Outside the Cube
Generated 20:02:10 on Jun 3, 2020
How to get into Windows when you lost the Administrator password
Question: I lost the Administrator password and do not have any other account. How can I get into my Windows installation, reset the admin password and create new user accounts?
Answer: First, some introductory information. Windows NT (from now on "NT") came out in the late 80s and brought the file system NTFS (New Technology File System). NTFS is superior to the file systems of MS-DOS, Windows 95 and Windows 98. Most relevant for this article is that NTFS lets you assign access rights, typically at the directory level. Certain folders may be accessible only to certain users.
The administrator can access all folders and the execution of some programs requires admin rights, which makes the admin account very important.
So there you are, in front of that NT box with an NTFS partition/hard disk, and you want that admin password and don't know it. Here's my toolbox of dirty tricks:
- The official way - I guess this is what Microsoft would answer:
"Reinstall Windows NT"
Takes a minimum of 30 minutes. Guaranteed to work, but you lose your settings. To fully restore the settings, it would take days.
- A quickie for read access: NTFSDOS.EXE
This is a nice little tool that I have used since it came out in 1996. It's FREE and I love it! To use it, you need an MS-DOS boot floppy. Go to a Win98 computer that carries DOS 7.0; this version supports long file names. At the DOS prompt, create a bootable floppy with
format a: /s
Get NTFSDOS.EXE from http://www.sysinternals.com and put the small 40 kB EXE file on the boot floppy.
Then have the NT computer boot from that floppy (you might need to change the BIOS to make it boot from floppy instead of from hard disk right away).
After booting, you'll be at the DOS prompt. Run the program NTFSDOS and it will mount all NTFS partitions that it can find.
This is supposed to work even for the latest version, NTFS5. I have only NTFS4 on my computers, so I cannot verify this.
You can now read any file and execute any console program, e.g. you can copy stuff over to your floppy disk or to a network drive, but you have no write access. And of course you won't find out the encrypted admin password.
Such a tool simply bypasses the security that the operating system enforces.
- Read & write access with "NTFSDOS Pro" ($149) or better "ERD Commander" ($250 - $325)
Available at http://www.winternals.com/
Works basically like NTFSDOS as described above, but you get write access. ERD 'pro' can replace the unknown admin password with a new one.
- Dirty trick - slip the system a command prompt!
This one gives you full read/write access, and admin access. It does not work on Windows 2000 anymore.
So, you sit and stare at the login prompt for a while, and the screen saver will come up. Here comes our attack. We replace the screensaver with a different program which will not ask for a password.
Usually you can log in with a guest or regular user account. Do that, go to the directory Windows\System32 and replace the login screensaver with the command line prompt.
ren logon.scr login.bak
copy cmd.exe logon.scr
To save time, you might want to change the timeout in the registry from 900 seconds to something shorter, but that goes too far in an epinion. (Search under HKEY_USERS\DEFAULT.)
Then reboot, and just wait for the screensaver to come up. It will be the command line prompt and you'll have access to the computer. Full access! You can run the user manager, create a new account and give it admin privileges or just change the admin password...
Also don't forget to restore the original screen saver.
Advice for administrators who want to protect their computers:
- Put a password on your BIOS and disable booting from floppy or CD-ROM. This rules out NTFSDOS and Co.
- Maybe even physically lock your computer so that the hard disk cannot be removed and put in a different computer where the attacker can boot from floppy disk.
- I don't know how to protect your machine against the last attack. It obviously only requires a working regular account.
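An added example, not part of the original article: a Python sketch of an integrity check that flags a logon.scr replaced as described above, either because it is byte-identical to the command interpreter or because it is a console-subsystem program rather than a GUI screensaver. The file contents are constructed minimal PE headers, and the names fake_pe, audit_screensavers, SAMPLE and SHELL_HASHES are assumptions made for the illustration.

```python
import hashlib
import struct

GUI, CONSOLE = 2, 3  # IMAGE_SUBSYSTEM_WINDOWS_GUI / IMAGE_SUBSYSTEM_WINDOWS_CUI

def pe_subsystem(data):
    """Return the Subsystem field of a PE image, or None if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    # Subsystem is 68 bytes into the optional header, which follows the
    # 4-byte PE signature and the 20-byte COFF header.
    sub_off = pe_off + 4 + 20 + 68
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < sub_off + 2:
        return None
    return struct.unpack_from("<H", data, sub_off)[0]

def audit_screensavers(files, shell_hashes):
    """files maps file name -> bytes; return (name, reason) for suspicious .scr files."""
    findings = []
    for name, data in sorted(files.items()):
        if not name.lower().endswith(".scr"):
            continue
        subsystem = pe_subsystem(data)
        if hashlib.sha256(data).hexdigest() in shell_hashes:
            findings.append((name, "identical to a command interpreter"))
        elif subsystem is None:
            findings.append((name, "not a valid PE file"))
        elif subsystem == CONSOLE:
            findings.append((name, "console-subsystem executable"))
    return findings

def fake_pe(subsystem, tag):
    """Constructed minimal PE header for this demo, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(optional) + tag

# Constructed stand-ins for a System32 directory read from an offline copy.
SAMPLE = {
    "cmd.exe": fake_pe(CONSOLE, b"cmd"),
    "logon.scr": fake_pe(CONSOLE, b"cmd"),   # same bytes as cmd.exe
    "normal.scr": fake_pe(GUI, b"saver"),    # ordinary GUI screensaver
    "other.scr": fake_pe(CONSOLE, b"tool"),  # console program named .scr
}
SHELL_HASHES = {hashlib.sha256(SAMPLE["cmd.exe"]).hexdigest()}

if __name__ == "__main__":
    for name, reason in audit_screensavers(SAMPLE, SHELL_HASHES):
        print(f"{name}: {reason}")
```

The subsystem test is only a heuristic; comparing each .scr file against a known-good hash baseline taken at install time is the more reliable check.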
Finally, a note to Linux fans. Bypassing the OS with a boot floppy is a threat that is independent of Windows. I bet there are or will be tools that mount a Linux ext2 partition from DOS. Just a matter of time and demand.