Contrary to what some third-party “download” sites claim, resetpass.bat is not a standalone executable file you download from a random forum. It is a script that is actually embedded within the Symantec Endpoint Protection installation files themselves.
When you download the full Symantec Endpoint Protection 14 installation package (an .exe or .iso), you are also downloading the resetpass.bat script as a resource. The script works by leveraging a backdoor command-line tool within SEP (smc.exe) to force a password reset on the local client.
For SEP 14.3 and newer (especially RU2+), Broadcom has deprecated resetpass.bat in favor of a more secure architecture. If the script fails or gives an "Access Denied" error:
| Error Message | Cause | Solution |
| :--- | :--- | :--- |
| Access Denied | Not running as Admin | Right-click → Run as Administrator |
| smc.exe not recognized | Wrong file path | Edit the script to point to correct install folder (e.g., C:\Program Files (x86)\...) |
| Command failed on SEP 14.3 | Syntax changed | Replace -securitypasswordreset with -p reset |
| Tamper Protection blocked | Hardware-assisted security | Boot into Safe Mode with Networking, then run script |
| The service cannot be stopped | SEP is locked by policy | Use the -f (force) flag: smc -stop -f |
Here is the most critical warning in this article: Do not download resetpass.bat from random file sharing sites, GitHub gists, or blog comment sections. Malicious actors often create fake versions of this script that contain:
If you are a licensed customer, log into the Broadcom support portal and download the "SEP Client Installer" or "SEP Tools" package. The script is included there.
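One way to check the copies on a machine against the vendor package, as an added example (not code from the original article or from Broadcom): the function below hashes every resetpass.bat found under a search root and compares it with a reference copy you extracted yourself from the portal download. The function name `Compare-ResetpassCopies` and both paths are assumptions for illustration.

```powershell
# Added example: compare every resetpass.bat found on a drive with a reference
# copy extracted from the package downloaded from the Broadcom support portal.
# The function name and all paths are placeholders (assumptions), not values from the article.
function Compare-ResetpassCopies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ReferencePath,  # trusted copy from the vendor package
        [string] $SearchRoot = 'C:\'                     # drive or folder to search
    )

    if (-not (Test-Path -LiteralPath $ReferencePath -PathType Leaf)) {
        throw "Reference copy not found: $ReferencePath"
    }
    $refFull = (Resolve-Path -LiteralPath $ReferencePath).Path
    $refHash = (Get-FileHash -LiteralPath $refFull -Algorithm SHA256).Hash

    # Unreadable folders are skipped silently; run elevated for full coverage.
    Get-ChildItem -Path $SearchRoot -Filter 'resetpass.bat' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $refFull } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path             = $_.FullName
                SHA256           = $hash
                MatchesReference = ($hash -eq $refHash)   # False means the copy differs from the vendor file
                LastWriteTime    = $_.LastWriteTime
            }
        }
}

# Placeholder paths: point -ReferencePath at the copy you extracted yourself.
Compare-ResetpassCopies -ReferencePath 'D:\vendor-package\resetpass.bat' -SearchRoot 'C:\' |
    Sort-Object MatchesReference |
    Format-Table -AutoSize -Wrap
```

A mismatch is not proof of tampering, since the script can differ between product releases; take the reference copy from the package for the same release as the installed one, and read any non-matching file before running it.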
Once you regain access, your job is not done. The default password is a massive security liability. Perform these actions immediately:
Using the utility requires local access to the server hosting the SEPM. It cannot be executed remotely without prior remote access to the OS.
| Issue | Solution |
|-------|----------|
| Access Denied when running | Run Command Prompt as Administrator. |
| resetpass.bat not found | Your SEPM is in a custom folder. Search the entire drive for resetpass.bat. |
| Script runs but password still fails | Stop the SEPM service, delete the keystore folder backup (located in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\), then rerun resetpass.bat. Be careful – only do this if you have a backup. |
| Output says "Password reset to: [blank]" | For SEP 14.3+, manually check resetpass_output.txt or try symantec as the password. |
| Database corruption error | You may need to restore from a SEPM system state backup, as the password table is damaged. |