Log into Another User’s Session on Windows 10

Without knowing the user’s password you can still get access to the desktop as that user, sneaky huh? I will walk you through how to do this.

Why Log into Another User’s Session?

Let’s say that you are working at the IT Helpdesk. It is the end of your day when the user “groovyPost” requests IT support. The email client needs to be configured.

The user has left for the day and expect this to be fixed once back in the office the next day. You do not know that person’s password. Security policy doesn’t allow you to change the password for the user, without first going through the HR and security team for approval. Which is only for emergency cases. You might be surprised how little is needed for this to work. In the end, we will connect to the user’s session.

Prerequisites

There are four prerequisites for this to work:

Start Task Manager as SYSTEM

Normally when you connect to another user’s session, Windows asks for that user’s password. This is not the case when the request comes from the SYSTEM. Therefore we will want to run Task Manager as the system and connect from there. Sound complicated? It is actually fairly easy. Just follow these four steps.

What was that? -sid?

Hey now! what was that command doing? Let’s look into each part of it. PsExec.exe is primarily used to execute commands on remote systems, but can also be used locally as in this case. If first-time running PsExec on your system it will ask you to accept Software License terms. Switches explained: s –  means the process runs as SYSTEM, we need that to not be prompted for a password when we later connect to the user’s session on the machine. i – means we can interact with the desktop. d – don’t wait for the process to terminate. If we put all together; we call PsExec.exe to run Task Manager (taskmgr.exe) as SYSTEM, allow us to interact with the desktop and don’t wait for the process to terminate. Perfect, exactly what we want.

Enter the user’s session and see the desktop

Now we got Task Manager running as SYSTEM, be careful because you got full power now and no restrictions. We want to help our user to configure an email client, but we are still logged in as our Local Administrator account. To enter our user’s session without the user’s password do the following:

Voila, you are now in the user’s session as the user without even knowing the user’s password. You can now configure the user’s email client and then switch back to your local administrator user sessions and close it. Support case solved and you are now the hero.

Didn’t work for you?

If it didn’t work for you, verify the following:

Conclusion

Another good reason to follow the best security practice is to reduce the number of local administrators. You have now seen how powerful and how dangerous it can be. This is not a bug or alike.  But could be useful for example IT Helpdesk support but harmful for someone with bad intentions. If you have any questions about accessing a user’s session/desktop without a password, join the discussion in our Windows 10 Forum.

How to Log Into a User s Session Without Knowing Their Password - 23How to Log Into a User s Session Without Knowing Their Password - 68How to Log Into a User s Session Without Knowing Their Password - 58How to Log Into a User s Session Without Knowing Their Password - 80How to Log Into a User s Session Without Knowing Their Password - 15How to Log Into a User s Session Without Knowing Their Password - 11How to Log Into a User s Session Without Knowing Their Password - 42