BitLocker & Time-Based Policy Bypass

Assumptions:

  1. A Linux live USB is at hand.

  2. The BitLocker recovery key is known.

The BitLocker recovery key can be found on the official Microsoft account website under the machine info settings.


Here the user is not able to log on to the BitLocker-protected Windows system because the password has been forgotten.

Open the system in BIOS configuration mode and disable the Secure Boot policy if it is enforced on the system. Our HP machine was protected by the HP Secure Boot policy, so we had to disable it.

Change the default boot order of the system so that it loads the Linux live USB to boot the OS.

Select the live USB mode to start the Linux OS.

Here are the BitLocker-protected drives. Their recovery keys are known to us, so we will decrypt the drives.

Enter the recovery keys here, and the drives are decrypted.

Here is the Windows directory structure. The directory we are looking for is:

C:/Windows/System32/Config

Use the "chntpw" command to change the user settings in the Windows file system.

# If the program is not installed on your Linux system
sudo apt install chntpw

Use the following command to enumerate the users present in the file system.

COMMAND FOR HELP : chntpw -h
COMMAND : chntpw -l SAM SECURITY SYSTEM

The "SAM," "Security," and "System" files in the Windows Registry store user accounts, security settings, and hardware information, respectively. They are crucial for system functionality and security. Modifying them without proper knowledge can cause issues.

Run the command in interactive mode, as shown below, to get the options for the loaded hives.

chntpw -i SAM SECURITY SYSTEM

Select the user, in our case 'Temp', by entering the RID 3ed of the corresponding user.

Under the user edit menu, select 1 to clear the password of the corresponding username.

A prompt confirms that the user password was successfully removed.

NOTE: If in your case the issue is limited to password recovery, then you are good to go! Just restart the system normally and you will be able to log back in.

Section 2: Removing the time-based login policy of the user.


Here our account has a time-based login restriction enforced, so we have to boot the system into recovery mode.

To open recovery mode in the Windows operating system:

Press the Shift+Restart option.

The PC should then boot into this screen. Select the Troubleshoot option.

Then select Advanced options.

Select the Command Prompt option here. If the BitLocker prompt appears, select the "Skip for now" button, and boom, we get the recovery shell at X:\Windows\System32.

On selecting the drive we got an error that the drive is BitLocker protected, so we have to unlock the BitLocker protection using the following command:

manage-bde -unlock E: -RecoveryPassword "mypassword"

Yoo, we have successfully unlocked the encrypted system volume.

Use the following commands to replace the utility program on the lock screen so that it opens a command prompt on the lock screen.

1. cd Windows/System32
2. ren Utilman.exe utilman2.exe
3. copy cmd.exe Utilman.exe

We got the shell by clicking the accessibility button on the right side of the lock screen.

To list the users present on the system, use the following command:

net user

Change the password of the selected user.

net user "username" "password"
rem The next command removes the time-based restriction policy
net user "username" /times:ALL

Here we can see that the password is unlocked and the time-based logon is set to all-time access.

Log back in to the system.

We are back in the system. This is how we can remove the time-based policy and also unlock the BitLocker encryption to remove the password.
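Unless it is reverted, the Utilman.exe swap from Section 2 leaves a command prompt reachable from the lock screen. The following check is an added example, not part of the original write-up: it audits a System32 directory (for instance one mounted from the Linux live USB) for that swap. The function names and the sample directory are assumptions made for illustration, and the sample files are constructed placeholders, not real binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def find_file(directory, name):
    """Case-insensitive lookup; an NTFS volume mounted on Linux is case-sensitive."""
    for entry in Path(directory).iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_utilman(system32):
    """Return findings that show the Utilman.exe swap is still in place."""
    findings = []
    utilman = find_file(system32, "Utilman.exe")
    cmd = find_file(system32, "cmd.exe")
    if utilman is None:
        findings.append("Utilman.exe is missing")
    elif cmd is not None and sha256(utilman) == sha256(cmd):
        findings.append("Utilman.exe is byte-identical to cmd.exe")
    if find_file(system32, "utilman2.exe") is not None:
        findings.append("renamed original utilman2.exe is present")
    return findings


def build_sample(swapped):
    """Constructed stand-in for System32: placeholder bytes, not real binaries."""
    root = Path(tempfile.mkdtemp())
    (root / "cmd.exe").write_bytes(b"constructed cmd.exe image")
    if swapped:
        (root / "Utilman.exe").write_bytes(b"constructed cmd.exe image")
        (root / "utilman2.exe").write_bytes(b"constructed Utilman.exe image")
    else:
        (root / "Utilman.exe").write_bytes(b"constructed Utilman.exe image")
    return root


if __name__ == "__main__":
    for swapped in (False, True):
        print("swapped" if swapped else "clean", audit_utilman(build_sample(swapped)))
```

An empty result means neither indicator was found. Any finding means the original Utilman.exe should be restored before the machine goes back into use.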

