
We all know that reusing passwords is a bad idea. If hackers get access to one account, they’ve got access to all of them. Even Microsoft definitively recommends using a different password for everything, but that can get difficult when you’ve got dozens of accounts across different devices and services.
At least if you forget the password for an online service you can reset it through your email, but what do you do if you forget your Windows password? There aren’t many options to fix the problem. You could try contacting Microsoft or resetting it online through a different device, but that doesn’t always work.
That’s where proactively creating a password reset disk before you need one can prevent the problem entirely. This guide walks you through all you need to know.
What is a password reset disk?
A Windows password reset disk is a recovery tool that allows users with local accounts on a Windows PC to reset their account password, without losing access to their files or needing to reinstall the operating system. It’s tied to a single local user account on a specific device and can’t be reused across multiple computers or even other accounts on the same PC.
It needs to be created before a password is forgotten and remains valid even if the password changes later. It has worked much the same from Windows 7 through Windows 11, but Microsoft is gradually encouraging passwordless methods like Windows Hello and Microsoft Authenticator, reducing the long-term importance of reset disks.
All Windows 11 editions (Home, Pro, Enterprise, and Education) that support local user accounts still include the option to create a Password Reset Disk using a USB flash drive.
» Here’s how to delete user profiles in Windows
How does a password reset disk work?
A password reset disk is a USB flash drive (or, in older versions of Windows, a floppy disk) that stores a single hidden file named userkey.psw. This is an encrypted key derived from the account’s local Security Identifier (SID), which is unique to that user on that system. The file does not contain the actual password but a cryptographic hash and key pair that allows Windows to reset the password securely without revealing the old one.
During use, Windows verifies the disk’s authenticity by matching the SID and encryption metadata embedded in userkey.psw with the corresponding local account stored in the Security Accounts Manager (SAM) database. If they align, the Password Reset Wizard grants permission to set a new password.
Since SIDs differ between systems, attempting to use the disk on another device will fail. Likewise, it doesn’t work for Microsoft, domain, or Azure AD accounts, since those credentials are managed centrally rather than locally.
If a new local account is created or Windows is reinstalled, a new reset disk must also be created. This strict one-to-one binding enhances security by preventing password recovery across unauthorized systems.
How to create a password reset disk in Windows
Only standard or administrative users with a local account can create a password reset disk in Windows. The feature is available through the User Accounts Control Panel and requires access to the account at the time of creation.
However, it can’t be created for:
- Microsoft accounts: These use cloud-based password recovery via account.live.com.
- Domain (Active Directory) accounts: Password resets are handled by domain administrators through centralized management tools.
When you’re ready to create your password reset disk, follow these steps:
1. Insert a USB drive or floppy disk (if you’re on an older system that supports floppy disks)
2. Open Control Panel through the Windows search box
3. Navigate to User Accounts
4. Click “Create a password reset disk”
5. When the Forgotten Password Wizard launches, click Next
6. Select your drive (USB or floppy disk), then enter your current account password
7. The wizard creates a file named userkey.psw on the drive
8. Click “Finish” once the process is complete
Note: If the option to create a password reset disk isn’t shown, your Windows account is linked to a Microsoft account, and the feature is not available for it. In that case, to regain access to an account whose password you’ve forgotten, you’ll have to use one of the alternative recovery methods described next.
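The eligibility rules above (local account only, no Microsoft or domain account, one userkey.psw per drive) can be checked from PowerShell before you try the wizard. This is an added example, not code from the original article: the function name is this example’s own, and it relies only on the built-in Get-LocalUser and Win32_LogicalDisk queries.

```powershell
# Added example (not from the original article): report whether the signed-in
# account can use a password reset disk and whether a removable drive already holds one.
function Get-ResetDiskEligibility {
    $user     = $env:USERNAME
    $computer = $env:COMPUTERNAME

    # A machine-local sign-in shows the computer name in USERDOMAIN; an Azure AD
    # sign-in shows "AzureAD"; anything else is an Active Directory domain.
    $source = switch ($env:USERDOMAIN) {
        $computer { 'Local' }          # refined below via PrincipalSource
        'AzureAD' { 'AzureAD' }
        default   { 'Domain' }
    }

    $localAccount = $null
    if ($source -eq 'Local') {
        # PrincipalSource tells a plain local account (Local) apart from one
        # linked to a Microsoft account (MicrosoftAccount).
        $localAccount = Get-LocalUser -Name $user -ErrorAction SilentlyContinue
        if ($localAccount) { $source = "$($localAccount.PrincipalSource)" }
    }

    # Removable drives (DriveType 2) are where the wizard writes userkey.psw.
    # The file is hidden, so Get-Item needs -Force to see it.
    $drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $path = Join-Path "$($_.DeviceID)\" 'userkey.psw'
        [pscustomobject]@{
            Drive       = $_.DeviceID
            HasResetKey = [bool](Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue)
        }
    }

    $sid = if ($localAccount) { $localAccount.SID.Value }
           else { [Security.Principal.WindowsIdentity]::GetCurrent().User.Value }

    [pscustomobject]@{
        User               = "$env:USERDOMAIN\$user"
        SID                = $sid
        PrincipalSource    = $source
        # Only a plain local account can create or use a reset disk.
        ResetDiskSupported = ($source -eq 'Local')
        RemovableDrives    = $drives
    }
}

Get-ResetDiskEligibility | Format-List
```

Because the disk is bound to the SID shown in the output, a `HasResetKey = True` drive made for another account or another PC will still be refused by the wizard.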
Alternative recovery methods
Since password reset disks are not supported for Microsoft accounts, recovery relies on cloud-based authentication and identity verification. Users can reset their credentials through Microsoft’s online recovery portal at account.live.com:
- Two-step verification: Microsoft sends a security code to your registered email address, to your phone number via SMS, or to the Microsoft Authenticator app installed on your mobile device. This is the most common and secure recovery method for Microsoft accounts.
- Security questions or backup codes: If you configured additional security during account setup, Microsoft may prompt you to answer pre-set security questions (like “What was your first pet’s name?”).
- Windows Hello or PIN reset: Microsoft is pushing Windows Hello (fingerprint, facial recognition, or PIN) on modern devices for stronger security. If Windows Hello is set up, you can sign in to the device with your biometric data (fingerprint or facial recognition, if your PC supports it) or your PIN instead of the Microsoft account password. Once you’re in, you can reset your password from within Windows Settings.
» Looking for an alternative? Here are the best password managers for enterprises
In domain or enterprise environments
In domain or enterprise IT environments using Active Directory (AD), password reset disks are replaced by centrally managed recovery tools that provide secure credential management. Instead of local recovery files, domain controllers store and validate user credentials across the network:
- Active Directory Users and Computers (ADUC): IT administrators open the ADUC management console (typically accessed from a domain controller or administrative workstation), navigate to the organizational unit containing the user’s account, right-click the user’s name, and select “Reset Password.” This allows admins to immediately create a temporary password for the user, forcing them to change it at next login.
- Self-Service Password Reset (SSPR): Organizations can deploy a secure web portal (often integrated with Azure AD/Entra ID) that allows end users to reset their own domain passwords without IT intervention. Users navigate to the portal, verify their identity through pre-configured methods (email, SMS, security questions, or authenticator app), and create a new password.
- Credential Recovery Policies: IT administrators configure automated password policies through Group Policy Objects (GPO) that define password complexity requirements, expiration rules, and account lockout thresholds. Microsoft Identity Manager (MIM) can be deployed to provide advanced identity governance, including automated password synchronization across multiple systems and self-service password reset workflows with approval chains for sensitive accounts.
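The ADUC “Reset Password” step above has a scripted equivalent in the ActiveDirectory RSAT module, which is how a help desk typically automates it and ties it to the GPO password policy. This is an added example and not Atera’s code or the article’s: the function names and the sample user `jdoe` are this example’s own, and it assumes you run it as an account permitted to reset passwords in the target OU.

```powershell
# Added example (not from the original article): administrative reset of a domain
# user's password, forcing a change at next logon, as ADUC's "Reset Password" does.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Draw from all four character classes so a typical complexity policy is met;
    # randomness comes from a CSPRNG rather than Get-Random.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $order = New-Object byte[] $Length
    $rng.GetBytes($bytes); $rng.GetBytes($order)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $set = $classes[$i % $classes.Count]          # at least one char of each class
        $set[$bytes[$i] % $set.Length]
    }
    # Shuffle so the class of a character is not predictable from its position.
    $idx = 0..($Length - 1) | Sort-Object { $order[$_] }
    -join ($idx | ForEach-Object { $chars[$_] })
}

function Reset-DomainUserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -Reset sets the password administratively; the old password is not needed.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Make the help-desk-known value short-lived and clear any lockout caused by
    # the failed sign-in attempts that usually precede a reset request.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    return $plain   # hand to the user through a verified out-of-band channel
}

# The GPO-defined policy the temporary password has to satisfy.
Get-ADDefaultDomainPasswordPolicy | Select-Object ComplexityEnabled, MinPasswordLength, LockoutThreshold

# Sample user 'jdoe' is a placeholder for this example.
Reset-DomainUserPassword -SamAccountName 'jdoe'
```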
Atera’s Robin streamlines the entire process through autonomous password management, interacting directly with the end user to help them follow a secure, streamlined password reset process. This autonomous service desk cuts through 40% of the IT workload and tier-1 tickets so that IT admins can focus on real problems.
For organizations using Active Directory or Azure AD, Atera’s RMM platform integrates seamlessly with existing Group Policy configurations, allowing IT administrators to maintain centralized password policies, complexity requirements, and lockout thresholds while Autopilot handles the user-facing recovery process.
» Learn more about group policy management with Atera
Modern IT teams are ditching password reset disks
Password reset disks remain a functional recovery option for Windows local accounts, but their limitations (single-device binding, physical storage requirements, and incompatibility with Microsoft or domain accounts) make them impractical for modern IT environments. As organizations increasingly adopt cloud-based identity management, centralized authentication, and passwordless solutions like Windows Hello and Azure AD, the need for physical reset media continues to decline.
For IT teams managing multiple users and devices, traditional password recovery methods create unnecessary friction, generate excessive help desk tickets, and divert technical resources from strategic initiatives. Atera’s Autonomous IT platform addresses these challenges head-on. Robin resolves up to 40% of IT workload without human intervention, including password resets. Combined with Atera’s all-in-one RMM and AI ticketing system, IT teams gain centralized visibility into authentication issues, automated policy enforcement, and seamless integration with Active Directory and Azure AD environments.
» Interested? Try Atera for free