What you will need:
1. Physical access to the computer (logging on is not necessary).
2. Backtrack 5r3 live CD or USB, or any other Linux live distro.
3. About 10-15 minutes.
1- Boot the target PC from your Backtrack disc or flash drive, and proceed to the desktop.
2- Open the file browser and navigate to the \windows\system32 folder on the PC's hard drive.
3- Find the file named sethc.exe and rename it to sethc.exe.old.
4- Then find cmd.exe in the same folder and rename it to sethc.exe.
5- Log off Backtrack and shut down. Reboot the target computer normally into Windows.
6- At the login screen, press Shift five times; a command prompt window with elevated privileges will open.
7- At the command prompt, type “net user” (without quotes) to view a list of accounts on the machine.
8- You now have some choices, depending on what you are trying to accomplish. You can enable the hidden (in Windows 7 and 8) Administrator account, or you can choose an existing account. If you choose an existing account, be aware that changing or removing its password will be noticed by that user the next time they log in and find that their password is different. If that will be a problem, use the Administrator account instead; you can then browse their folders and files.
9- Once you have decided which account you want, type “net user [acct name]” (without quotes or brackets).
10- Then type “net user [acct name] [new password]” (no quotes, no brackets).
11- If you are enabling the Administrator account, type “net user Administrator /active:yes”.
The cmd window will close. Reboot the computer, then at the logon screen choose the account you want and enter the password you chose.
After gaining access, you can create a new account if you want, then shut down.
Now boot into Backtrack one last time. Using the file manager, browse to \windows\system32 and rename the files from before back to their original names (sethc.exe back to cmd.exe, and sethc.exe.old back to sethc.exe).
Shut down Backtrack and you're done.
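From the defender's side, the rename procedure above leaves two artifacts on disk that are easy to check for: a sethc.exe whose contents are byte-identical to cmd.exe, and, if the final restore step was skipped, a leftover sethc.exe.old. The script below is an added example and is not part of the original page; it takes the path of a system32 folder (so it can be pointed at a mounted offline image) and reports both artifacts. The `build_sample` helper creates a constructed stand-in directory with placeholder bytes, not real Windows binaries, so the check can be run anywhere.

```python
"""Detect a swapped Sticky Keys helper (sethc.exe) in a Windows system32 folder.

Added example for this page, not code from the original. The checker works on
any directory path, so it runs against a mounted image or the constructed
sample below; it never touches the live system32 unless you point it there.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed for large binaries."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sethc(system32: Path) -> list[str]:
    """Return findings describing evidence of the sethc.exe / cmd.exe swap.

    The checks match the artifacts the rename procedure leaves behind:
      1. sethc.exe hashes identically to cmd.exe (the helper *is* a shell).
      2. sethc.exe.old exists (the original helper parked for later restore).
      3. sethc.exe is missing altogether (rename done, replacement not put in place).
    An empty list means none of these artifacts is present.
    """
    findings: list[str] = []
    sethc = system32 / "sethc.exe"
    cmd = system32 / "cmd.exe"
    backup = system32 / "sethc.exe.old"

    if sethc.is_file() and cmd.is_file() and sha256_of(sethc) == sha256_of(cmd):
        findings.append("sethc.exe is byte-identical to cmd.exe (helper replaced by a shell)")
    if backup.is_file():
        findings.append("sethc.exe.old present (renamed original helper left behind)")
    if not sethc.is_file():
        findings.append("sethc.exe missing from system32")
    return findings


def build_sample(tampered: bool) -> Path:
    """Create a constructed stand-in for system32 (placeholder bytes, not real PE files)."""
    d = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    (d / "cmd.exe").write_bytes(b"MZ constructed cmd.exe")
    if tampered:
        # Mirror the procedure: original helper saved as .old, cmd.exe copied in as sethc.exe.
        (d / "sethc.exe.old").write_bytes(b"MZ constructed sethc.exe")
        (d / "sethc.exe").write_bytes(b"MZ constructed cmd.exe")
    else:
        (d / "sethc.exe").write_bytes(b"MZ constructed sethc.exe")
    return d


if __name__ == "__main__":
    for tampered in (False, True):
        result = check_sethc(build_sample(tampered))
        print("tampered" if tampered else "clean", "->", result or ["no findings"])
```

On a live host the hash comparison is a weak substitute for verifying sethc.exe against its known-good signed version, so treat a match with cmd.exe as a definite finding and a non-match as "not this particular swap" rather than "clean". The precondition for the whole procedure is that the system volume can be read and written from a live CD, which is exactly what full-disk encryption such as BitLocker prevents; an encrypted system volume removes the attack path this page describes rather than merely detecting it afterwards.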