Windows lost administrator password rundown….



I’ve done one or two mentions in the past of ways to recover/reset lost Windows passwords and thought it was probably time for another “brain dump/web research dump” of things that I’ve run across. This is not just for lost administrator passwords, but could apply to a lost user account password as well. (I’ve found that the mileage varies with the system. NT/2000/XP/2003 are not the only variations; there seem to be variations related to certain Windows updates, etc.) I should also put a disclaimer here that this information is not so you can break into someone else’s Windows installation (without their permission); at the very least that’s a privacy violation and at the worst, against the law and unethical. What this is for is a guide for someone who has accidentally locked themselves out of their Windows install (or in some cases where someone ELSE has locked you out of your own PC). In other words – don’t use this to crack.


For starters let’s get the really simple and obvious out of the way: 1) don’t lose your password, 2) make a good reminder, 3) check the Caps Lock key (try the password in upper and lower case just in case), 4) try to think how you might have mistyped your password if your hands were “out of home position” and try it that way. Those are of course the really easy things to try. (Oh, and you can try guessing if someone else has locked you out.) Odds are you’ve already been banging your fingers against that password box for a while, so it’s time to try something else.

OK… well, you might be lucky enough that it’s just YOUR user password that you’ve lost and you could still get in as Administrator (or through another account with admin privileges). So, try other logins; if none are accepted in a normal boot, try SAFE MODE booting. When your system first starts to boot up (BEFORE the WINDOWS splash screen) press F8 repeatedly. (Some will nag if you’re too early.) Admittedly you have to get it at just the right time (after the BIOS POST and before Windows starts loading). This should give the choice to start up in safe mode. (If the Windows splash comes up you COULD just yank the power from the PC, plug it in and boot again; then Windows should say it was unsuccessful starting up and offer some boot options, including safe mode.) Once you get safe mode booted it should give a login screen with your normal login and Administrator. If you’re lucky and there’s no password, you could click on Administrator and get in.

Once in, go to Control Panel > Users/Accounts, then select the problem user and either remove the password or change it there.

OK… if that’s not working there are other options. One is ntpasswd.

This is a downloadable boot disk (text only environment) that should let you clear the administrator password. I’ve not had as much success with it lately as I did at one point and am not sure if recent Windows updates have caused the problem or if I’ve just had bad luck. Anyway, it’s worth a try, as it IS a fairly quick thing to try out.

Another quick thing to try is Sala’s Windows Password Renew tool, which MUST be run from a BartPE boot disk. If you’re not familiar with BartPE… it’s essentially a Windows live CD; the only catch is that instead of being redistributable you have to build it yourself from your own Windows install/install CD. So, yes, you have to get access to another machine to do it and build it yourself, but it’s a fairly easy and relatively quick process. You download the cab file for Sala’s Password Renew and, before BartPE builds your disc, you tell it where to find the plugin.

Alternatively you could download and run ubcd4win which is a customization of BartPE that comes preconfigured with several plugins (including the password renew plugin) – you still have to have a cd-burner/running windows install /install cd and enough free disk space.

Once done and booted, select Sala’s password renew from the menu, find your Windows install (usually c:\windows) and then you can change a password of a detected user, add a user, make an existing user admin and even blank the admin password (experimental). It has seemed to work fairly well for me.

There are other approaches too….

From one forum there’s this suggestion (assuming you can get to the registry from something like a BartPE disc)

To reset the Administrator’s password (or any local password), launch RegEditPE. Look for the entry labeled SAM. Navigate down till you find the entry for ‘x0001f4’. This is the entry for BartPE Administrator. Now look at SAM_ON_C and navigate down to ‘x0001f4’. This will be the Administrator’s setting for the local machine. Cut and paste the ‘F’ and ‘V’ values from SAM to SAM_ON_C. This will reset the local Administrator’s password back to null.

Better yet, export the ‘x0001f4’ from SAM to the B:\ drive. Edit the *.reg entry, changing SAM to SAM_ON_C, and reimport the registry entry. In my case, I created a folder called _RegHack on my BartPE CD and just import the entry from there.

And here are commands for doing things from the CMD (command) prompt…

Add user: net user fred /add
Add user to administrators: net localgroup administrators fred /add
Change password: net user administrator password

But how could you get to the command prompt???

Well, there’s another possibility IF you can make changes to the registry somehow….

You might be able to replace the default screensaver (that would kick in at the login screen) with the command prompt….

Look for
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"="logon.scr"

and change it to this….
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveTimeOut"="10"
"SCRNSAVE.EXE"="cmd.exe"

Now, the screensaver should kick in quickly (10 seconds) after getting to the login screen, and the screensaver SHOULD be a command prompt with admin privileges. (You MAY want to remember to change it back after you’re in….)
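As an added defensive check (not part of the original post), here is a small Python script that parses a .reg-style export of the HKEY_USERS\.DEFAULT\Control Panel\Desktop key shown above and flags the substitution, so an administrator can audit a machine for it before or after a recovery; the two sample exports are constructed from the snippets above, and the 60-second timeout threshold is an assumption.

```python
import re

# Constructed sample exports: the untouched key and the modified one from the post.
CLEAN_EXPORT = r'''[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"="logon.scr"
'''

TAMPERED_EXPORT = r'''[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScreenSaveTimeOut"="10"
"SCRNSAVE.EXE"="cmd.exe"
'''

LOGON_DESKTOP_KEY = r"HKEY_USERS\.DEFAULT\Control Panel\Desktop"
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}.
    Only string values in "name"="data" form are handled, which is enough
    for the logon desktop key; header and unknown lines are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def audit_logon_screensaver(text, min_timeout=60):
    """Return a list of findings for the logon desktop's screensaver settings.
    An empty list means the key looks like the stock configuration."""
    findings = []
    values = parse_reg_export(text).get(LOGON_DESKTOP_KEY, {})
    exe = values.get("SCRNSAVE.EXE", "")
    # A logon screensaver should be a .scr; anything else (cmd.exe etc.) runs as SYSTEM.
    if exe and not exe.lower().endswith(".scr"):
        findings.append("SCRNSAVE.EXE is not a .scr file: " + exe)
    timeout = values.get("ScreenSaveTimeOut", "")
    # The post drops the timeout to 10 s so the shell appears almost immediately.
    if timeout.isdigit() and int(timeout) < min_timeout:
        findings.append("ScreenSaveTimeOut unusually short: " + timeout + "s")
    return findings


if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(name, audit_logon_screensaver(export) or "no findings")
```

A real export produced with `reg export` is UTF-16 and starts with a header line; decode it and pass the text, since the parser skips lines it does not recognise.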

OK… there’s yet MORE… this next one requires a linux boot disk (although I know there’s a way to do this with the windows versions of these programs….) This next feature doesn’t change the password, but cracks the hash that it’s stored with so you should be able to see what it is.

The steps on this are thanks to irongeek.com

I’ll distill the pages down and just give an idea of what’s involved. Make your life easy and use auditor (which is a linux boot disk focusing on security/forensic tools). It’s possible also to install this software on a linux box/other boot cd and work from there, but it’s also possible to do a lot of other things…. so make things simple and use the cd that has it all installed for you.

Boot up from the livecd and open a terminal/console window. Find and mount your windows partition…. probably hda1 like this…

mount /dev/hda1

(should be able to ls the contents at /mnt/hda1 now.)

ok go ahead and cd to the ramdisk…

cd /ramdisk/

The following commands may need to be adjusted for the windows install directory. Basically we have to find the system key, then use that to get the password hashes and then load a dictionary and let another utility figure out the hashes…

first step: (get the system key)

bkhive-linux /mnt/hda1/WINDOWS/system32/config/system saved-syskey.txt

second step: (find the username/password hash)
samdump2-linux /mnt/hda1/WINDOWS/system32/config/sam saved-syskey.txt>password-hashes.txt

third step: (get dictionary ready)
gunzip -c /opt/auditor/full/share/wordlists/english/english.txt.gz> /ramdisk/eng.txt

fourth step: (analyze to find password).
john password-hashes.txt -w:eng.txt

You may need to specify that it needs to look for NT as opposed to LM hashes…
john password-hashes.txt -f:NT -w:eng.txt

One example I got with the first command above was D adminstrator
PASSWOR Administrator
(which didn’t make much sense) and the second one correctly tagged the password as
password Administrator. (It reports password and account name).

IF the dictionary “attack” doesn’t get you anywhere then you will likely need to try to brute force it… get some light reading/snacks/liquids ready and….

let’s just start guessing:
john password-hashes.txt -i:all

(again you may specify -f:NT)

This one will likely take a while. You might visit the site referred to above to get a more detailed description of the above process.

Well, I have ONE more way to do this…. and I’ve saved it for last because to me it’s probably least desirable. (You’ll know why at step 1)

1. Get your Windows install disc…

Essentially the idea is to do a “Repair” install of your Windows installation, but at a special place in the process you can access a run prompt to launch an applet to change the password. Here’s the short version from my last writeup on this…

It essentially has you restart from the install CD and do a repair installation of the existing XP install. It should churn away and copy files and will need to reboot; let it reboot (NOT FROM THE CD). In the lower left hand side of the screen you will see “Installing Devices” near the progress bar. At this point you need to press Shift+F10 to get a console window. Type NUSRMGR.CPL and press Enter – you should see the user’s control panel applet open up. From here you should be able to change or remove passwords as necessary.

It appears that you can also type control userpasswords2 at the command prompt and choose to log in without a password. Once all that is done, you should be able to close the windows and then let the repair process finish – you will need your product key. Once that’s done, you should be able to log in with the reset password (or no password) depending on what you set up.

You DO have to let it do the complete repair installation so, it can be time consuming and should require you to reinstall all your Windows updates (which can be a pain since there’s a slew since SP2).

The original writeup on this last method is at this link.

You can probably think of a few variations on all the above approaches. For instance, the BartPE plugin mentioned above gives several ways to accomplish the job in itself. One other note is that if the computer is part of a Domain some or all of these approaches become more complicated. I’ve seen reports of the BartPE plugin not working on a domain member, but it’s also pointed out that if the Domain controller is enforcing complex passwords…. you have to make a complex password in your reset to have it accept it. (Mix letters/numbers/uppercase/lowercase and DON’T use part of your name.)

I’ve noticed that some keyboards these days (usually wireless) don’t have caps/number lock indicators on board (they’re usually done via software or displayed on the other end of the remote.) The big problem there of course is if for some reason you accidentally hit the caps lock, you have no visual feedback. So that can frustrate even the best attempts.

If at this point you still can’t get into your Windows install, it may be time to copy the data out by just installing “Beside” the existing install (not formatting the disk, just install into a new directory) and try to start over.
