Lost Admin Rights or Password?

Rescue the
Account via Windows Recovery Environment

Similar to lost password scenario, losing your account’s administrator rights & privileges is one of the worst
kinds of lock-out situation where the user can’t run anything that requires elevation.

If your user account has lost admin rights, it may have been caused by a malware. Or you may have
inadvertently set yourself a “Standard User” via Account settings, or configured the Local Security Policy or
user account group membership incorrectly.

This means you can’t go back to the User Account settings page and set yourself as administrator. In such
cases, the Yes button in the UAC dialog will be disabled or grayed out.
Worst part may be that most users don’t have a second or alternate administrator account on their computer.
And they would have never activated the built-in Administrator account (keeping it disabled is good for
security, anyway).

Given the situation, the user still has these options via Recovery Options (Windows Recovery Environment)
to get back lost administrator rights and privileges.

Instructions and screenshots in this article are from a Windows 10 computer, but the concept should apply
to Windows 8 and earlier, as well.

Restore lost administrator rights via Windows Recovery Environment:

1. Step 1: Access the Windows Recovery Environment

2. Step 2: Restore lost administrator rights via Windows Recovery Environment
o Option 1: Perform a System Restore Rollback from Windows RE
o Option 2: Activate built-in Administrator account & login from Safe mode.
o Option 3: Edit the Registry offline to enable built-in Administrator account & fix user account
group membership.
Premiminary Step: Access the Windows Recovery Environment

1. Boot the system using your Windows installation media or Recovery drive, if you’ve created one
already. If you don’t have one, download the Windows 10 ISO and then create a bootable media
from another computer.
2. In the Windows setup page that appears when booting using the Windows installation media, click
Next
3. Click Repair your computer.
 4. In the Windows Recovery Options menu, click Troubleshoot, and then click Advanced Options.

That’s how you access the Windows RE Advanced Options menu. Now, follow any one of the following
methods to recovery your user account.
Restore lost administrator rights via Windows Recovery Environment

There are three options discussed below. Choose one of the methods that’s best suited for you. If you have
enabled System Restore and you lost your administrator rights only recently, then you can undo the damage
caused by rolling back the system as in Option 1.

If you’ve turned off System Restore, then you may use the steps under Option 2 or Option 3 to restore
administrator rights to your user account.

Option 1: System Restore Rollback from Windows Recovery Environment

If you prefer a System Restore rollback, follow these steps:

System Restore rollback replaces the entire registry hives from a previous snapshot. This is a convenient
option if your group membership was recently changed; System Restore would revert back your previous
settings.

1. In the Recovery Options, click System Restore.

2. You’ll be asked to choose a target Operating System. Choose the Operating System.
3. Click Next in the System Restore window.

4. Click Show more restore points check box (if available)

5. Select the appropriate restore point from the list based on the date when the system was working fine.

6. Click Next and click Finish.

Option 2: Enable Built-in Administrator & Fix your user account group membership

Using the Windows 10 setup disk or USB boot media, access the Windows Recovery Environment as per
the instructions given above.

1. In the Recovery Options menu, click Troubleshoot, and then click Advanced Options.

2. Click Command Prompt.

3. In the Command Prompt window, type the following command and press ENTER:

net user administrator /active:yes

 4. Type exit to return to Recovery Options menu.
5. Exit and Continue to Windows 10.
6. When you get to the sign-in screen, hold the Shift key down while you select Power icon, and click
Restart.
7. Your computer restarts to the “Choose an option” screen. Select Troubleshoot → Advanced options
→ Startup Settings → Restart.
8. After your computer restarts, you’ll see a list of options. Select 4 or F4 to start your PC in Safe
Mode, or select 5 or F5 for Safe Mode with Networking.
9. Log in as Administrator from safe mode.

Once logged in as built-in Administrator, you may create a new user account with administrator rights. Or
fix the group membership of your original account that has lost its admin rights.

Option 3: Editing the Registry to Create a Backdoor by Setting a Debugger

Alternately, you can to edit the registry offline to facilitate (using a backdoor method) a group membership
change from login screen.

In the Recovery Options, click Command Prompt.

In the Recovery Options, click Command Prompt.

About this backdoor method: If you’ve noticed, the logon screen shows the Ease of Access button to launch
the Accessibility Options; clicking that would launch the file utilman.exe. So, what we’re doing is make
Windows invoke Command Prompt when you click the Accessibility Options button, by attaching Command
Prompt as the debugger for this executable. This is a backdoor method that helps you gain full
administrative access to the system.

