{"id":11204,"date":"2026-05-02T10:57:57","date_gmt":"2026-05-02T15:57:57","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=11204"},"modified":"2026-05-06T07:02:51","modified_gmt":"2026-05-06T12:02:51","slug":"lost-win11-hyperv-server2022-password-fix","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/lost-win11-hyperv-server2022-password-fix\/","title":{"rendered":"Lost Win11 HyperV Server2022 Password Fix"},"content":{"rendered":"<p><strong>Lost HyperV Server2022 Password Fix<\/strong><\/p>\n<p>Boot the VM and immediately hit F8 to start a new install, then 
hit Repair and open the command prompt.<\/p>\n<p>Since the VM's disk is just a volume with no drive letter, we need to assign one manually so the command prompt can \"talk\" to it.<\/p>\n<p>Follow these steps exactly in your current prompt:<\/p>\n<ol>\n<li><strong>Enter Diskpart:<\/strong> Type diskpart and hit Enter.<\/li>\n<li><strong>Assign the Letter:<\/strong> Type these commands one by one:\n<ul>\n<li>select volume 1<\/li>\n<li>assign letter=v<\/li>\n<li>exit<\/li>\n<\/ul>\n<\/li>\n<li><strong>Perform the \"Utilman\" Surgery:<\/strong> Now that the drive is mapped to V:, run the swap:\n<ul>\n<li>v:<\/li>\n<li>cd windows\\system32<\/li>\n<li>ren utilman.exe utilman.exe.bak<\/li>\n<li>copy cmd.exe utilman.exe<\/li>\n<\/ul>\n<\/li>\n<li><strong>Reboot:<\/strong> Type wpeutil reboot.<\/li>\n<\/ol>\n<p><strong>What happens next?<\/strong><\/p>\n<p>When the Server 2022 login screen appears:<\/p>\n<ol>\n<li>Click the <strong>Ease of Access<\/strong> icon (or press <strong>Win + U<\/strong>).<\/li>\n<li>A black Command Prompt window will open.<\/li>\n<li>Type: net user Administrator * \/domain<\/li>\n<li>It will ask you to type a new password. <strong>Type it twice<\/strong> (Note: you won't see any characters appear while you type\u2014this is normal).<\/li>\n<\/ol>\n<p><strong>Why this works:<\/strong> Even though it's a Domain Controller, the \"Ease of Access\" tools are launched from the login screen before anyone logs in, and they run as SYSTEM. By swapping the program, you are essentially \"tricking\" the system into giving you a SYSTEM-level command prompt with the power to override the Active Directory admin password.<\/p>\n<p>If net user says \"The command completed successfully,\" you've won! 
Use that new password to log in.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-11205\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/Server2022-Desktop.png\" alt=\"\" width=\"1361\" height=\"764\" \/><\/p>\n<p>Windows doesn't actually know you've performed \"surgery\" on its system files. As far as the OS is concerned, utilman.exe is now a program that happens to look and behave exactly like a Command Prompt. If you don't manually undo the change, your login screen will remain \"compromised\" (and slightly broken) forever.<\/p>\n<p><strong>The \"Frankenstein\" State<\/strong><\/p>\n<p>After you successfully log in with the password you set using the net user command in the hijacked prompt:<\/p>\n<ol>\n<li><strong>The Icon remains:<\/strong> The \"Ease of Access\" button on the login screen will still be there.<\/li>\n<li><strong>The Payload remains:<\/strong> If you click that button again, it won't open the Magnifier or On-Screen Keyboard; it will still pop open a <strong>System-level Command Prompt<\/strong>.<\/li>\n<li><strong>Security Risk:<\/strong> This is a massive \"backdoor.\" Anyone with physical access to your VM can now click that button and have full SYSTEM authority over your machine without needing a password.<\/li>\n<\/ol>\n<p><strong>How to \"Re-Stitch\" the OS<\/strong><\/p>\n<p>Once you are back in and have confirmed your \"Steve\" password works, you must perform the reverse surgery to get the VM back to a healthy state.<\/p>\n<p><strong>1. The Cleanup (Undo the Swap):<\/strong><br \/>\nYou usually can't do this while Windows is running normally because utilman.exe (which is actually cmd.exe) might be protected by TrustedInstaller. You often have to boot back into that <strong>Command Repair\/Recovery<\/strong> mode one last time.<\/p>\n<p><strong>2. The Commands:<\/strong><br \/>\nOnce you are back in the recovery console (where the drive is V:):<\/p>\n<ul>\n<li>v:<\/li>\n<li>cd windows\\system32<\/li>\n<li>del utilman.exe<\/li>\n<li>ren utilman.exe.bak utilman.exe<\/li>\n<\/ul>\n<p>The del command deletes the \"fake\" Utilman (which was a copy of CMD), and the ren command renames the original back to its real name.<\/p>\n<p><strong>Why we do it this way<\/strong><\/p>\n<p>In a lab environment, we use the utilman.exe trick because it's the fastest way to reset a local admin password without third-party tools. However, in a \"Production\" environment, a security auditor would flag this immediately.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Lost HyperV Server2022 Password Fix Boot the VM and immediately hit F8 to start a new install, then hit Repair and open the command prompt. Since the VM's disk is just a volume with no drive letter, we need to assign one manually so the command prompt can \"talk\" to it. Follow these steps exactly in your current <a href=\"https:\/\/stevepedwards.today\/DebianAdmin\/lost-win11-hyperv-server2022-password-fix\/\" class=\"more-link\">...<span class=\"screen-reader-text\">\u00a0 Lost Win11 HyperV Server2022 Password Fix<\/span><\/a><\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-11204","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":4,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=11204"}],"version-history":[{"count":4,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11204\/revisions"}],"predecessor-version":[{"id":11211,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11204\/revisions\/11211"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=11204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=11204"},{"tax
onomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=11204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}