Lost Admin Rights or Password? Rescue the Account via Windows Recovery Environment

As with a lost password, losing your account’s administrator rights and privileges is one of the worst kinds of lockout: you can’t run anything that requires elevation.

If your user account has lost admin rights, malware may have caused it. Or you may have inadvertently set yourself as a “Standard User” via Account settings, or configured the Local Security Policy or user account group membership incorrectly.

This means you can’t go back to the User Account settings page and set yourself as administrator. In such cases, the Yes button in the UAC dialog will be disabled or grayed out.

The worst part may be that most users don’t have a second or alternate administrator account on their computer, and they would never have activated the built-in Administrator account (keeping it disabled is good for security, anyway).

Given the situation, the user still has these options via Recovery Options (Windows Recovery Environment) to get back lost administrator rights and privileges.

Instructions and screenshots in this article are from a Windows 10 computer, but the concept should apply to Windows 8 and earlier, as well.

Preliminary Step: Access the Windows Recovery Environment

  1. Boot the system using your Windows installation media or Recovery drive, if you’ve created one already. If you don’t have one, download the Windows 10 ISO and then create bootable media from another computer.
  2. In the Windows setup page that appears when booting using the Windows installation media, click Next.
  3. Click Repair your computer.
  4. In the Windows Recovery Options menu, click Troubleshoot, and then click Advanced Options.

That’s how you access the Windows RE Advanced Options menu. Now, follow any one of the following methods to recover your user account.

Restore lost administrator rights via Windows Recovery Environment

There are three options discussed below. Choose one of the methods that’s best suited for you. If you have enabled System Restore and you lost your administrator rights only recently, then you can undo the damage caused by rolling back the system as in Option 1.

If you’ve turned off System Restore, then you may use the steps under Option 2 or Option 3 to restore administrator rights to your user account.

Option 1: System Restore Rollback from Windows Recovery Environment

System Restore rollback replaces the entire registry hives from a previous snapshot. This is a convenient option if your group membership was recently changed; System Restore would revert to your previous settings.

If you prefer a System Restore rollback, follow these steps:

  1. In the Recovery Options, click System Restore.
  2. You’ll be asked to choose a target Operating System. Choose the Operating System.
  3. Click Next in the System Restore window.
  4. Select the Show more restore points check box (if available).
  5. Select the appropriate restore point from the list based on the date when the system was working fine.
  6. Click Next and click Finish.

Option 2: Enable Built-in Administrator & Fix your user account group membership

Using the Windows 10 setup disk or USB boot media, access the Windows Recovery Environment as per the instructions given above.

  1. In the Recovery Options menu, click Troubleshoot, and then click Advanced Options.
  2. Click Command Prompt.
  3. In the Command Prompt window, type the following command and press ENTER:
    net user administrator /active:yes

  4. Type exit to return to Recovery Options menu.
  5. Exit and Continue to Windows 10.
  6. When you get to the sign-in screen, hold the Shift key down while you select Power icon, and click Restart.
  7. Your computer restarts to the “Choose an option” screen. Select Troubleshoot → Advanced options → Startup Settings → Restart.
  8. After your computer restarts, you’ll see a list of options. Select 4 or F4 to start your PC in Safe Mode, or select 5 or F5 for Safe Mode with Networking.
  9. Log in as Administrator from safe mode.

Once logged in as built-in Administrator, you may create a new user account with administrator rights. Or fix the group membership of your original account that has lost its admin rights.

Option 3: Editing the Registry to Create a Backdoor by Setting a Debugger

Alternatively, you can edit the registry offline to facilitate (using a backdoor method) a group membership change from the login screen.

In the Recovery Options, click Command Prompt.

About this backdoor method: The logon screen shows the Ease of Access button, which launches the Accessibility Options; clicking it runs the file utilman.exe. By attaching Command Prompt as the debugger for this executable, we make Windows invoke Command Prompt when you click the Accessibility Options button. This is a backdoor method that helps you gain full administrative access to the system.

The debugger method invoking sethc.exe or utilman.exe has already been covered on various technology sites, so I’m not the first or only one who found it. What I’ve actually found is that the same technique works for Atbroker.exe as well, in Windows 10. This post is to illustrate the backdoor method using screenshots so that it benefits common users, for legitimate uses.

  1. Follow the instructions in article How to Edit the Registry Offline Using Windows Recovery Environment? and load the SOFTWARE registry hive.
  2. Add a debugger value for utilman.exe, specifying cmd.exe as the debugger. To do that, create a subkey named “utilman.exe” so that the resulting key path is:
    HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

    (Assuming you used the name MyKey when you loaded the hive.)

  3. In the utilman.exe key, create a string value (REG_SZ) named Debugger.
  4. Double-click Debugger and set its value data to c:\windows\system32\cmd.exe

    Editor’s note: You can also set a debugger for atbroker.exe in the same way. Either one will do, and both work equally well. If you’re setting a “debugger” value for Atbroker.exe, then to invoke the debugger (Command Prompt, in this case), you just need to click the lock screen once, just as you usually do when logging on to Windows. It would open a fully privileged Command Prompt for you, from where you can change your account settings.

  5. Make sure you unload the hive, then exit the Registry Editor.
  6. Click Continue to Exit and continue to Windows.
  7. In the Windows logon screen, click the accessibility (Ease of access) button. This should now launch the Command Prompt window.
  8. It’s time to fix your user account group membership or enable the built-in Administrator, whichever you prefer:

    To activate the built-in Administrator account, type:

    net user administrator /active:yes

    To fix the user account membership to set it as administrator, type:

    net localgroup administrators username /add

    For example, if your user account name is John, you’d type:

    net localgroup administrators john /add

    For more details and screenshots on changing group membership of accounts, check out the section Fix Group Membership of your User Account at the end of this article.

    Quick Tip: In the Command Prompt window, you can launch the User Accounts GUI to fix your group membership, enable the built-in Administrator account, or reset local user account passwords. Run the command CONTROL USERPASSWORDS2 or LUSRMGR.MSC (for Windows Pro Editions and higher).

  9. Now, close the backdoor created in Step #3 above. You don’t have to go back to the Recovery Environment to delete the key; you can do so from within Windows. To close the backdoor, simply delete this key using the Registry Editor once you log in to your user account:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

    This is an important step. If this backdoor is left as it is, anyone who has access to your system can play bad tricks against you.

Fix Group Membership of the Corrupt User Account (Set your account as administrator)

After following one of the three options above, you need to fix the group membership of your original (corrupt) user account. The corrupt account may show up as Standard User, or Guest — i.e., it’s not a member of Administrators group.

You can view the group membership of accounts by running the control userpasswords2 command from the Run dialog.

To fix the user account group membership and make it an administrator, from the user accounts dialog shown above:

  • Select your account → Properties → Group Membership → Administrator → OK.

Alternatively, via Command Prompt:

Open an elevated Command Prompt, and type the following command:

net localgroup administrators {username} /add

Example: If the username is RobertM, run this command:

net localgroup administrators RobertM /add

Close and reopen the control userpasswords2 dialog. You’ll see that the account, RobertM in this example, is now an administrator.

Log in to the user account and see if the rights and privileges are restored and you’re able to run programs elevated. Test the account for some time. If everything works fine on that account, you can deactivate the built-in Administrator account. To do so, start Command Prompt as administrator and run the following command:

net user administrator /active:no

Press ENTER.
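
A post-recovery check for the two cleanup steps in this article (closing the Image File Execution Options backdoor and deactivating the built-in Administrator), as an added PowerShell example that is not part of the original article. The helper name Get-IfeoDebugger and the choice of checking all three executables mentioned above are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# 1) Report any "Debugger" value left under Image File Execution Options (IFEO)
#    for the logon-screen executables named in this article.
# 2) Report whether the built-in Administrator account is still enabled.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Images   = 'utilman.exe', 'sethc.exe', 'atbroker.exe'

# Get-IfeoDebugger is a helper name chosen for this example.
function Get-IfeoDebugger {
    param([string]$Root, [string[]]$Image)
    foreach ($name in $Image) {
        $key = Join-Path -Path $Root -ChildPath $name
        $debugger = $null
        if (Test-Path -LiteralPath $key) {
            # Returns nothing when the key exists but has no Debugger value.
            $prop = Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue
            if ($prop) { $debugger = $prop.Debugger }
        }
        [pscustomobject]@{
            Image    = $name
            KeyPath  = $key
            Debugger = $debugger
            Flagged  = -not [string]::IsNullOrEmpty($debugger)
        }
    }
}

$findings = Get-IfeoDebugger -Root $IfeoRoot -Image $Images
$findings | Format-Table Image, Debugger, Flagged -AutoSize

foreach ($hit in @($findings | Where-Object Flagged)) {
    Write-Warning "Debugger still set for $($hit.Image): $($hit.Debugger)"
    # Prompts before each change. Removes only the Debugger value, which is enough
    # to stop the redirect; step 9 in the article deletes the whole key instead.
    Remove-ItemProperty -LiteralPath $hit.KeyPath -Name Debugger -Confirm
}

# The built-in Administrator has a SID ending in -500, even if it was renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in Administrator '$($builtin.Name)' is enabled; disable it once your own account is verified."
} else {
    Write-Output "Built-in Administrator '$($builtin.Name)' is disabled."
}
```

A machine that reports a Debugger value on any of these executables when you did not set one yourself should be treated as tampered with, since the same registry value gives anyone at the logon screen a privileged Command Prompt.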

Hope this guide helped you restore administrator rights and privileges for your user account, or to reset a lost local user account password in Windows 10 and earlier versions.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.

2 thoughts on “Lost Admin Rights or Password? Rescue the Account via Windows Recovery Environment”

  1. I would like to say thank you to Ramesh and his winhelponline.com for an excellent problem solving article. I had somehow been relegated to a Guest account on my own computer and could not find a way to get my Admin privileges back until I found this article. Now I am happily back to normal and I didn’t have to reinstall my operating system to do it. This page will be permanently bookmarked for future use and reference.

