Log into Another User’s Session on Windows 10
Without knowing the user’s password you can still get access to the desktop as that user, sneaky huh? I will walk you through how to do this.
Why Log into Another User’s Session?
Let’s say that you are working at the IT Helpdesk. It is the end of your day when the user “groovyPost” requests IT support. The email client needs to be configured.
The user has left for the day and expects this to be fixed once back in the office the next day. You do not know that person’s password. Security policy doesn’t allow you to change the user’s password without first going through HR and the security team for approval, which is only for emergency cases. You might be surprised how little is needed for this to work. In the end, we will connect to the user’s session.
Prerequisites
There are four prerequisites for this to work:
Start Task Manager as SYSTEM
Normally, when you connect to another user’s session, Windows asks for that user’s password. This is not the case when the request comes from SYSTEM. Therefore, we want to run Task Manager as SYSTEM and connect from there. Sound complicated? It is actually fairly easy. Just follow these four steps.
What was that? -sid?
Hey now, what was that command doing? Let’s look at each part of it. PsExec.exe is primarily used to execute commands on remote systems, but it can also be used locally, as in this case. The first time you run PsExec on a system, it asks you to accept the Software License terms.
Switches explained:
-s: the process runs as SYSTEM. We need that so we are not prompted for a password when we later connect to the user’s session on the machine.
-i: we can interact with the desktop.
-d: don’t wait for the process to terminate.
Putting it all together: we call PsExec.exe to run Task Manager (taskmgr.exe) as SYSTEM, let it interact with the desktop, and don’t wait for the process to terminate. Perfect, exactly what we want.
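Because the launch described above has such a recognisable shape, it is also easy to spot in process-creation logs. The following is an added example, not part of the original article: it flags PsExec runs that combine the -s and -i switches and any Task Manager process running as SYSTEM. The event field names follow Sysmon process-creation events and all sample records are constructed; the function names are hypothetical.

```python
import ntpath

# Constructed sample records. Field names follow Sysmon process-creation
# events (an assumption; map them to whatever your log source provides).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe", "User": r"PC01\helpdesk",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "PsExec.exe -sid taskmgr.exe"},
    {"Image": r"C:\Windows\System32\Taskmgr.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "taskmgr.exe"},
    {"Image": r"C:\Windows\System32\Taskmgr.exe", "User": r"PC01\groovyPost",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\taskmgr.exe" /4'},
    {"Image": r"C:\Tools\PsExec.exe", "User": r"PC01\helpdesk",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "psexec -d -accepteula -i 1 -s taskmgr"},
]

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
SYSTEM_USER = r"nt authority\system"

def psexec_switches(command_line):
    """Collect s/i/d switches, written together (-sid) or apart (-s -i -d)."""
    found = set()
    for token in command_line.split()[1:]:
        body = token[1:].lower()
        # Only clusters made purely of s, i, d count; -accepteula is skipped.
        if token.startswith("-") and body and set(body) <= set("sid"):
            found |= set(body)
    return found

def classify(event):
    """Return a finding label for one event, or None if it looks routine."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image in PSEXEC_NAMES and {"s", "i"} <= psexec_switches(event["CommandLine"]):
        return "psexec interactive SYSTEM launch"
    # Task Manager normally runs as the logged-on user, not as SYSTEM.
    if image == "taskmgr.exe" and event["User"].lower() == SYSTEM_USER:
        return "taskmgr as SYSTEM, parent " + parent
    return None

def findings(events):
    return [(i, label) for i, e in enumerate(events) if (label := classify(e))]

if __name__ == "__main__":
    for index, label in findings(SAMPLE_EVENTS):
        print(index, label)
```

The second rule matches on the resulting process rather than on the PsExec command line, so it still fires when the launcher binary has been renamed.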
Enter the user’s session and see the desktop
Now we have Task Manager running as SYSTEM. Be careful, because you now have full power and no restrictions. We want to help our user configure an email client, but we are still logged in with our Local Administrator account. To enter our user’s session without the user’s password, do the following:
Voila, you are now in the user’s session as the user without even knowing the user’s password. You can now configure the user’s email client, then switch back to your local administrator session and close it. Support case solved and you are now the hero.
Didn’t work for you?
If it didn’t work for you, verify the following:
Conclusion
This is another good reason to follow the security best practice of reducing the number of local administrators. You have now seen how powerful and how dangerous local administrator access can be. This is not a bug or anything like it. It can be useful, for example for IT Helpdesk support, but harmful in the hands of someone with bad intentions. If you have any questions about accessing a user’s session/desktop without a password, join the discussion in our Windows 10 Forum.