Lost Admin Rights or Password? Rescue the Account via Windows Recovery Environment

As with a lost password, losing your account’s administrator rights and privileges is one of the worst kinds of lock-out: you can’t run anything that requires elevation.

If your user account has lost admin rights, it may have been caused by malware. Or you may have inadvertently set yourself as a “Standard User” via Account settings, or configured the Local Security Policy or user account group membership incorrectly.

This means you can’t go back to the User Account settings page and set yourself as administrator. In such cases, the Yes button in the UAC dialog will be disabled or grayed out.


The worst part may be that most users don’t have a second administrator account on their computer. And they would have never activated the built-in Administrator account (keeping it disabled is good for security, anyway).

Given the situation, the user still has these options via Recovery Options (Windows Recovery Environment) to get back lost administrator rights and privileges.

Preliminary Step: Access the Windows Recovery Environment

  1. Boot the system using your Windows installation media or Recovery drive, if you’ve created one already. If you don’t have one, download the Windows 10 ISO and then create bootable media from another computer.
  2. In the Windows setup page that appears when booting using the Windows installation media, click Next.
  3. Click Repair your computer.
  4. In the Windows Recovery Options menu, click Troubleshoot, and then click Advanced Options.

That’s how you access the Windows RE Advanced Options menu. Now, follow any one of the following methods to recover your user account.

Restore lost administrator rights via Windows Recovery Environment

There are three options discussed below. Choose the method that’s best suited for you. If you have enabled System Restore and you lost your administrator rights only recently, then you can undo the damage by rolling back the system as in Option 1.

If you’ve turned off System Restore, then you may use the steps under Option 2 or Option 3 to restore administrator rights to your user account.

Option 1: System Restore Rollback from Windows Recovery Environment

A System Restore rollback replaces the entire set of registry hives with those from a previous snapshot. This is a convenient option if your group membership was recently changed; System Restore would restore your previous settings.

If you prefer a System Restore rollback, follow these steps:

  1. In the Recovery Options, click System Restore.
  2. You’ll be asked to choose a target Operating System. Choose the Operating System.
  3. Click Next in the System Restore window.
  4. Select the Show more restore points check box (if available).
  5. Select the appropriate restore point from the list based on the date when the system was working fine.
  6. Click Next and click Finish.

Option 2: Enable Built-in Administrator via a direct registry edit

You can edit the SAM registry hive offline to enable or disable the built-in Administrator account.

  1. Using the Windows 10 setup disk or USB boot media, access the Windows Recovery Environment as per the instructions above.
  2. In the Recovery Options menu, click Troubleshoot, and then click Advanced Options.
  3. Click Command Prompt.
  4. In the Command Prompt window, type the following command and press ENTER:
  5. In the Registry Editor, select HKEY_LOCAL_MACHINE
  6. From the File menu, click Load Hive…
  7. In the browse dialog, locate and select the \Windows\System32\Config\SAM hive file from your Windows installation (assuming C:\ is your Windows drive letter. See the section about finding the drive letter of your Windows installation in this article). This SAM hive contains your user accounts configuration info.
  8. Assign a name for the loaded hive — e.g., TEMPHIVE
  9. Go to the following branch in the Registry Editor:
  10. Double-click the REG_BINARY value named F
  11. In the 8th row, 1st column, modify the value 11 to 10
    The value of 11 denotes that the built-in Administrator account is disabled. Setting it to 10 enables the built-in Administrator.
  12. Click OK to save the setting.
  13. Select the TEMPHIVE key.
  14. From the File menu, click Unload Hive…
  15. Exit the Registry Editor.
  16. In the Recovery Options window, click Continue (Exit and Continue to Windows 10.)
  17. When you get to the Windows 10 sign-in screen, you’ll see the built-in Administrator account.
  18. Log in to the built-in Administrator. This account has a blank password by default.
  19. Once logged in as the built-in Administrator, you may create a new user account with administrator rights, or assign a new password for the original user account, or fix the group membership of your original account that has lost its admin rights.

Option 3: Editing the Registry to Create a Backdoor by Setting a Debugger

Alternatively, you can edit the registry offline to enable (using a backdoor method) a group membership change from the login screen.

In the Recovery Options, click Command Prompt.

About this backdoor method: The logon screen shows the Ease of Access button, which launches the Accessibility Options; clicking it runs utilman.exe. By attaching Command Prompt as the debugger for this executable, we make Windows invoke Command Prompt when you click that button. This is a backdoor method that helps you gain full administrative access to the system.

The debugger method invoking sethc.exe or utilman.exe has already been covered on various technology sites, so I’m not the first or only one who found it. What I’ve actually found is that the same technique works for Atbroker.exe as well, in Windows 10. This post is to illustrate the backdoor method using screenshots so that it benefits common users, for legitimate uses.

  1. Follow the instructions in the article How to Edit the Registry Offline Using Windows Recovery Environment? and load the SOFTWARE registry hive.
  2. Add a debugger value for utilman.exe, mentioning cmd.exe as the debugger. To do that, create a subkey named “utilman.exe” under this key:
    HKEY_USERS\MyKey\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

    (Assuming you used the name MyKey when you loaded the hive.)

  3. In the utilman.exe key, create a string value (REG_SZ) named Debugger
  4. Double-click Debugger and set its value data to c:\windows\system32\cmd.exe

    Editor’s note: You can also set a debugger for atbroker.exe in the same way. Either one will do, and both work equally well. If you’re setting a “debugger” value for Atbroker.exe, then to invoke the debugger (Command Prompt, in this case), you just need to click the lock screen once, just as you usually do when logging on to Windows. It opens a fully privileged Command Prompt, from where you can change your account settings.

  5. Make sure you unload the hive, then exit the Registry Editor.
  6. Click Continue to Exit and continue to Windows.
  7. In the Windows logon screen, click the accessibility (Ease of access) button. This should now launch the Command Prompt window.
  8. It’s time to fix your user account group membership, or enable the built-in Administrator, whichever you prefer.

    To activate the built-in Administrator account, type:

    net user administrator /active:yes

    To fix the user account membership to set it as administrator, type:

    net localgroup administrators username /add

    For example if your user account name is John, you’d type:

    net localgroup administrators john /add

    For more details on changing group membership of accounts, check out the section Fix Group Membership of your User Account at the end of this article.

    Quick Tip: In the Command Prompt window, you can launch the User Accounts GUI to fix your group membership, enable the built-in Administrator account, or reset local user account passwords. Run the command CONTROL USERPASSWORDS2 or LUSRMGR.MSC (for Windows Pro Editions and higher)

  9. Now, close the backdoor created in Step #3 above. You don’t have to go back to the Recovery Environment to delete the key. You can do so from within Windows. To close the backdoor, simply delete this key using the Registry Editor once you log in to your user account:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe

    This is an important step. If this backdoor is left in place, anyone who has access to your system can open a fully privileged Command Prompt from the logon screen without signing in.
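
To confirm the backdoor is closed, here is an added example (not part of the original article): a PowerShell script that checks Image File Execution Options for a Debugger value on the three logon-screen executables the article names, previews removal of any it finds, and shows whether the built-in Administrator is still enabled. The function name Get-LogonDebuggerAudit is hypothetical; run it from an elevated PowerShell session on Windows 10.

```powershell
# Added example, not from the original article. Function name is hypothetical.
# Run in an elevated PowerShell session after signing in to the repaired account.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-LogonDebuggerAudit {
    [CmdletBinding()]
    param(
        # Logon-screen executables named in the article.
        [string[]]$Image = @('utilman.exe', 'sethc.exe', 'atbroker.exe')
    )
    foreach ($name in $Image) {
        $key = Join-Path $ifeo $name
        $found = Test-Path -LiteralPath $key
        $debugger = $null
        if ($found) {
            # The subkey can exist without a Debugger value, so ignore "not found".
            $debugger = (Get-ItemProperty -LiteralPath $key -Name Debugger `
                            -ErrorAction SilentlyContinue).Debugger
        }
        [pscustomobject]@{
            Image    = $name
            KeyFound = $found
            Debugger = $debugger
            Status   = if ($debugger) { 'BACKDOOR PRESENT' } else { 'clean' }
        }
    }
}

$results = Get-LogonDebuggerAudit
$results | Format-Table -AutoSize

# Preview removal of any leftover Debugger value; drop -WhatIf to apply.
# (The article deletes the whole subkey; removing the value has the same effect.)
foreach ($hit in ($results | Where-Object Debugger)) {
    Remove-ItemProperty -LiteralPath (Join-Path $ifeo $hit.Image) -Name Debugger -WhatIf
}

# The built-in Administrator always has a SID ending in -500, whatever its name.
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
    Select-Object Name, Enabled, PasswordLastSet
```

Every row should read "clean" and the built-in Administrator should show Enabled as False once the recovery is finished.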

Fix Group Membership of the Corrupt User Account (Set your account as administrator)

After following one of the three options above, you need to fix the group membership of your original (corrupt) user account. The corrupt account may show up as Standard User, or Guest — i.e., it’s not a member of the Administrators group.

You can view the group membership of accounts by running the control userpasswords2 command from the Run dialog.


To fix the user account group membership and make it an administrator, from the user accounts dialog shown above:

  • Select your account → Properties → Group Membership → Administrator → OK.

Alternately, via Command Prompt:

Open an elevated Command Prompt, and type the following command:

net localgroup administrators {username} /add

Example: If the username is RobertM, run this command:

net localgroup administrators RobertM /add

Close and reopen the control userpasswords2 dialog. You’ll see that the account, RobertM in this example, is now an administrator.


Log in to the user account and see if the rights and privileges are restored and you’re able to run programs elevated. Test the account for some time. If everything works fine on that account, you can deactivate the built-in Administrator account. To do so, start Command Prompt as administrator and run the following command:

net user administrator /active:no

Press ENTER.

Hope this guide helped you restore administrator rights and privileges for your user account, or to reset a lost local user account password in Windows 10 and earlier versions.


Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

2 thoughts on “Lost Admin Rights or Password? Rescue the Account via Windows Recovery Environment”

  1. I would like to say thank you to Ramesh and his winhelponline.com for an excellent problem solving article. I had somehow been relegated to a Guest account on my own computer and could not find a way to get my Admin privileges back until I found this article. Now I am happily back to normal and I didn’t have to reinstall my operating system to do it. This page will be permanently bookmarked for future use and reference.

