Windows NT/2K/XP/2K3 Password Recovery

KB ID 0000095


Note: As the title suggests, this is quite an old post! you might prefer THIS ONE.

Disclaimer: This information is designed to help people who are locked out of their own PC’s and not for Hacker Wannabe’s with the IQ of a haddock. Information is not inherently dangerous, just some people are. If you want to break things and be a general pain in the ass, sod off to Google and leave the grown ups alone. Pete Long 16/05/04

Generally if people are reading this they have lost or forgotten their administrator password, the more technically astute of you will baulk at this as you know the importance of this password, the simple fact is most people don’t, and by the time they need it its on a long lost post-it note. Similarly if you buy a second hand PC from eBay for example the seller will not always furnish you with the admin password.This can be resolved by wiping the hard drive and simply re-installing windows from scratch, but the chances are there will be information you need to save of the PC and you are stuck in a catch 22 situation.

OK so how do you get into the system? Well in truth there are a myriad of ways into a PC providing you are at the keyboard.



To be honest the simplest solution is the one most overlooked, is the password set to blank? try just pressing enter and not putting in a password. Most people use one password for everything (though this is not very secure 🙂 use the password you would normally use and remember Windows Passwords are CaSe SEnsitiVe, so try capitalising the first letter for example.


Well if Step 1 didn’t help you now have a choice,If your on a network with a DOMAIN you can gain access by using a domain administrators account, or if you can get in with YOUR username Click Start > Run > lusrmgr.msc {enter} right click the administrator and see if YOU have rights to change the password. OR you can simply wipe and rebuild the system, if that’s not an option and you simply HAVE TO get into the system then proceed to STEP 3


OK, more choices, the simplest solution is to change the admin password, using some third party software, this will let you in with administrative access and is pretty simple to do, there are a ton of applications to do this, I’ll demonstrate the one I usually use, and provide links to other tools at the end. There’s also another option which is to change the way windows starts to simply bypass the login completely, this is a little more complex to do but I’ll run through that as well. For some of you that may not be a solution, there may be a reason that you simply need the existing password, this is considerably more complex and can only be done in one way, that involves removing all the passwords and using software to de-crypt them. (This will cost you money)

Changing the Existing Password

Lets be honest, this is what 99.9% of you will want to do, you will also need to do this on another PC that has internet access to download the files and create the boot floppy disk you require, as I’ve already said there are a lot of tools available to you the one I use is free and can be downloaded from

NOTE: If you have encrypted files with the administrator account then these will files will be unavailable to you after carrying this out. (If your now wondering if you have – the fact you’re wondering usually indicates you don’t 🙂

From the zip file select all the files and “EXTRACT” them to your hard drive.

extract compressedunzip


Now you have extracted the files you need to use them to create the boot floppy you require. Put a blank floppy disk in the floppy drive (warning all files on this disk will be wiped ensure there’s nothing important on it.)

Now either open windows explorer or double click “My Computer” and navigate to your C: drive, you are looking for a file called “install.bat” (NB on your system it may just look like “install” depending on how your machine is set up) when you locate the file double click it to run it.

The setup program will run, and ask you which drive you want to create the boot image on, press a then press {Enter}, It will ask you to put a clean floppy in the drive and press {enter}

pasword hack

The setup program will chug along and create the floppy for you. You will know its finished when its displayed the following, just press any key to exit.

password recover

Well that’s your tool created, its time to take it to the offending machine. For it to work the offending machine will need its boot order setting so that it boots from floppy BEFORE the hard drive, for the majority of you it will be set up this way, if it wont launch the floppy disk when you boot the PC chances are this is the problem. To rectify it you need to enter the PC’s BIOS settings and change the boot order, and put the floppy (or A: drive) first in the boot order. This procedure is slightly different depending on your PC manufacturer and the BIOS itself. When your PC first boots it usually tells you how to enter the BIOS, typically by saying “Press <key> to enter setup” where <key> is usually F1, F2, F10, Esc, Delete or another key or combination of key strokes. When you get into the BIOS navigate through the screens until you see the boot order and move floppy (or A: drive) to the top on the list.