The debugger method invoking sethc.exe or utilman.exe has already been covered on various technology
sites, so I’m not the first or only one who found it. What I’ve actually found is that the same technique works
for Atbroker.exe as well, in Windows 10. This post is to illustrate the backdoor method using screenshots so
that it benefits common users, for legitimate uses.

1. Follow the instructions in article How to Edit the Registry Offline Using Windows Recovery
Environment? and load the SOFTWARE registry hive.
2. Add a debugger value for utilman.exe, mentioning cmd.exe as the debugger. To do that, create a
subkey named “utilman.exe” under this key:

HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Image File Execution

Options\utilman.exe

(Assuming you used the name MyKey when you loaded the hive.)

3. In the utilman.exe key, create a string value (REG_SZ) named Debugger

4. Double-click Debugger and set its value data to c:\windows\system32\cmd.exe

Here is how it should look like.

Editor’s note: You can also set a debugger for atbroker.exe using the same way. Any one of them
will do, and work equally well. If you’re setting a “debugger” value for Atbroker.exe, then to invoke
the debugger (Command Prompt, in this case), you just need to click the lock screen once, just as
you usually do when logging on to Windows. It would open a full privileged Command Prompt for
you, from where you can change your account settings.

5. Make sure you Unload the hive, Then exit the Registry Editor
6. Click Continue to Exit and continue to Windows.
7. In the Windows logon screen, click the accessibility (Ease of access) button. This should now launch
the Command Prompt window.
8. It’s time to fix your user account group membership, or enable the built-in Administrator which ever
you prefer:
 To activate the built-in Administrator account, type:

net user administrator /active:yes

To fix the user account membership to set it as administrator, type::

net localgroup administrators username /add

For example if your user account name is John, you’d type:

net localgroup administrators john /add

For more details and screenshots on changing group membership of accounts, check out
section Fix Group Membership of your User Account ↓ at the end of this article.

Quick Tip: In the Command Prompt window, you can launch the User Accounts GUI to fix your
group membership, enable the built-in Administrator account, or reset local user account passwords.
Run the command CONTROL USERPASSWORDS2 or LUSRMGR.MSC (for Windows Pro Editions and
higher)

9. Now, close the backdoor created in Step #3 above. You don’t have to go back to Recovery
Environment to delete the key. You can do so from within Windows. To close the backdoor, simply
delete this key using the Registry Editor once you login to your user account:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File

Execution Options\utilman.exe

This is an important step. If this backdoor is left as it is, anyone who has access to your system can
play bad tricks against you.
Fix Group Membership of the Corrupt User Account (Set your account as administrator)

After following one of the three options above, you need to fix the group membership of your original
(corrupt) user account. The corrupt account may show up as Standard User, or Guest — i.e., it’s not a
member of Administrators group.

You can view the group membership of accounts by running the control userpasswords2 command from
Run dialog.

To fix the user account group membership and make it an administrator, from the user accounts dialog
shown above:

 Select your account → Properties → Group Membership → Administrator → OK.

Alternately, via Command Prompt:

Open elevated Command Prompt, and type the following command:

net localgroup administrators {username} /add

Example: If the username is RobertM, run this command:

net localgroup administrators RobertM /add

Close and reopen the control userpasswords2 dialog. You’ll see that the account RobertM in this
example, is made an administrator.
Login to the user account and see if the rights and privileges are restored and you’re able to run programs
elevated. Test the account for some time. If everything works fine on that account, you can deactivate the
built-in Administrator account. To do so, start Command Prompt as administrator and run the following
command:

net user administrator /active:no

Press ENTER.

Hope this guide helped you restore administrator rights and privileges for your user account, or to reset a lost
local user account password in Windows 10 and earlier versions.

You'd like to read these articles:

 Fix: UAC Dialog "Yes" Button is Grayed Out or Disabled

 How to Enable the Built-in Administrator in Windows 10 via Recovery Options
 Perform System Restore Rollback Offline in Windows 10 [Recovery Options]
 [Fix] UAC asks for password even if logged in as administrator
 [Windows 10] "The Username or Password is Incorrect" Error at Every Restart

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft

technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from
2003 to 2012.
1 thought on “Lost Admin Rights or Password? Rescue the Account via Windows Recovery Environment”

1.

Donnie

After Windows 10 updates, Windows Defender can detect the backdoor method during the logon
process and prevent launching the command prompt.
https://www.bleepingcomputer.com/news/security/windows-defender-can-detect-accessibility-tool-
backdoors/

So we might need to rename the executable file of Windows Defender from the recovery
environment.