Kid bypassing Laptop Windows Password

Wow, this is a read and a half, I think I'll stick to the pure techncial bit as I work in IT within schools so this is pretty much by bread and butter as the kids love trying to get into our systems / machines in ways they shouldnt. Ultimately as many others have said the fact you have given him an admin account essentialy means its game over. The whole point of admin is that it lets you change things and you are going to be immediately on the back foot trinyg to work out, how, it happened, rather than truly stopping it. I'd suggest you woudl be better of doing the below.

1. Enable bitlocker on the machine so the boot drive is encrypted, this means that even if something like a linux boot CD / pen drive is used, it wouldn't be able to interact with the bitlockered volume to make any changes. Ensure they bit locker password is long and dont save the key somewhere the kid can access
2. Put an admin password on the BIOS of the machine, ensure its different and dont let the kid have it.
3. Within the BIOS disable the ability to boot from USB, CD, Network, everything, except the internal drive itself. Ensure things like secure boot, and the TPM are enabled.
4. Change the kids admin account to a standard user.
5. Reset the password on your admin account on the machine, again make this different to the BIOS and Bitlocker passwords.

If you do all 5 of them that should stop it. Disabling the boot options in BIOS stops things like linux CD's etc being able to boot. Password protecting the BIOS then stops those settings from being changed. Bitlockering the drive stops it from being read or files being changed should the prior two methods fail for any reason (but short of guessing that password I dont see how they could) or if the drive is removed and put in something else. Dropping the kids account to a standard user account means they cant disable bitlocker, and then cant reverse engineer any of the other bits. It should also make it considerably harder to install any kind of tools that cold find the passwors mentioned, or circumevent any of the other protections.

With all of these in place there's really no way they should be able to bypass anything. Though keep in mind the instant you give them admin rights, its game over. At that point passswords et are irrelevant as they can simply use their admin to install all mannaer of tools designed to cirumvent this. It only works if you do everything together. If you take admin away, but dont secure the bios and bitlocker the drive, they can simply boot a live CD to do things in that that you cant do without admin etc. It only works if you do everything together.
Useless advice. :cry:

If his dad did all 5 of them but that WONT stop it.

1. Kid can disabled bitlocker easy and decrypted boot drive bypass boot pin or password via software tool.
2. Kid can find a screwdriver to open laptop and removed CMOS battery that will remove BIOS admin password.
3. Kid can change ability to boot from USB, CD, Network and everything after he removed CMOS battery that will reset BIOS settings to default.
4. Kid can easily change standard user back to admin account through PowerShell.
5. Kid can reset Windows 11 admin account easily again and again with utilman.exe trick which I did reset my sister PC years ago when she forget admin account password.
 
Wow, this is a read and a half, I think I'll stick to the pure techncial bit as I work in IT within schools so this is pretty much by bread and butter as the kids love trying to get into our systems / machines in ways they shouldnt. Ultimately as many others have said the fact you have given him an admin account essentialy means its game over. The whole point of admin is that it lets you change things and you are going to be immediately on the back foot trinyg to work out, how, it happened, rather than truly stopping it. I'd suggest you woudl be better of doing the below.

1. Enable bitlocker on the machine so the boot drive is encrypted, this means that even if something like a linux boot CD / pen drive is used, it wouldn't be able to interact with the bitlockered volume to make any changes. Ensure they bit locker password is long and dont save the key somewhere the kid can access
2. Put an admin password on the BIOS of the machine, ensure its different and dont let the kid have it.
3. Within the BIOS disable the ability to boot from USB, CD, Network, everything, except the internal drive itself. Ensure things like secure boot, and the TPM are enabled.
4. Change the kids admin account to a standard user.
5. Reset the password on your admin account on the machine, again make this different to the BIOS and Bitlocker passwords.

If you do all 5 of them that should stop it. Disabling the boot options in BIOS stops things like linux CD's etc being able to boot. Password protecting the BIOS then stops those settings from being changed. Bitlockering the drive stops it from being read or files being changed should the prior two methods fail for any reason (but short of guessing that password I dont see how they could) or if the drive is removed and put in something else. Dropping the kids account to a standard user account means they cant disable bitlocker, and then cant reverse engineer any of the other bits. It should also make it considerably harder to install any kind of tools that cold find the passwors mentioned, or circumevent any of the other protections.

