. PsExec.exe is primarily used to execute commands on remote systems, but can also be used locally as in this case. If first-time running PsExec on your system it will ask you to accept Software License terms.

Switches explained:
s – means the process runs as SYSTEM, we need that to not be prompted for a password when we later connect to the user’s session on the machine.
i – means we can interact with the desktop.
d – don’t wait for the process to terminate.

If we put all together; we call PsExec.exe to run Task Manager (taskmgr.exe) as SYSTEM, allow us to interact with the desktop and don’t wait for the process to terminate. Perfect, exactly what we want.

Enter the user’s session and see the desktop

Now we got Task Manager running as SYSTEM, be careful because you got full power now and no restrictions. We want to help our user to configure an email client, but we are still logged in as our Local Administrator account. To enter our user’s session without the user’s password do the following:

  1. Go to the ‘Users’ tab (If you don’t see the tab click on ‘More details’ to make it visible)
  2. Right-click on the user you want to enter into (in this scenario groovyPost) and chose Connect

Voila, you are now in the user’s session as the user without even knowing the user’s password.

You can now configure the user’s email client and then switch back to your local administrator user sessions and close it. Support case solved and you are now the hero.

Didn’t work for you?

If it didn’t work for you, verify the following:

  1. You are not running a Windows Remote Desktop session, it doesn’t work over RDP, if no physical access to the machine using any other remote tool like TeamViewer, LogMeIn, Dameware, VNC.
  2. That your cmd.exe running the command was elevated. Easily spotted by seeing the text ”Administrator: Command Prompt” in the title.
  3. That no other Task Manager (TaskMgr.exe) running in your local administrator users session before running the PsExec.exe command.
  4. No password prompt in Task Manager when trying to connect. That means your Task Manager isn’t running as SYSTEM. Close all Task Managers and run the PsExec command.

Conclusion

Another good reason to follow the best security practice is to reduce the number of local administrators. You have now seen how powerful and how dangerous it can be. This is not a bug or alike. But could be useful for example IT Helpdesk support but harmful for someone with bad intentions.

FacebookTwitterTumblrRedditLinkedInHacker NewsDiggBufferGoogle ClassroomThreadsXINGShare

Related posts:

  1. The ultimate guide to Remote Desktop — control your PC over the internet!
  2. How to Change a User Account to Administrator on Windows 10 and 11
  3. Windows Task Manager: The Complete Guide
  4. Fixed: Can’t Run CMD as Administrator on Windows 11
  5. 31 Linux Commands Every Ubuntu User Should Know
  6. Essential command tools to fix virtually any networking issue on Windows 10
  7. New GeForce drivers optimized for Call of Duty: WWII
  8. How to Use tmux on Linux (and Why It’s Better Than Screen)
  9. 4 Ways To Always Run Programs As An Administrator In Windows 10
  10. Connect iPhone to Windows 10 PC using Microsoft Remote Desktop
Exit mobile version