Note july 2005: I have problems catching up with my mail for the last 2-3 months, and will probably
have more problems for a few months more. You may get late response, or no response at all if you
mail me. Sorry!
I've put together a single floppy or CD which contains things needed to edit the passwords on most
systems.
The bootdisk supports standard (dual) IDE controllers (built in), a lot of SATA controllers, and most
SCSI controllers with the drivers supplied in a separate archive below. PS/2 or USB keyboards are
supported (mouse not required). It does not need any other special hardware; it will run on a 486
or higher with at least 32MB (I think) of RAM. Unsupported hardware: MCA, EISA and i2o may not
work.
Tested on: NT 3.51, NT 4 (all versions and SP), Windows 2000 (all versions), Windows XP (all
versions, also SP2), Windows Server 2003 (at least Enterprise).
DANGER WILL ROBINSON!
If used on users that have EFS encrypted files, and the system is XP, all encrypted files for that
user will be UNREADABLE! They cannot be recovered unless you remember the old password again
(the user's EFS key is protected with material derived from the old password, which an offline reset
cannot re-key). If you don't know whether you have encrypted files or not, you most likely don't have
them (except maybe on corporate systems).
Please see the Frequently Asked Questions and the version history below before emailing questions
to me. Thanks!
Also take a look at Grenier's DOS port
How to fix it if you lost your admin password for your ActiveDirectory. Thanks to John Simpson.
Other ways to recover lost password etc at MCSE World
How to use?
Yes, long text. Please read it all and the FAQ before mailing me questions
If you have the CD, all drivers are included. If you use the floppy, and you need the SCSI-drivers set,
either prepare a floppy with the scsi-drivers .zip file unzipped (in \scsi), or put a selection of the drivers
you need in the \scsi folder on the main floppy, there should be enough space for maybe a couple of
drivers. In the latter case you don't need to carry around and swap floppies.
Overview
1 Disk select, tell which disk contains the Windows system. Optionally you will have to load
drivers.
2 PATH select, where on the disk is the system?
3 File select, which parts of registry to load, based on what you want to do.
4 Password reset or other registry edit.
5 Write back to disk (you will be asked)
DON'T PANIC!! - Most questions can usually be answered with the default answer which is
given in [brackets]. Just press enter/return to accept the default answer.
1. DISK SELECT
Which disk contains your Windows system?
=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot
• For most machines only one disk and partition is listed; if so, just go with selection 1 (default)
• Otherwise select the partition
• If no disks or not all disks are shown, you may need to load disk drivers, for SCSI controllers
(or some IDE-RAID controllers). Select d to go to the driver select menu for auto-probe (based
on what's found on the PCI bus)
• If auto-probe won't work, you may have to load something manually; select m to do that (like
the old system)
1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]
[ ... ]
• You may then quit the selection with q or try for more drivers.
• When you quit, you will get back to the disk select (see above) and hopefully see more disks.
=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :
• If the directory is correct, something like the above will be listed (it may vary a bit..)
• You may then choose some canned answers based on what you want to do.
• Password reset is the default, and most used.
• Option 2, RecoveryConsole is for setting 2 parameters that the Windows 2000 and newer
RecoveryConsole (boot from CD, select Recovery and console mode) uses. One of the
parameters allows RecoveryConsole to be run without it prompting for the admin password. If
you do not know what RecoveryConsole is, don't bother. Or go search the net..
• Or if you want to do manual edit of registry, select your hives to load. Enter all names on one
line with space between.
We select 1 to edit passwords..
4. PASSWORD RESET
Everything is set and ready, let's roll!
=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Some information is displayed. Also, if the account is locked, you will be asked if you wish to unlock it
(not shown here)
We go for the blank password option (*), WHICH IS HIGHLY RECOMMENDED over setting a
new one.
Please enter new password: *
Blanking password!
Loaded hives:
=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y
THIS IS YOUR LAST CHANCE! If you answer y here there will be a write to disk!
Writing sam
NOTE: A disk fixup will now be done.. it may take some time
Mounting volume... OK
That was all. The disk fixup is only run on NTFS filesystems, and will force chkdsk next time windows
boots.
Please answer n here and then reboot, CTRL-ALT-DEL. Remember to remove the floppy or CD.
Download
Note: Some links may be offsite.
2. Let the machine boot from the floppy or CD. You may need to change the boot sequence in the
BIOS.
3. You'll see something like the following (what you type at the prompts is shown as <Enter>, y, !
and so on):

****************************************************************
* This utility will enable you to change the password of almost
* any user (incl. administrator) on a Windows NT/2k/XP installation
* WITHOUT knowing the old password.
*
* The program is now able to actually parse/follow the internal
* registry structure completely.
* There is now support for adding and deleting keys and values.
* Tested on: NT3.51 & NT4: Workstation, Server, PDC.
* Win2k Prof & Server to SP3. Cannot change AD.
* XP Home & Prof: up to SP1
* Now also works with syskey, read warnings if applicable.
*
* You may either let the scripts try to figure out your configuration,
* or you may do it manually from the shell prompts.
*
* Good luck!

Press return/enter to continue <Enter>
* In /etc/main.rc....
Calling scsi.rc to probe for SCSI controllers
Mounting floppy to fetch drivers from /scsi on it
SCSI-drivers found on floppy:

BusLogic.o.gz aic7xxx.o.gz

Do you have your NT disks on a SCSI controller?
 y - this will autoprobe for the driver
 n - no, skip SCSI, I have IDE drives
 or give the scsi-driver module's name (without the .o or .gz)
 + optional parameters to go directly for a known driver

Probe for SCSI-drivers: [n] <Enter>

Calling part.rc to select partition
Partitions found on the disk(s):
   Device Boot Start End Blocks Id System
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS

Probable NT partitions:
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS
What partition contains your NT installation?
[/dev/hda1] : <Enter>
FAT: Did not find valid FSINFO signature.
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
mount: wrong fs type, bad option, bad superblock on /dev/hda1,
 or too many mounted filesystems
/dev/hda1 is NTFS.
Trying to mount as readwrite on /mnt
NTFS volume version 3.0.
Success. Mounted NTFS /dev/hda1 on /mnt
Calling path.rc to select path
What is the full path to the registry directory?
[winnt/system32/config] : <Enter>
-rw------- 1 0 0 65536 Jan 15 09:00 AppEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 default
-rw------- 1 0 0 65536 Jan 15 09:00 default.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 default.sav
-rw------- 1 0 0 65536 Jan 15 09:00 netlogon.ftl
-rw------- 1 0 0 65536 Jan 15 09:00 SAM
-rw------- 1 0 0 65536 Jan 15 09:00 SAM.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 SecEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 SECURITY
-rw------- 1 0 0 65536 Jan 15 09:00 SECURITY.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 software
-rw------- 1 0 0 65536 Jan 15 09:00 software.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 software.sav
-rw------- 1 0 0 65536 Jan 15 09:00 SysEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 system.sav
-rw------- 1 0 0 65536 Jan 15 09:00 TempKey.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 userdiff
-rw------- 1 0 0 65536 Jan 15 09:00 userdiff.LOG
Which hives (files) do you want to edit (leave default for
password setting, separate multiple names with spaces)
[sam system security] : <Enter>
Copying sam system security to /tmp

Now running chntpw
chntpw version 0.99.0 030112, (c) Petter N Hagen
Hive's name (from header) (\SystemRoot\System32\Config\Sam)
ROOT KEY at offset: 0x001020

File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used, for data: 319/26472 blocks/bytes, unused: 6/1976 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 2555904 [270000] bytes, containing 584 pages (+ 1 headerpage)
Used, for data: 44209/2524072 blocks/bytes, unused: 19/9048 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 49152 [c000] bytes, containing 11 pages (+ 1 headerpage)
Used, for data: 859/42568 blocks/bytes, unused: 5/2136 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is : 0
Minimum password length : 0
Password history count : 0

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
 1 - Edit user data and passwords
 2 - Syskey status & change
 - - -
 9 - Registry editor, now with full write support!
 q - Quit (you will be asked if there is something to save)

What to do? [1] -> <Enter>

==== chntpw Edit User Info & Passwords ====

RID: 03f2, Username: (ACTUser)
RID: 03f2, Username: (Administrator)
RID: 03f2, Username: (ASPNET)
RID: 03f2, Username: (Guest), disabled or locked*
RID: 03f2, Username: (IUSR_HOGE-SRV)
RID: 03f2, Username: (IWAM_HOGE-SRV)
RID: 03f2, Username: (SQLDebugger)
RID: 03f2, Username: (hoge)
RID: 03f2, Username: (VUSER_HOGE-SRV)
RID: 03f2, Username: (VUSER_HOGE-SRV1)

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simply enter the username to change: [Administrator] <Enter>
RID : 032f
Username: Administrator
fullname:
comment :
homedir :

Account bits: 0x0215 =
[X] Disabled | [ ] Homedir req. | [X] passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is : 0
Total login count: 7
Account is disabled
Crypted NT pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Crypted LM pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MD4 hash : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
LANMAN hash : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

* = blank the password (EXPERIMENTAL! but may fix problems)
Enter nothing to leave it unchanged
Please enter new password: *
Blanking password. This may actually fix things if previous password-preset
did not work. Or it may even make things worse. Happy joy!

Do you really wish to change it? (y/n) [n] y

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simply enter the username to change: [Administrator] !

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
 1 - Edit user data and passwords
 2 - Syskey status & change
 - - -
 9 - Registry editor, now with full write support!
 q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

Hives that have changed:
 # Name
 0 (sam)
Write hive files? (y/n) [n] : y
Calling write.rc to select write back sam file
About to write file(s) back! Do it? [n] y
Writing sam
* end of scripts.. returning to the shell..
* Press CTRL-ALT-DEL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.rc'
#

Remove the floppy and restart. Now you can log in without a password (or with whatever you set).
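Two fields in the chntpw user display above are worth being able to read without the tool: the "Account bits" word (0x0215 in the transcript, which chntpw expands into the checkbox grid) and the "MD4 hash" line, which is the NT hash, i.e. MD4 over the UTF-16LE encoding of the password. The following is an added example, not code from this page or from chntpw: it decodes the account-control bits using the flag values defined for the SAM user record (the labels are chntpw's own), and computes the NT hash with a hand-written MD4 because hashlib's md4 is missing on many OpenSSL 3 builds. The well-known hash of the empty password, 31d6cfe0d16ae931b73c59d7e0c089c0, is what an operator looks for in a SAM dump to spot accounts that have no password at all. The LM hash is not covered (it needs DES, which the standard library does not provide), and the sample values are the ones printed in the transcript, not read from a real hive.

```python
"""Decode the "Account bits" and the NT ("MD4") hash shown in a chntpw user record.

Added example for the transcript on this page; not part of chntpw.
Flag values are the SAM user-account-control bits, labels are chntpw's.
"""
import struct

# (mask, chntpw label) for the user-account-control word in the SAM V record.
ACB_FLAGS = [
    (0x0001, "Disabled"),
    (0x0002, "Homedir req."),
    (0x0004, "passwd not req."),
    (0x0008, "Temp. duplicate"),
    (0x0010, "Normal account"),
    (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"),
    (0x0080, "Wks trust act."),
    (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"),
    (0x0400, "Auto lockout"),
]


def decode_acb(bits):
    """Names of the flags set in a 16-bit account-bits value, in bit order."""
    return [name for mask, name in ACB_FLAGS if bits & mask]


def _rotl(v, s):
    return ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320). Returns the 16-byte digest."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                       # round 1
            a = _rotl((a + f(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 over the password encoded as UTF-16LE, as hex."""
    return md4(password.encode("utf-16-le")).hex()


# The hash Windows stores for an empty password; a SAM dump showing this value
# for an account means the account has no password.
BLANK_NT_HASH = nt_hash("")


def describe_user(account_bits, nt_hash_hex):
    """The two things to check after an offline reset: can the account log on,
    and does it have a password at all."""
    flags = decode_acb(account_bits)
    notes = []
    if "Disabled" in flags:
        notes.append("account is disabled; it cannot log on until the Disabled bit is cleared")
    if nt_hash_hex.lower() == BLANK_NT_HASH:
        notes.append("NT hash is the well-known empty-password hash")
    return notes


if __name__ == "__main__":
    # Values from the transcript above (constructed/sanitised in the original).
    print(hex(0x0215), decode_acb(0x0215))
    print("blank NT hash:", BLANK_NT_HASH)
    for line in describe_user(0x0215, BLANK_NT_HASH):
        print("-", line)
```

Running it on the transcript's 0x0215 lists Disabled, passwd not req., Normal account and Pwd don't expir, which is why chntpw also prints "Account is disabled" for that record: blanking the password alone does not make a disabled account usable, and the unlock prompt mentioned under Step THREE is what clears that bit.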