With all of these in place there's really no way they should be able to bypass anything. Though keep in mind the instant you give them admin rights, its game over. At that point passswords et are irrelevant as they can simply use their admin to install all mannaer of tools designed to cirumvent this. It only works if you do everything together. If you take admin away, but dont secure the bios and bitlocker the drive, they can simply boot a live CD to do things in that that you cant do without admin etc. It only works if you do everything together.

Thanks for that.

Like I said previously until now simply changing the password temporarily worked. We've obviously now moved beyond that. All the machines are encrypted except the gaming machines and test machines. Which have no data on them and are effectively disposable. Of course it has to be done for all the gaming machines. The account used not be admin but gained that permission a while ago. Hasn't that come back to bite.
 
Last edited:
One of you says a million and one, the other 10 or more, lol. Comedy.

Thus far there only been a handful of practical and likely possibilities, from genuine people who actually read what was posted.
Probably something to do with the fact that we're two different people with different opinions, and the fact that one of is talking about all possible ways and the other is talking about just those methods mentioned in this thread.

TBH it seems you created this thread simply to troll as despite people best efforts to help all you've done is throw that back in people faces and rebuke them because you've not made it clear what your attempting to achieve, if you really wanted help then i suggest that insulting people probably isn't the best way to go about that.
 
Useless advice. :cry:

If his dad did all 5 of them but that WONT stop it.

1. Kid can disabled bitlocker easy and decrypted boot drive bypass boot pin or password via software tool.
2. Kid can find a screwdriver to open laptop and removed CMOS battery that will remove BIOS admin password.
3. Kid can change ability to boot from USB, CD, Network and everything after he removed CMOS battery that will reset BIOS settings to default.
4. Kid can easily change standard user back to admin account through PowerShell.
5. Kid can reset Windows 11 admin account easily again and again with utilman.exe trick which I did reset my sister PC years ago when she forget admin account password.

Agreed. Ultimately it just escalates from one level to the next. Though there is a honeymoon period before each escalation. But thats life.
 
Probably something to do with the fact that we're two different people with different opinions, and the fact that one of is talking about all possible ways and the other is talking about just those methods mentioned in this thread.

TBH it seems you created this thread simply to troll as despite people best efforts to help all you've done is throw that back in people faces and rebuke them because you've not made it clear what your attempting to achieve, if you really wanted help then i suggest that insulting people probably isn't the best way to go about that.

From my point of view, more accurately some people tried to derail the thread to what they wanted to talk then got grouchy when they couldn't. As I said ".. answering a question I didn't ask..." I said it a lot, like a lot.

But hey its an open forum and you get the chaff with the wheat. Part of being on a forum.
 
Last edited:
Useless advice. :cry:

If his dad did all 5 of them but that WONT stop it.

1. Kid can disabled bitlocker easy and decrypted boot drive bypass boot pin or password via software tool.
2. Kid can find a screwdriver to open laptop and removed CMOS battery that will remove BIOS admin password.
3. Kid can change ability to boot from USB, CD, Network and everything after he removed CMOS battery that will reset BIOS settings to default.
4. Kid can easily change standard user back to admin account through PowerShell.
5. Kid can reset Windows 11 admin account easily again and again with utilman.exe trick which I did reset my sister PC years ago when she forget admin account password.

Your logic on this is flawed in my opinion and its why I made the point that this only works if all the settings are done together. Unless the laptop is very old removing the CMOS battery will not remove the admin password. This hasn't been a thing for years and generally speaking once a BIOS has a password theres no way of removing it short of replacing actual chips on the BIOS or having the password. Whilst some companies offer things like bios reset util tools these generally rely on being able to boot into something else or run as admin which the other protections prevent.

The rest of your logic then falls apart, the ability to boot from network / cd / usb etc doesnt become available because the bios didnt lose its password.

