
I have a situation where a friend purchased a computer from a local PC shop, and seemingly they just wrote cloned images of a hard disk to all their PCs. The Windows install seems like it was preconfigured to log into Windows as an admin called "admin", with an unknown password. At the time I was unaware of the setup and I made a power user account for other purposes. This appears to have turned off the "auto log in as admin", and now we're a bit stuck because the only password known is the power user one (and the PC shop has since closed/gone).

I have, however, been able to get said friend to put the drive into another one of their PCs that is still accessible, and I successfully replaced utilman.exe with cmd.exe.

Alas, they report that even though they're clicking the Ease of Access icon on the login screen, nothing appears (not even the genuine Ease of Access Center; I did wonder if Defender would have swapped it back).

Assuming the computer is as up to date as Windows 10 can be, has this route of gaining admin access to a PC been closed? What options remain for me (who can remotely instruct someone capable enough to swap a hard disk over, but not necessarily particularly Windows software savvy) to try, of a similar ilk?

1 Answer


In relation to the specific question of "does this hack still work", my answer is "I don't know". I suspect the answer is "maybe, if you can get to them fast enough that Windows Defender won't have undone the workaround"...

...but it's quite a bit more hassle than the technique I posted to the "What can I do if I forgot my Windows password?" thread Moab linked, using a blend of the advice given by Ramhound.

The short version is: I mounted the drive with the forgotten password in another machine, used a hex editor on the registry SAM file to search for an occurrence of the bytes F4 01 with an odd number in the tens 6 bytes after it (mine was 15, often it's 11; it depends which flags out of "account is disabled", "user cannot change password", "password never expires" etc. are enabled on the account), and set the odd number even by subtracting one from it. This removed the "account is disabled" flag from the built-in admin account, and I was able to remount the drive in the first machine, then use the enabled passwordless Admin account to set a password for the forgotten user and disable the Admin account again.

All in, for me, hex editing the SAM file (location: c:\windows\system32\config) was quicker/easier than using a Live CD etc. because of the personnel/remote constraints I had!
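The hex edit the answer describes, written out as an added example (this is not the poster's code or any project's code; it is included here to make the step concrete). It assumes the layout the answer gives: the built-in Administrator's RID 500 appears as the little-endian bytes F4 01 00 00, and the account-control flags byte sits 6 bytes after that F4 01 pair, with its lowest bit meaning "account is disabled" (ACB_DISABLED, 0x0001) and bit 0x10 marking a normal user account. The function names and the sample hive fragment are constructed for the demonstration. It is meant to be run against a copy of the offline SAM taken from the mounted drive, never against the hive of the running system, and it refuses to patch when the RID matches ambiguously rather than guess which bytes to change.

```python
"""Clear (or set) the "account is disabled" bit of one SAM account in place.

Added example, not from the original post. Offsets and flag meanings are
assumptions taken from the answer above (RID bytes F4 01, flags byte 6 bytes
after the pair); the sample bytes below are constructed, not a real SAM.
"""
import struct
import sys

ACB_DISABLED = 0x0001          # bit 0: "account is disabled"
ACB_NORMAL = 0x0010            # bit 4: normal user account
FLAGS_AFTER_RID = 8            # the 2 bytes of "F4 01" + the 6 bytes the answer skips


def find_flags_offset(data: bytes, rid: int = 500) -> int:
    """Offset of the low ACB flags byte for `rid`, or ValueError.

    A bare 2-byte search for F4 01 can also hit timestamps or other fields, so
    the full 4-byte little-endian RID is matched and the candidate flags byte
    must carry ACB_NORMAL. Multiple plausible hits are refused, not guessed.
    """
    needle = struct.pack("<I", rid)
    hits = []
    pos = data.find(needle)
    while pos != -1:
        off = pos + FLAGS_AFTER_RID
        if off < len(data) and data[off] & ACB_NORMAL:
            hits.append(off)
        pos = data.find(needle, pos + 1)
    if not hits:
        raise ValueError(f"RID {rid} not found")
    if len(hits) > 1:
        raise ValueError(f"RID {rid} matched {len(hits)} times; refusing to guess")
    return hits[0]


def set_disabled(data: bytes, rid: int, disabled: bool) -> bytes:
    """Return a copy of `data` with the disabled bit for `rid` set or cleared.

    Exactly one bit changes and the file length never does, so nothing else
    in the hive shifts; that is what makes the hex-edit approach workable.
    """
    off = find_flags_offset(data, rid)
    patched = bytearray(data)
    if disabled:
        patched[off] |= ACB_DISABLED
    else:
        patched[off] &= 0xFF ^ ACB_DISABLED   # the answer's "subtract one if odd"
    return bytes(patched)


def build_sample_f_value(rid: int, flags: int) -> bytes:
    """Constructed stand-in for a user's F value: RID at 0x30, flags at 0x38."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x38, flags)
    return bytes(buf)


# Constructed hive fragment (assumption, not a real SAM): a stray F4 01 00 00
# that is NOT followed by account flags (decoy), then the disabled built-in
# Administrator (flags 0x0215 = disabled | password-not-required | normal),
# then an enabled power user account (flags 0x0214).
SAMPLE_SAM = (
    b"\x00" * 16 + b"\xf4\x01" + b"\x00" * 14
    + build_sample_f_value(500, 0x0215)
    + build_sample_f_value(1001, 0x0214)
)


if __name__ == "__main__":
    # Usage: python enable_admin.py <copy of SAM> <patched output file>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        hive = f.read()
    with open(dst, "wb") as f:
        f.write(set_disabled(hive, 500, False))
    print(f"cleared ACB_DISABLED for RID 500 at offset {find_flags_offset(hive):#x}")
```

On the constructed fragment the decoy F4 01 00 00 is skipped because the byte 6 positions after it lacks the normal-account bit, the Administrator's flags byte 0x15 becomes 0x14, and the power user's bytes are untouched. Copy the patched file back over the SAM on the mounted drive only after checking the reported offset against what the hex editor shows.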