When the PC boots a lot of info will flash up on the screen, its just loading a bit of Linux don’t panic. When it settles down it asks you where windows is (its talking in UNIX speak don’t worry) you probably only have one operating system, if your clever enough to multiboot (have multiple operating systems on one PC) then Ill assume your clever enough to locate the partition you are looking for, for the rest of you just press {Enter}

It now asks “Where is the registry” but it displays the default location so just press {Enter}

Now you want to use a thing called the SAM, don’t panic just press {Enter}

The administrator is just a user so you need to accept the default choice of “Edit user data and passwords” by pressing {Enter}

The software selects the administrator by default, if it’s another user your after you can type its username (They are all listed above to help you) but we want the administrator so just hit {Enter}

You can now either type in a new password, or simply type an asterisk (this sets a blank password), you will be asked to confirm, do so by pressing Y then {Enter} all being well you will get a “Changed!” pop up on the screen and it will ask if there is another user you want to change the password for, Press ! {Enter} to return to the main menu, then press q {Enter} you now need to COMMIT the changes, press Y then {Enter} after doing some work it will say ***** EDIT COMPLETE ****** then press n {Enter} Now remove the floppy and press Ctrl+Alt+Delete to reboot.

When windows reboots it will run its built in disk checking program “Chkdsk” DONT interrupt it, just let it do its own thing, after a while windows will boot normally and you can login with the new password. (NB: Windows XP users, if you don’t see the Administrator account listed on the welcome screen press Ctrl+Alt+Delete TWICE to get a standard login screen.)


No problem, there are CD Based boot utilities that will do the same job 🙂

EBCD-Emergency boot CD “change password of any user, including administator of Windows NT/2000/XP OS. You do not need to know the old password.”

Change the way Windows Starts

Note:This will not work on Windows Server 2003

If you turn your PC on it will eventually get to logon, if you do nothing a screen saver will launch, this screensaver is called LOGON.SCR, all very well and good you say but what use is that? Well If you replace LOGON.SCR with the windows command line program (cmd.exe) it will launch a command line window instead, and not just any command line window, you are then typing commands with the SYSTEM rights, (This is higher than administrator)

So how is that done? Well it depends on your setup, if you have formatted the machine as FAT32 you are in luck simply download a boot disk from boot, and change.

for windows 2000

copy c:winntsystem32logon.scr c:winntsystem32logon.bak {Enter} del c:winntsystem32logon.scr (Enter} copy c:winntsystem32cmd.exe c:winntsystem32cmd.bak {Enter} ren c:winntsystem32cmd.exe c:winntsystem32logon.scr {Enter}

for windows XP

copy c:windowssystem32logon.scr c:windowssystem32logon.bak {Enter} del c:windowssystem32logon.scr (Enter} copy c:windowssystem32cmd.exe c:windowssystem32cmd.bak {Enter} ren c:windowssystem32cmd.exe c:windowssystem32logon.scr {Enter}

Then reboot when the system reboots go and have a coffee, when you see the command window type

net user administrator password {Enter}

The password will now be set to password, reboot and change logon.bak to logon.scr and cmd.bak to cmd.exe

However Most people will have their machines formatted as NTFS which, being more secure is not able to be changed from a boot disk, unless its a boot disk with NTFSPro on it, then it can (WARNING THIS IS NOT FREE). Or simply remove the hard drive and place it in another (working PC) then use windows explorer to back up the logon.scr and cmd.exe files (change their extensions to .bak) and rename cmd.exe to logon.scr, Put it back in your PC and away you go.


If you have got this far down the page, and your not in yet, then we are going to have to break the habit of a lifetime (and spirit of this site) and spend some cash. Basically the most drastic (and time consuming) method involves removing the entire list of encrypted passwords from the inaccessible machine and decrypting them.

Your encrypted passwords are help in two locations, the first is called the SAM (system account manager) and the second is the PC’s registry.

The files you need live in the following locations….

Windows XP C:WINDOWSsystem32configSAM & C:WINDOWSsystem32configSYSTEM

WIndows 2000 C:WINNTsystem32configSAM & C:WINNTsystem32configSYSTEM

NOTE: The system file is too big to fit on a floppy if you are using floppies you will need a dos compression utility like RAR to compress it.

OK, I’ve detailed above how to get at files on a system you don’t have access to, I’d recommend putting the drive in another PC and just copying it out, If you want a FREE alternative download Knoppix (this is Linux that runs from a CD, boot with it and extract the file straight from the affected system.)

Now you have extracted the two files you need to extract the passwords this takes specialist software, the most famous is LophtCrack from @Stake software but at time of writing its nearly $600 another choice is Proactive Windows Explorer from Elcomsoft which is half the price.



Related Articles, References, Credits, or External Links


Author: Migrated

Share This Post On