Whilst standard users can change bitlocker passwords / boot pins this wasnt the point of having it enabled. I'm not suggesting he stop the person using the laptop with a bitlocker password, you would let the TPM deal with that and never tell the kid the password or pin that was used. You need the old password / pin to change it, so this wouldnt work as the kid wouldnt have the old password to be able to do the change.

You can't run the elevated commands needed to change a standard user to an admin use in a non admin prompt of powershell.

Utilman relies on being able to boot a windows dvd, again, this wont work as long as the bios is correctly configured and password protected. Even if it did as you mount the volume to replace the file, you would need the bitlocker password to unlock the drive which the kid doesnt have.


What you are describing was certainly true years ago, but just isnt the ase now. My suggestions fall apart if any one of them is missed, and as you say if you miss allowing boot media you have live CD's, if you miss bitlocker you can edit the drives in other ways, if you miss a password you can change these settings, but when these are all done together there really is no way around it.

I get that he didnt specificaly ask for this, but as people are saying thats the point of a forum and the other points have already been done to death. Short of trawling the event logs in the hope you catch what was done (assuming its even a loggable event) there's really no hope of knowing how it happened when the kid had admin access. The whole point of admin is that it allows you to do anything on the machine and for as long as they have this no protection will ever stop this happening as the admin rights simply allow it to be turned off / undone.
 
Last edited:
I've only ever messed with cmos and pram batteries trying to revive old machines. Not access new ones.

A quick Google suggests there are manufacturers back door codes you can use to reset the bios if the battery method doesn't work.
 
This thread was a fun ride. May I try to skin the cat another way?

Bear in mind, this is not my opinion, I'm simply making an observation:
If someone (let's call him Bob) wants to "hack" into a password protected computer but doesn't know how to do it, what does he do?
"I'll ask online" he thinks to himself, but he quickly realises that nobody is going to offer to help him hack into someone else's computer - they'll just call him a very naughty boy.
"So..." Bob thinks to himself "what if I say that I just want to know how to do it, not for my own benefit, but simply because my kid managed to hack into MY computer, so HE'S the naughty boy, and I'm just trying to teach him a lesson", Bob nods, rubbing his hands together "I'm a genius!"

I want to reiterate; I am not saying you're Bob, OP, and I don't think anyone here truly thinks you're Bob either, but the shadow of Bob is what's probably keeping you in the dark (your storytelling has been a little flawed too at times, but I think that's more due to the omission of details rather than anything else).

Also a reminder for everyone asking for the kid's age:
Lol when I said Kid hes taller and stronger than I am. But I'm a dirty fighter and he isn't.
We don't know the kid's age, but this quote from the very first page provides more context than a number would anyway.

With that said, nobody is going to advertise, in a public forum, how to hack a windows password. There's many ways to skin that cat and it's in nobody's interest for the general public to know how to do it.
I hope you figure out what your son is doing and come out on top :cool:
 
Type bypass Windows password into Google and follow one of the millions of results. :)
Now come on, don't pretend like you've never asked someone something that you couldn't have simply googled. We've all got a bit of Bob in us.

Doesn’t matter how old the kid is, ask said kid how they did it. Story doesn’t add up.
In fairness, OP's unwillingness to ask the kid isn't the part of the story that doesn't add up. That's like suggesting asking the career criminal for advice on how to catch him next time. He's supposedly bypassed the password on many occasions and hid the laptop, so he is quite unlikely to be a helpful witness to his own crimes. In this context, an older child is especially less likely to be cooperative.

Giving the kid admin privileges is a much bigger plot hole, but does go a long way in explaining how he might achieve the results he supposedly has.

OcUK is usually a good shortcut to getting good tech info. An unusually high noise to signal ratio this time though.
It's been part drama, part mystery, part comedy. At least you've created something entertaining.
 
Your logic on this is flawed in my opinion and its why I made the point that this only works if all the settings are done together. Unless the laptop is very old removing the CMOS battery will not remove the admin password. This hasn't been a thing for years and generally speaking once a BIOS has a password theres no way of removing it short of replacing actual chips on the BIOS or having the password. Whilst some companies offer things like bios reset util tools these generally rely on being able to boot into something else or run as admin which the other protections prevent.

