Friday, May 17, 2013

How to recover Windows passwords

This tutorial explains what to do if you have forgotten your Windows user password. On Windows versions after XP the account cannot be accessed through safe mode or by any other built-in means, so an external application is needed to reset or change the user password before you can log in again.

Caution: This tutorial is for advanced users. If you do not understand it at all, get someone who does. Alternatively, you can try other tools for this purpose, for example PCLoginNow (http://www.pcloginnow.com/product.html) or Ophcrack (http://ophcrack.sourceforge.net/).
See this link for more password recovery tools
The following method has been successfully tested with Windows NT, 2000, XP, Vista, and Windows 7.

Related downloads:

The files inside the USB zip are exactly the same as on the CD. See below for instructions on how to make USB disk bootable.

How to make the CD

Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like; most support writing ISO images. Often double-clicking on it in Explorer will pop up the program offering to write the image to CD. Once written, the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this; please consult your CD software manual or friends.
The CD will boot with most BIOSes; see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot menu when you press ESC or F10/F12 while it probes the disks, and some may need to have the boot order adjusted in setup.

How to make a bootable USB drive

  • Copy all the files that are inside the usbXXXXXX.zip or on the CD onto a USB drive, directly on the root of the drive, not inside any directory/folder.
  • It is OK if there are other files on the USB drive from before; they will not be removed.
  • Install the bootloader on the USB drive from a command prompt in Windows (start the command line with "run as administrator" if possible):
    • X:\syslinux.exe -ma X:
  • Replace X: with the drive letter the USB drive shows up as (DO NOT USE C:).
  • If it seems like nothing happened, it is usually done.
  • However, a file named ldlinux.sys may appear on the USB drive; that is normal.
  • It should now in theory be bootable.
  • Please know that getting some computers to boot from USB is harder than from CD; you may have to change settings, and some simply will not work at all.
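The USB steps above, combined into one script, as an added example that is not part of the original tutorial or of the tool's own files. It assumes an unzipped folder ($SourceDir) containing syslinux.exe, initrd.gz and vmlinuz, a USB drive letter ($Drive), and an elevated PowerShell prompt; it refuses C: and any non-removable drive before running the same syslinux.exe -ma command the tutorial gives, then checks for ldlinux.sys as the sign that the bootloader was written.

```powershell
# Added example, not the tutorial's own script. Builds the bootable USB drive
# described above: copies the unzipped files to the root of the drive and installs
# the syslinux bootloader with "X:\syslinux.exe -ma X:".
# Assumptions: $SourceDir is where usbXXXXXX.zip was unzipped; $Drive is the USB
# drive letter (e.g. "E:"); the prompt is elevated ("run as administrator").
param(
    [Parameter(Mandatory = $true)][string]$SourceDir,
    [Parameter(Mandatory = $true)][string]$Drive
)

# Normalise "e", "E:", "E:\" to "E:"
$Drive = $Drive.TrimEnd('\').TrimEnd(':').ToUpper() + ':'

# The tutorial's warning: never run syslinux -ma against C:, it rewrites the boot sector.
if ($Drive -eq 'C:') { throw 'Refusing to install a bootloader on C:' }

# Only proceed on a removable disk (Win32_LogicalDisk DriveType 2), never a fixed disk.
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if ($null -eq $disk) { throw "Drive $Drive not found" }
if ($disk.DriveType -ne 2) {
    throw "$Drive is not a removable drive (DriveType $($disk.DriveType)); refusing to continue"
}

# The files named in the tutorial must be present in the unzipped folder.
foreach ($f in 'syslinux.exe', 'initrd.gz', 'vmlinuz') {
    if (-not (Test-Path (Join-Path $SourceDir $f))) { throw "Missing $f in $SourceDir" }
}

# Copy everything to the root of the drive, not into a subfolder; existing files are kept.
Copy-Item -Path (Join-Path $SourceDir '*') -Destination "$Drive\" -Recurse -Force

# Install the bootloader exactly as the tutorial does: X:\syslinux.exe -ma X:
& "$Drive\syslinux.exe" -ma $Drive
if ($LASTEXITCODE -ne 0) { throw "syslinux.exe exited with code $LASTEXITCODE" }

# ldlinux.sys appearing afterwards is the expected sign that the bootloader was written.
if (Test-Path "$Drive\ldlinux.sys") {
    Write-Host "Bootloader installed on $Drive; the drive should now be bootable."
} else {
    Write-Warning 'ldlinux.sys not found on the drive; the bootloader install may have failed.'
}
```

Run it as `.\make-usb.ps1 -SourceDir C:\unzipped -Drive E:` (the script name is a placeholder). The removable-drive check is the one addition beyond the tutorial's list: it turns the "DO NOT USE C:" warning into something the script enforces for every fixed disk, not just C:.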

How to make the floppy

The unzipped image (bdxxxxxx.bin) is a block-by-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block.
  • Unzip the bd zip file to a folder of your choice.
  • There should be 3 files: bdxxxxxx.bin (the floppy image), rawrite2.exe (the image writing program), and install.bat, which uses rawrite2 to write the .bin file to floppy.
  • Insert a floppy in drive A:. NOTE: It will lose all previous data!
  • Run (double-click) install.bat and follow the on-screen instructions.

Offline NT Password & Registry Editor, Walkthrough

The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.
Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so it depends on your mainboard. Some BIOSes show a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test (some even tell you on the screen what to press).
If it boots, you should see this ->
Usually just press enter here. If you have Linux knowledge, you can tweak kernel options if you need/like.
Then it boots and outputs a lot of kernel messages about your hardware and such; most if not all are nothing to worry about.

Most of the generic Linux boot is now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.
Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand, model and size of the disks found, if any.



Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu. If there is a 100MB partition and a big one, select the big one.
Floppy users may need to do 'f' to load in more drivers from another floppy.
The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with the 'f' option).
The 'm' option for manual load will present a list of all the drivers with a short description if available, and allow you to specify which to load. (Dependencies are handled automatically.)
Here we only have one partition, so we just press enter to select it.
The registry is usually in system32/config under the WINDOWS or WINNT directory, depending on the Windows version (and it may have been changed during installation).
If the correct partition has been selected, the default prompt will be adjusted to match if the program can find one of the usual variants.
Press enter, and the program will then tell you if the correct directory has been selected.
Choice 1 is for password edit, the most used option. But if you wish, you can load any of the files (just enter its name) and do a manual registry edit on them.
Here we select 1 for password edit; some files are copied into memory and the edit application is invoked.
This demo shows selection 1 for password edit, but you can also do other things.
Note that 2, Syskey, may be dangerous! AND IT IS NOT NEEDED TO RESET PASSWORDS! It does not work at all on Vista, but you get some info before you make any changes.
Selection 3, RecoveryConsole, is only relevant for Win2k, XP and 2003, and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.
The manual registry editor is always available; it is not the most user-friendly thing, but anyway..
We continue our quest to change our "admin" users password..
This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel; for example, XP has some built-in help and support users.
The users marked "ADMIN" are members of the administrators group, which means they have admin rights; if you can log in to one of them you can get control of the machine.
The built-in (at install time in all Windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this account locked down (the installer instead asks and makes another user the regular administrator, in this case RID 03e8).
The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts, for example), or BLANK if the password seems to be blank.
We select to edit the "admin" user (this was the user made administrator by the Vista installer).
Some status info: the user is locked out if "Disabled" is set or "Failed login count" is larger than the "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.
Here we just reset/clear/blank the password.
You can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.
Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, it is usually pointless to promote the Guest user, as it is most likely forbidden to log in by the security policy settings.
Exclamation point ! quits out (it's SHIFT-1 on the US keyboard layout used on the boot CD).
Then we get back to the main menu, and select to quit..
You must answer y, or the changes will not be saved. This is the last chance to change your mind!
Only changed files of the registry are actually written back.
If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.

If you see an error message now, it does not necessarily mean that it isn't working.
Reboot and test whether Windows can be accessed again.
