1.    16 Mar 2017 #1
    Join Date : Aug 2015
    Posts : 107
    Windows 10 Home Premium

    Laptop Hacked - Password Changed


    My brother's best friend is a nice enough guy, but FAR from being the sharpest knife in the drawer....
    A couple days ago he got a call from 'Microsoft', telling him that his computer was infected with a multitude of viruses. Not only did he take the call, but he agreed to pay 'Microsoft' $200 to fix the problems. The scammer had the scamee (my brother's friend) enter some code and his laptop was now being controlled remotely. To make matters worse he actually gave them his Windows password. Incredible.

    The upshot is that he is now out 200 bucks, they want more money and until he pays them more, he is locked out of his computer, since the scammer changed the password.

    I turned off the laptop 3 times with the power button. The 4th restart gave me the advanced startup options. Every pertinent option seemed to want the Windows password to continue. Fabulous.

    I broke out the W10 disk and booted from it. I then again accessed the Advanced options, and this time was not prompted for a password. I went to System Restore and tried to restore it to a date before the 'Microsoft' phone call.

    It now has this little box labeled System Restore. Inside that box is a white bar that is constantly filling from left to right with a green bar. It has been doing this for the last 2 hours.

    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password? Cause this Restore doesn't appear to be doing the trick...

    Update.... The Restore finally finished with the message System Restore did not complete successfully. Your computer's system files and settings were not changed. It goes on to say that an unspecified error occurred during System Restore (0x80070091)
  2.    16 Mar 2017 #2
    Join Date : Aug 2016
    S/E England
    Posts : 4,488
    10 Home x64 (1709) (10 Pro on 2nd pc)

    Quote Originally Posted by boweasel View Post
    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password?
    No, but from the command prompt you can enable the built-in Administrator account. Then you can log in as Administrator and reset the password. See Option Four in this Tutorial.
    https://www.tenforums.com/tutorials/...a.html#option4
  3.    16 Mar 2017 #3
    Join Date : Aug 2016
    S/E England
    Posts : 4,488
    10 Home x64 (1709) (10 Pro on 2nd pc)

    Quote Originally Posted by boweasel View Post
    Update.... The Restore finally finished with the message System Restore did not complete successfully. Your computer's system files and settings were not changed. It goes on to say that an unspecified error occurred during System Restore (0x80070091)
    That, I'm afraid, is a known problem on some systems - probably nothing to do with what the scammers got up to.
    System Restore fails: AppxStaging %ProgramFiles%\WindowsApp 0x80070091
  4.    16 Mar 2017 #4
    Join Date : Aug 2015
    Posts : 107
    Windows 10 Home Premium
    Thread Starter

    Quote Originally Posted by Bree View Post
    from the command prompt you can enable the built-in Administrator account. Then you can log in as Administrator and reset the password. See Option Four in this Tutorial.
    https://www.tenforums.com/tutorials/...a.html#option4
    Okay.... I followed all the steps in Option Four right up to Step 8,
    where unlike the Tutorial, I got HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4. No 'S' in the word Account.

    Then, in Step 9, when I opened the 000001F4 key, I was instructed to change 11 to 10 in the first column of line 0038. On the problem laptop, the first column of line 0038 has a value of 15, not 11. I would supply a screenshot but I don't know how to do that on a computer that won't start.

    So I didn't do anything. I obviously need more help.
  5.    17 Mar 2017 #5
    Join Date : Aug 2016
    S/E England
    Posts : 4,488
    10 Home x64 (1709) (10 Pro on 2nd pc)

    Quote Originally Posted by boweasel View Post
    Okay.... I followed all the steps in Option Four right up to Step 8,
    where unlike the Tutorial, I got HKEY_LOCAL_MACHINE\REM_SAM\SAM\Domains\Account\Users\000001F4. No 'S' in the word Account.
    That would appear to be just a simple typo. Look at the bottom of Regedit in the screenshot at step 8 where it too clearly shows \Account\ with no 'S'. @Brink should be able to confirm that. I've just followed the instructions on another PC and it too had Account in the singular.

    Then, in Step 9, when I opened the 000001F4 key, I was instructed to change 11 to 10 in the first column of line 0038. On the problem laptop, the first column of line 0038 has a value of 15, not 11. I would supply a screenshot but I don't know how to do that on a computer that won't start.

    So I didn't do anything. I obviously need more help.
    Very sensible to leave things alone and seek further help. I don't know what the value 15 means, or if it's safe to change it. On the machine I just modified it was 11 as expected. Hopefully someone who knows more than me will be along shortly.
  6.    17 Mar 2017 #6
    Join Date : Aug 2015
    Posts : 107
    Windows 10 Home Premium
    Thread Starter

    Isn't there some way to use the W10 disk, go to a command prompt and type in some commands to obliterate the password?
    Quote Originally Posted by Bree View Post
    No....
    Actually Bree, there is... I went through some documents from an old computer and found this

    Create a new user or reset Windows 10 password with command prompt
    ⦁ Boot from Windows 10 disk and select Repair
    ⦁ Go into Troubleshoot/Advanced Options/Command Prompt
    ⦁ Navigate to C:\Windows\System32
    Back up a file called utilman.exe and overlay it with cmd.exe
    ⦁ Move utilman.exe utilman.exe.bak
    ⦁ Copy cmd.exe utilman.exe
    Take out the disk and reboot by typing
    ⦁ wpeutil reboot
    When the laptop gets to the log in screen, click on the Ease Of Access icon on the bottom right of the screen which now brings up a command prompt screen. Type
    ⦁ net user <username> <password>
    where <username> is the Windows user name and <password> is the NEW password
    Put the Windows 10 disk back in the optical drive and reboot using that disk. Go to the command prompt as before and rename utilman.exe.bak to utilman.exe.

    That's all there is to it. I rebooted, entered the new password, uninstalled the software the scammer had put on the laptop and all is well.

    But it makes me wonder why nobody else on this forum knew that. And why it's not already in some sort of tutorial. I hardly have the computer knowledge that most of you responders possess, yet I sort of remembered that there was a way around this. Shouldn't somebody here have known? These events make me question the whole rationale of using forums like this. In the past I've turned to these kinds of places when I couldn't figure it out myself. More and more I'm becoming disillusioned with the caliber of responses I get. The last thread I started in this forum (No Browser But Edge Will Connect) has now gone 3+ weeks without a response. I honestly doubt I'll ever receive an intelligent reply.

    And typos in a tutorial? A tutorial where one is supposed to make registry changes? Registry typos can be disastrous. People expect a certain level of expertise and quality here. Sadly, it seems to have fallen by the wayside.
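Added example, not part of any post in this thread: a check that a System32 folder (live, or on a drive pulled and attached to another machine) has not been left with utilman.exe replaced by cmd.exe, or with a moved-aside copy such as utilman.exe.bak still present. The function names and the sample folders are assumptions made for this example; the sample files are constructed dummy bytes, not real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_utilman(system32) -> list:
    """Return findings for one System32 directory; an empty list means none."""
    # Match names case-insensitively: an NTFS volume mounted on another OS
    # may expose 'Utilman.exe' with its on-disk capitalisation.
    names = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    utilman, cmd = names.get("utilman.exe"), names.get("cmd.exe")
    if utilman is None:
        findings.append("utilman.exe is missing")
    elif cmd is not None and sha256(utilman) == sha256(cmd):
        findings.append("utilman.exe is byte-identical to cmd.exe")
    # A sibling such as utilman.exe.bak shows the original was moved aside.
    for name in sorted(names):
        if name.startswith("utilman.exe."):
            findings.append(f"leftover copy: {names[name].name}")
    return findings


def build_sample(root: Path, swapped: bool) -> Path:
    """Constructed stand-in for System32, used only to demonstrate the check."""
    sys32 = root / ("swapped" if swapped else "clean")
    sys32.mkdir()
    (sys32 / "cmd.exe").write_bytes(b"constructed cmd bytes")
    if swapped:
        (sys32 / "Utilman.exe").write_bytes(b"constructed cmd bytes")
        (sys32 / "utilman.exe.bak").write_bytes(b"constructed utilman bytes")
    else:
        (sys32 / "Utilman.exe").write_bytes(b"constructed utilman bytes")
    return sys32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for swapped in (False, True):
            folder = build_sample(Path(tmp), swapped)
            print(folder.name, check_utilman(folder) or "no findings")
```

To check a real installation, pass its System32 path to check_utilman(); any finding means the Ease Of Access button on the login screen may not be launching the genuine utility.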
  7.    17 Mar 2017 #7
    Join Date : Apr 2015
    Posts : 12,819
    W10Prox64

    @boweasel
    I'm sorry you found a typo and it's unfortunate that the tutorial didn't help you regain access to the computer. A question posted in that tutorial thread would have gotten you assistance from the tut author, which might have resolved your problem with the different value you found.

    However, your bashing the volunteer help here is unnecessary.

    Back to the computer: If the system was remotely accessed by the scammers, the only sensible thing to do is pull the HDD, back up the user data, wipe the drive, and reinstall the OS. Anything less than that is just asking for trouble. You have no idea what they did to that thing. Many of these scammers place time bombs on their victims' systems. It's just not possible to "clean it" and be sure it's good.

 

