PassPass (bypass Windows local password)
PassPass (bypass the Windows account password)
PassPass allows you to bypass a local Windows user account password on XP through to Windows 10 (E2B v1.87+). It does NOT allow you to bypass the password entry for a Windows email account logon.
YouTube demo (old version) here.
See also the UtilMan hack method here which does not require you to modify any files on the Windows system.
PassPass comes from an idea developed by WindowsGate and Astr0baby’s tutorial, Wonko The Sane (for the grub4dos Windows dll version detection batch code) and Holmes.Sherlock (for writing the original grub4dos dll patch code).
A grub4dos version of PassPass for E2B is included in the E2B \_ISO\docs folder.
A Windows executable version called PEPassPass.exe is also available from the E2B Alternate Downloads Area – Other Files folder (written by boulcat and Ner0) It works by patching some code bytes in the Windows DLL file which handles user authorisation at logon.
How to use PassPass
1. (optional) If possible, boot to WinPE or linux from a USB drive and make backup copies of:
- \Windows\System32\NtlmShared.dll (if Windows 10/Server 2016)
This is so that if you break Windows by patching these dlls, you can restore them again, if necessary.The same dll file is backed-up by E2B later – this is just an extra step to be super-safe and is optional.
2. Boot from the E2B USB drive and run PassPass and choose the Windows installation you want to patch
3. Use the Backup option to keep a copy of the DLL. Note: make a note of what volume and DLL this is, in case you need to restore it later.
4. Use the Patch option to patch the DLL
5. Boot from the HDD to Windows – any password should now be accepted for any user account. Note that once logged in, some operations may not work correctly because the DLL has been patched. So it is best to create a new account with a new password, unpatch the DLL and then log-in using that new account… Create a new Admin user account (and set a password), e.g. Name=New, Password=windows.
6. Boot from the E2B USB drive and run PassPass, select the same Windows OS again and use UnPatch to restore the original DLL (or you can use the Restore DLL option if you previously made a backup – make sure that you restore the same DLL and volume that you backed up in Step 3).
7. Reboot and log in to the New account (for normal behaviour), do what you want (e.g. change other account passwords), then boot to one of the other accounts and delete the new user account when finished making changes. If anything goes wrong, restore the DLL file copy that you made in Step 1 using WinPE (or linux) or by using the E2B Restore option.
How to add PassPass to your E2B USB drive
Simply copy the \_ISO\docs\PassPass folder to the \_ISO\UTILITIES folder.
You should now have a \_ISO\UTILITIES\PassPass folder present containing PPass.g4b, PassPass.bak and PassPass.mnu.
You can now patch the Windows DLL on any volume in the system. The user password for any Windows local account will then not be required.
Note: You may be warned that more than one patch location exists. This is normal for some DLLs (e.g. Windows 8).
If you have any problems, please report them to me (the OS version number and MD5 hash of the DLL is required as well as the OS name, DLL filename and 32/64-bitness).