The rest of your logic then falls apart, the ability to boot from network / cd / usb etc doesnt become available because the bios didnt lose its password.

Whilst standard users can change bitlocker passwords / boot pins this wasnt the point of having it enabled. I'm not suggesting he stop the person using the laptop with a bitlocker password, you would let the TPM deal with that and never tell the kid the password or pin that was used. You need the old password / pin to change it, so this wouldnt work as the kid wouldnt have the old password to be able to do the change.

You can't run the elevated commands needed to change a standard user to an admin use in a non admin prompt of powershell.

Utilman relies on being able to boot a windows dvd, again, this wont work as long as the bios is correctly configured and password protected. Even if it did as you mount the volume to replace the file, you would need the bitlocker password to unlock the drive which the kid doesnt have.


What you are describing was certainly true years ago, but just isnt the ase now. My suggestions fall apart if any one of them is missed, and as you say if you miss allowing boot media you have live CD's, if you miss bitlocker you can edit the drives in other ways, if you miss a password you can change these settings, but when these are all done together there really is no way around it.

I get that he didnt specificaly ask for this, but as people are saying thats the point of a forum and the other points have already been done to death. Short of trawling the event logs in the hope you catch what was done (assuming its even a loggable event) there's really no hope of knowing how it happened when the kid had admin access. The whole point of admin is that it allows you to do anything on the machine and for as long as they have this no protection will ever stop this happening as the admin rights simply allow it to be turned off / undone.

TPM and other onboard protection on anything remotely new will do as you say - you simply aren't getting in unless you have skills which are likely way beyond what the kid in this instance is capable of, but we dont know the kid might be hiding the laptop while taking the bios chip off and reprogramming it for the lols.
 
Your logic on this is flawed in my opinion and its why I made the point that this only works if all the settings are done together. Unless the laptop is very old removing the CMOS battery will not remove the admin password. This hasn't been a thing for years and generally speaking once a BIOS has a password theres no way of removing it short of replacing actual chips on the BIOS or having the password. Whilst some companies offer things like bios reset util tools these generally rely on being able to boot into something else or run as admin which the other protections prevent.

The rest of your logic then falls apart, the ability to boot from network / cd / usb etc doesnt become available because the bios didnt lose its password.

Whilst standard users can change bitlocker passwords / boot pins this wasnt the point of having it enabled. I'm not suggesting he stop the person using the laptop with a bitlocker password, you would let the TPM deal with that and never tell the kid the password or pin that was used. You need the old password / pin to change it, so this wouldnt work as the kid wouldnt have the old password to be able to do the change.

You can't run the elevated commands needed to change a standard user to an admin use in a non admin prompt of powershell.

Utilman relies on being able to boot a windows dvd, again, this wont work as long as the bios is correctly configured and password protected. Even if it did as you mount the volume to replace the file, you would need the bitlocker password to unlock the drive which the kid doesnt have.


What you are describing was certainly true years ago, but just isnt the ase now. My suggestions fall apart if any one of them is missed, and as you say if you miss allowing boot media you have live CD's, if you miss bitlocker you can edit the drives in other ways, if you miss a password you can change these settings, but when these are all done together there really is no way around it.

I get that he didnt specificaly ask for this, but as people are saying thats the point of a forum and the other points have already been done to death. Short of trawling the event logs in the hope you catch what was done (assuming its even a loggable event) there's really no hope of knowing how it happened when the kid had admin access. The whole point of admin is that it allows you to do anything on the machine and for as long as they have this no protection will ever stop this happening as the admin rights simply allow it to be turned off / undone.
I stand by a lot of this. Except for Dell laptops who have a publicly available tool to reset the BIOS admin password simply by providing the serial number, and also ensuring you disable PowerShell command history. The command history is a simple text file, readable by all users, in plain text, and could contain administrative passwords. You can then laterally elevate a normal user command prompt to admin but using a run as command using the password from PowerShell history.
 
Back
Top Bottom