As you can see, this is a composite question based on a scenario I hear from time to time.
A relative or acquaintance has passed away and left behind a password-protected PC containing files that are important for any number of possible reasons.
You may be able to get in. On the other hand, particularly if your late relative was security conscious, you may not.
The goal of security
To put it bluntly, the goal of good security is to prevent exactly what you’re attempting.
We all want our machine to be secure from intrusion. We want our data to be protected. We want it to be accessible only to those individuals we’ve authorized to have access. When it comes to computers, there’s usually only one authorized user: ourselves.
That your intent is pure makes no difference to security or the technology used to implement it. It’s completely intent-agnostic: a break-in is a break-in.
And let’s be very clear: you’re trying to break in.
Before you start
You know I’m going to say this, so let’s get it out of the way: back up first, if you can.
In this case, though, you’ll need to back up a little differently than normal, since you can’t log in to the machine.
If you can, boot the computer from the rescue or emergency disc created by a backup tool like Macrium Reflect or EaseUS Todo. You’ll probably need to make that disc (or USB stick) on a different computer, but that’s OK. Once you boot from that media, you’ll be taken to the backup software, where you can create a backup image of the computer’s hard disk.
Save that image somewhere.
There are two things that could prevent you from being able to do this: a UEFI configuration that prevents booting from anything other than the internal hard drive, or an encrypted hard drive. If either is the case, all I can recommend is that you proceed with caution, as you’ll be proceeding without a net; missteps could permanently destroy the very data you’re attempting to recover. (Though if the only alternative is to give up, it might be worth the risk.)
Use a Microsoft account
If the computer uses a Microsoft account to log in, that’s where I’d start, particularly if you have access to that account online, or a device on which you can read email sent to that account.
If you can receive the email sent to the Microsoft account, you should be able to reset the account password. Since that account and account password would be used to log in to the machine, presumably you would then be able to log in to it as well. Problem solved.
Several things can get in the way. The account could have two-factor authentication turned on, in which case you’ll need that second factor to change the password. Microsoft could decide that due to a change in how you’re accessing the account, you need to jump through additional hoops, such as using alternate accounts or phone numbers you may not have access to, or security questions for which you don’t know the answers. I often see this when people travel overseas, but what Microsoft is looking for to trigger this is unclear.
Resetting the administrator password
On older versions of Windows, the technique outlined in “I’ve Lost the Password to My Windows Administrator Account. How Do I Get it Back?” — using a third-party tool to reset the machine’s administrator password — might work. In order to get in, you reset that password and enable the administrator login, or possibly reset the password for the login account itself.
Once again, Windows 10 itself and the machine’s UEFI configuration may prevent this approach from working.
Don’t log in #1: remove the drive
If all you want is the data on the drive, another approach is to physically remove the drive and attach it to another system. My recommendation would be to place it into an external USB enclosure you can attach to any machine you like.
Using that other machine, then, you can explore the contents of the hard drive and extract whatever you need.
The big roadblock here would be if encryption had been used. Data encrypted via whole-drive or BitLocker methods is generally accessible only on the machine on which the data was originally encrypted. Third-party encryption tools would still require their respective passwords or phrases.
Don’t log in #2: use the backup image
If you were able to make a backup image when we began, you can “mount” that image on another machine and access it more or less as if it were the original drive, exploring the contents of the drive and extracting the information you find of value.
The same caveats apply here, though, as in the previous approach: if encryption has been used, things can get irrecoverably complicated.
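Whether encryption is in the way of either approach (the removed drive or the backup image) can be checked up front. The following Python sketch is an added example, not part of the original article: it reads the MBR or GPT partition table of a raw, sector-by-sector disk image and reports which partitions carry the BitLocker boot-sector marker "-FVE-FS-". It assumes 512-byte sectors and a raw image rather than a backup tool's own file format; the sample image is constructed for the demonstration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors
# The OEM ID field is the 8 bytes at offset 3 of a volume's boot sector.
OEM_IDS = {b"-FVE-FS-": "BitLocker", b"NTFS    ": "NTFS", b"EXFAT   ": "exFAT"}

def classify_volume(boot_sector: bytes) -> str:
    """Name the volume type from its boot sector, or 'unrecognized'."""
    return OEM_IDS.get(boot_sector[3:11], "unrecognized")

def partition_starts(image: bytes) -> list:
    """Return the starting LBA of each partition in an MBR or GPT disk image."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not a raw disk image?")
    entries = [mbr[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[4] == 0xEE for e in entries):  # protective MBR means GPT
        hdr = image[SECTOR:2 * SECTOR]
        if hdr[:8] != b"EFI PART":
            raise ValueError("protective MBR without a GPT header")
        table_lba, = struct.unpack_from("<Q", hdr, 72)
        count, size = struct.unpack_from("<II", hdr, 80)
        starts = []
        for i in range(count):
            off = table_lba * SECTOR + i * size
            entry = image[off: off + size]
            if len(entry) == size and any(entry[:16]):  # zero type GUID = unused
                starts.append(struct.unpack_from("<Q", entry, 32)[0])
        return starts
    return [struct.unpack_from("<I", e, 8)[0] for e in entries if e[4] != 0]

def survey(image: bytes) -> dict:
    """Map each partition's starting LBA to its detected volume type."""
    return {lba: classify_volume(image[lba * SECTOR:(lba + 1) * SECTOR])
            for lba in partition_starts(image)}

def constructed_mbr_image() -> bytes:
    """Constructed sample: MBR disk with one NTFS and one BitLocker partition."""
    img = bytearray(SECTOR * 6)
    for slot, (lba, oem) in enumerate([(2, b"NTFS    "), (4, b"-FVE-FS-")]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * slot, 0, 0x07, lba, 2)
        img[lba * SECTOR + 3: lba * SECTOR + 11] = oem
    img[510:512] = b"\x55\xaa"
    return bytes(img)

if __name__ == "__main__":
    for lba, kind in survey(constructed_mbr_image()).items():
        print(f"partition at LBA {lba}: {kind}")
```

A partition reported as "unrecognized" is not proof of anything; third-party whole-volume encryption can leave no readable marker at all.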
Apply money: forensics
While not every barrier can be overcome, it’s possible that a good computer forensics and data recovery service may be able to help. Bypassing passwords, for example, might be possible, but cracking well-implemented encryption is highly unlikely.
These services are rarely cheap, however. Electing to give one a try would be an approach I’d take only after exhausting my own alternatives and deciding it was really going to be worth it.
Naturally, you have the machine you have in the state that it’s in, and it’s too late to talk about prevention for the case at hand.
But this is an opportunity to prevent this from happening to someone else. There are several approaches to allow secure emergency access to computers, equipment, and even online accounts in the event of your demise. It doesn’t even have to be demise — a protracted severe illness or injury could result in the same desire: the ability for someone else to access critically important information.
My article “What Happens When I Die?” discusses preparations to consider in more detail.