Windows NT/2K/XP/2K3 Password Recovery

KB ID 0000095 Dtd 10/11/09

Problem

Disclaimer:
This information is designed to help people who are locked out of their own PCs and not for Hacker Wannabes with the IQ of a haddock. Information is not inherently dangerous, just some people are. If you want to break things and be a general pain in the ass, sod off to ASTALAVISTA and leave the grown-ups alone.

Pete Long 16/05/04

Generally, if people are reading this they have lost or forgotten their administrator password. The more technically astute of you will baulk at this, as you know the importance of this password; the simple fact is most people don't, and by the time they need it, it's on a long-lost Post-it note. Similarly, if you buy a second-hand PC from eBay, for example, the seller will not always furnish you with the admin password. This can be resolved by wiping the hard drive and simply re-installing Windows from scratch, but the chances are there will be information you need to save off the PC, and you are stuck in a catch-22 situation.

OK, so how do you get into the system? Well, in truth there are a myriad of ways into a PC, providing you are at the keyboard.

Solution

STEP 1

To be honest, the simplest solution is the one most overlooked: is the password set to blank? Try just pressing Enter and not putting in a password. Most people use one password for everything (though this is not very secure 🙂), so use the password you would normally use, and remember Windows passwords are CaSe SEnsitiVe, so try capitalising the first letter, for example.

STEP 2

Well, if Step 1 didn't help you now have a choice. If you're on a network with a DOMAIN you can gain access by using a domain administrator's account, or if you can get in with YOUR username, click Start > Run > lusrmgr.msc {Enter}, right-click the Administrator account and see if YOU have rights to change the password. OR you can simply wipe and rebuild the system; if that's not an option and you simply HAVE TO get into the system, then proceed to STEP 3.

STEP 3

OK, more choices. The simplest solution is to change the admin password using some third-party software; this will let you in with administrative access and is pretty simple to do. There are a ton of applications to do this; I'll demonstrate the one I usually use, and provide links to other tools at the end. There's also another option, which is to change the way Windows starts to simply bypass the login completely; this is a little more complex to do but I'll run through that as well. For some of you that may not be a solution: there may be a reason that you simply need the existing password. This is considerably more complex and can only be done in one way, which involves extracting the stored password hashes and using software to crack them. (This will cost you money.)

Changing the Existing Password

Let's be honest, this is what 99.9% of you will want to do. You will also need to do this on another PC that has internet access, to download the files and create the boot floppy disk you require. As I've already said, there are a lot of tools available to you; the one I use is free and can be downloaded from the following URL:

http://home.eunet.no/~pnordahl/ntpasswd/

NOTE: If you have encrypted files (EFS) under the Administrator account, then these files will be unavailable to you after carrying this out. (If you're now wondering whether you have, the fact you're wondering usually indicates you don't 🙂)

From the zip file, select all the files and "EXTRACT" them to your hard drive.

Now you have extracted the files, you need to use them to create the boot floppy you require. Put a blank floppy disk in the floppy drive (warning: all files on this disk will be wiped, so ensure there's nothing important on it).

Now either open Windows Explorer or double-click "My Computer" and navigate to your C: drive. You are looking for a file called "install.bat" (NB on your system it may just look like "install", depending on whether file extensions are hidden). When you locate the file, double-click it to run it.

The setup program will run and ask you which drive you want to create the boot image on. Press a, then press {Enter}. It will ask you to put a clean floppy in the drive and press {Enter}.

The setup program will chug along and create the floppy for you. You will know it's finished when it displays its completion message; just press any key to exit.

Well, that's your tool created; it's time to take it to the offending machine. For it to work, the offending machine will need its boot order set so that it boots from floppy BEFORE the hard drive. For the majority of you it will be set up this way; if it won't launch the floppy disk when you boot the PC, chances are this is the problem. To rectify it you need to enter the PC's BIOS settings and change the boot order, putting the floppy (or A: drive) first. This procedure is slightly different depending on your PC manufacturer and the BIOS itself. When your PC first boots it usually tells you how to enter the BIOS, typically by saying "Press <key> to enter setup", where <key> is usually F1, F2, F10, Esc, Delete or another key or combination of keystrokes. When you get into the BIOS, navigate through the screens until you see the boot order and move floppy (or A: drive) to the top of the list.

When the PC boots, a lot of info will flash up on the screen; it's just loading a bit of Linux, don't panic. When it settles down it asks you where Windows is (it's talking in UNIX speak, don't worry). You probably only have one operating system; if you're clever enough to multiboot (have multiple operating systems on one PC) then I'll assume you're clever enough to locate the partition you are looking for. For the rest of you, just press {Enter}.

It now asks "Where is the registry?" but it displays the default location, so just press {Enter}.

Now you want to use a thing called the SAM; don't panic, just press {Enter}.

The Administrator is just a user, so you need to accept the default choice of "Edit user data and passwords" by pressing {Enter}.

The software selects the Administrator by default; if it's another user you're after you can type its username (they are all listed above to help you), but we want the Administrator, so just hit {Enter}.

You can now either type in a new password, or simply type an asterisk (this sets a blank password). You will be asked to confirm; do so by pressing Y then {Enter}. All being well you will get a "Changed!" message on the screen and it will ask if there is another user you want to change the password for. Press ! {Enter} to return to the main menu, then press q {Enter}. You now need to COMMIT the changes: press Y then {Enter}. After doing some work it will say
***** EDIT COMPLETE ******, then press n {Enter}. Now remove the floppy and press Ctrl+Alt+Delete to reboot.

When Windows reboots it will run its built-in disk checking program "Chkdsk". DON'T interrupt it, just let it do its own thing; after a while Windows will boot normally and you can log in with the new password. (NB: Windows XP users, if you don't see the Administrator account listed on the welcome screen, press Ctrl+Alt+Delete TWICE to get a standard login screen.)

I DON'T HAVE A FLOPPY DRIVE!!!!

No problem, there are CD-based boot utilities that will do the same job 🙂

EBCD - Emergency Boot CD

"change password of any user, including administrator of Windows NT/2000/XP OS. You do not need to know the old password."

Change the Way Windows Starts

Note: This will not work on Windows Server 2003.

If you turn your PC on it will eventually get to the logon screen; if you do nothing, a screensaver will launch. This screensaver is called LOGON.SCR. All very well and good, you say, but what use is that? Well, if you replace LOGON.SCR with the Windows command line program (cmd.exe), it will launch a command line window instead, and not just any command line window: you are then typing commands with SYSTEM rights (this is higher than Administrator).

So how is that done? Well, it depends on your setup. If you have formatted the machine as FAT32 you are in luck: simply download a boot disk, boot from it, and change the files as follows.

For Windows 2000:

copy c:\winnt\system32\logon.scr c:\winnt\system32\logon.bak {Enter}
del c:\winnt\system32\logon.scr {Enter}
copy c:\winnt\system32\cmd.exe c:\winnt\system32\cmd.bak {Enter}
ren c:\winnt\system32\cmd.exe logon.scr {Enter}

For Windows XP:

copy c:\windows\system32\logon.scr c:\windows\system32\logon.bak {Enter}
del c:\windows\system32\logon.scr {Enter}
copy c:\windows\system32\cmd.exe c:\windows\system32\cmd.bak {Enter}
ren c:\windows\system32\cmd.exe logon.scr {Enter}

Then reboot. When the system reboots, go and have a coffee; when you see the command window, type:

net user administrator password {Enter}

The password will now be set to "password". Reboot, then change logon.bak back to logon.scr and cmd.bak back to cmd.exe.

However, most people will have their machines formatted as NTFS, which, being more secure, cannot be changed from a DOS boot disk unless it's a boot disk with NTFSPro on it (WARNING: THIS IS NOT FREE). Or simply remove the hard drive and place it in another (working) PC, then use Windows Explorer to back up the logon.scr and cmd.exe files (change their extensions to .bak) and rename cmd.exe to logon.scr. Put it back in your PC and away you go.
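A defensive check, added here as an example (it is not from the original article or from any tool it links to), that audits a system32 directory for the swap just described: a logon.scr that is byte-identical to cmd.exe, plus the logon.bak and cmd.bak copies the procedure leaves behind. The function names and the constructed sample directory are assumptions made for the demo; point audit_logon_scr at a real system32 path, live or on a drive mounted in another PC, to check it.

```python
import hashlib
import tempfile
from pathlib import Path

# Helper names (audit_logon_scr, build_sample) are assumptions for this demo,
# not part of the original article or of any tool it references.

def sha256_of(path):
    # Hash in chunks so large system32 binaries need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_logon_scr(system32):
    """Check a system32 directory (live, or an offline copy of the drive mounted
    elsewhere) for the LOGON.SCR / cmd.exe swap described above.
    Returns a list of findings; an empty list means nothing looked wrong."""
    system32 = Path(system32)
    findings = []
    scr = system32 / "logon.scr"
    cmd = system32 / "cmd.exe"
    if not scr.is_file():
        findings.append("logon.scr missing from system32")
    elif cmd.is_file() and sha256_of(scr) == sha256_of(cmd):
        # The swap leaves logon.scr byte-for-byte identical to cmd.exe.
        findings.append("logon.scr is byte-identical to cmd.exe")
    # The procedure also leaves its backup copies behind.
    for leftover in ("logon.bak", "cmd.bak"):
        if (system32 / leftover).exists():
            findings.append(f"{leftover} present (backup left by a swap)")
    return findings

def build_sample(tampered):
    """Build a constructed stand-in for system32 in a temp dir, for offline demo.
    The files carry only an MZ signature plus a marker; they are not real binaries."""
    d = Path(tempfile.mkdtemp())
    cmd_bytes = b"MZ" + b"\x00" * 62 + b"constructed stand-in for cmd.exe"
    scr_bytes = b"MZ" + b"\x00" * 62 + b"constructed stand-in for logon.scr"
    (d / "cmd.exe").write_bytes(cmd_bytes)
    if tampered:
        (d / "logon.scr").write_bytes(cmd_bytes)  # cmd.exe renamed over the screensaver
        (d / "logon.bak").write_bytes(scr_bytes)  # original screensaver kept as .bak
        (d / "cmd.bak").write_bytes(cmd_bytes)    # original cmd.exe kept as .bak
    else:
        (d / "logon.scr").write_bytes(scr_bytes)
    return d
```

On a case-sensitive mount of an NTFS volume the file names must match exactly as they appear on the disk.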

WARNING: THE FOLLOWING COSTS MONEY 🙁

If you have got this far down the page and you're not in yet, then we are going to have to break the habit of a lifetime (and the spirit of this site) and spend some cash. Basically, the most drastic (and time-consuming) method involves copying the entire list of encrypted passwords off the inaccessible machine and cracking them.

Your encrypted passwords are held in two locations: the first is called the SAM (Security Account Manager) and the second is the PC's registry.

The files you need live in the following locations:

Windows XP: C:\WINDOWS\system32\config\SAM and C:\WINDOWS\system32\config\SYSTEM

Windows 2000: C:\WINNT\system32\config\SAM and C:\WINNT\system32\config\SYSTEM

NOTE: The SYSTEM file is too big to fit on a floppy; if you are using floppies you will need a DOS compression utility like RAR to compress it.

OK, I've detailed above how to get at files on a system you don't have access to. I'd recommend putting the drive in another PC and just copying them out. If you want a FREE alternative, download Knoppix (this is Linux that runs from a CD; boot with it and extract the files straight from the affected system).

Now you have extracted the two files, you need to extract the passwords. This takes specialist software; the most famous is L0phtCrack from @stake, but at the time of writing it's nearly $600. Another choice is Proactive Windows Explorer from Elcomsoft, which is half the price.

Related Articles, References, Credits, or External Links

Offline Password Changers (NOT FREE)

Sunbelt ($70)

ERD Commander 2005 (the Rolls Royce of password changers: $149 workstation, $299 server)

Windows XP/2000/NT Key ($195)

Info

How to Log On to Windows XP If You Forget Your Password or Your Password Expires
http://support.microsoft.com/default.aspx?scid=kb;en-us;321305

Author: Migrated
