Remotely start VNC server on computer with no Admin password


Solution 1

Note that you cannot connect to the remote computer using an empty password via SMB or RPC unless it is Windows XP Home Edition or Windows 2000. All newer Windows versions will require a non-empty password for any account trying to log on either through SMB, RPC or even RDP by default. A VNC login is somewhat of an exception as it is regarded a "local console logon" by the system and thus circumvents the "no empty passwords for non-console logons" policy.

So unless you can come up with an account which has a password and is able to do administrative tasks, you are somewhat out of luck.

On the other hand, if you happen to have a password-protected administrative account, you have a multitude of options:

  • using sc.exe, shutdown.exe or accessing the remote scheduled tasks via the MMC snapin and creating and running a task with the commands of your choice in the security context of NT AUTHORITY\SYSTEM
  • using psexec, psshutdown or psservice
  • using regedit to enable remote desktop by setting fDenyTSConnections

If the host happens to be part of a domain, you also could do some wizardry in terms of enabling stuff, changing firewall settings or even setting up a scheduled task with Group Policy Preferences.

Solution 2

If remote access via RDP is not available, you can try to restart the machine remotely (from the adjacent computer on the network) via:

shutdown /m \\<name of computer here> /r

You need to be in a cmd prompt where you have either domain/local credentials that have rights on that computer which you wish to shutdown.

Solution 3

If you get access denied error when trying to restart with Windows' shutdown command, you can use PsShutdown (a part of Windows SysInternals). Download from

Once you download and extract, from command line enter:

psshutdown \\\ComputerName -r -u userName -p password

Solution 4

You can try to connect to the computer using Remote Desktop.

  • VNC to the workstation that is in the same network as the one you are trying to access.
  • Click Start -> Run and type in mstsc.exe
  • In the Computer field type in the IP address of the machine or the network name and click connect.
  • You will be prompted for your username and password (this is your windows login to that machine)

If you are able to login then you can restart using shutdown /r from the command line, after making sure that VNC server will run at startup.

hope this helps.

Solution 5

Not sure if "The computer has no password on the Admin account" refers to the local [Windows] Administrator account. If it does, I'd be interested to know if RPC is working. To do this:

net use \\<IP_Address_Of_Server>\ipc$ "" /user:<IP_Address_Of_Server>\administrator

If this comes back with "Access Denied", it would suggest that the Administrator account does indeed have a password.

Long story short, your route into the server is either going to be through some form of remote access (RDP, VNC), or via RPC. Of course, you could resort to using offensive security techniques (i.e.: try to identify a vulnerability that hasn't been patched that gives a root administrator shell).

If you do ever gain physical access, there's plenty of other possibilities to gain access, even if you don't know the administrator password...


Related videos on Youtube

Joe M.
Author by

Joe M.

Updated on September 18, 2022


  • Joe M.
    Joe M. almost 2 years

    I'm trying to remotely access a particular computer of mine and it seems that VNC has stopped. I can tell that the computer is still running because I can VNC into another machine on the same network and can see my target machine under the Network section in Windows Explorer and can also ping it succesfully.

    To summarize:

    • I own the target computer
    • I am currently too far to physically access it
    • Remote Desktop Connection feature of Windows is not enabled
    • The computer normally runs a VNC server, but it seems to have stopped
    • The computer is definitely on and connected to the network
    • The computer has no password on the Admin account
    • I can VNC into other computers on the same LAN

    Given these conditions how can I get into the target to open VNC server, or even just reboot the target (VNC should open on startup)?

    I have tried PsExec and get "access is denied", and also tried "Connect to another computer.." from the Computer Management console and also get "access is denied".

  • Joe M.
    Joe M. about 10 years
    Thanks for the suggestion.. I tried that but got an error message. I don't believe Remote Desktop was ever enabled on the target.. I only installed the VNC server.
  • Joe M.
    Joe M. about 10 years
    Thanks for your suggestion! I tried it first using the exact text you provided (but with the IP address inserted), and I got: "Logon failure: account currently disabled". I tried again replacing "administrator" with the name of the active admin account, and I got this message: "Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced".
  • Joe M.
    Joe M. about 10 years
    Thanks for the suggestion. Tried it and got "Access is denied.(5)". I don't suppose there is any way to specify the user name with that command?
  • Joe M.
    Joe M. about 10 years
    Thanks! Since the account has no password, I tried this without the "-p password" and still got Access Denied, then I tried it with only the "-p" and no password, and I got an invalid syntax message.
  • Joe M.
    Joe M. about 10 years
    Thanks for all the suggestions. Got "access denied" on the shutdown and sysinternals commands. Not sure what you meant about regedit? On the target machine? I can't access that at this time. But it looks like this is going to be the right answer mainly because no admin password is apparently bad news. Who would have thought not having a password would make it harder to get in to a machine? I should be able to have someone get physical access eventually but still locked out for now...
  • Get-HomeByFiveOClock
    Get-HomeByFiveOClock about 10 years
    runas /user:<domain>\<adminuser> cmd.exe shutdown /m \\<name of computer here> /r
  • Get-HomeByFiveOClock
    Get-HomeByFiveOClock about 10 years
    notes: you will need the name of a user on the remote computer who has the correct privileges, and you will be prompted to enter the password.