I've forgotten my Windows 2K administrator password and i'm looking for a method to retrieve it, I still have guest access to my computer, i cant install anything though. Can anybody suggest a method to retrieve it i was thinking along the lines of a dictionary attack program that doesn't require installation.
Win2K Admin Password
- Thread starter Prism
- Start date
1. DISK SELECT
Which disk contains your Windows system?
=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot
Please select partition by number or
a = show all partitions, d = load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]
For most machines only one disk and parition is listed, if so, just go with selection 1 (default)
Otherwise select partition
If no disks or not all disks are shown, you may need to load disk drivers, for SCSI-controllers (or some IDE-raid controllers). Select d to go to the driver select menu.
2. HOW TO LOAD DRIVERS
Skip this if it is not needed.
Select: [1] d
==== DISK DRIVER / SCSI DRIVER select ====
You may now insert or swap to the SCSI-drivers floppy
Press enter when done:
Found 1 floppy drives
Found only one floppy, using it..
Selected floppy #0
Mounting it..
Floppy selection done..
SCSI-drivers found on floppy:
1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]
SCSI driver selection:
a - autoprobe for the driver (try all)
s - swap driver floppy
q - do not load more drivers
or enter the number of the desired driver
SCSI driver select: [q]
Select a for auto-probe, it will try to load all drivers, and stop when one loads properly. Some drivers may need more driver modules, so you may have to redo the auto-probe several times.
Or if you know what you want, just enter it's number or name.
SCSI driver select: [q] a
[ BusLogic.o.gz ]
Using /tmp/scsi/BusLogic.o
PCI: Found IRQ 11 for device 00:10.0
[.... lots of driver / card info ...]
scsi0: *** BusLogic BT-958 Initialized Successfully ***
scsi0 : BusLogic BT-958
Vendor: FooInc Model: MegaDiskFoo Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
[ ... ]
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 8388608 512-byte hdwr sectors (4295 MB)
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
Driver BusLogic.o.gz loaded and initialized.
You may then quit the selection with q or try for more drivers.
When you quit, you will get back to the disk select (see above) and hopefully see more disks.
3. PATH AND FILE SELECT
Where's the Windows system located?
On the selected partition/disk, the main files for windows can theoretically be anywhere. And we must find the registry files to be able to edit them. There are however some usual places:
winnt35/system32/config - Windows NT 3.51
winnt/system32/config - Windows NT 4 and Windows 2000
windows/system32/config - Windows XP/2003 and often Windows 2000 upgraded from Windows 98 or earlier.
These usual paths will be checked, and if found, they will be suggested as the default.
Selected 1
Mounting on /dev/ide/host0/bus0/target0/lun0/part1
NTFS volume version 3.1.
Filesystem is: NTFS
=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :
If the directory is correct, something like the above will be listed (it may vary a bit..)
You may then choose some canned answers based on what you want to do.
Password reset is the default, and most used.
Option 2, RecoveryConsole is for setting 2 parameters that the Windows 2000 and newer RecoveryConsole (boot from CD, select Recovery and console mode) uses. One of the parameters allows RecoveryConsole to be run without it prompting for the admin password. If you do not know what RecoveryConsole is, don't bother. Or go search the net..
Or if you want to do manual edit of registry, select your hives to load. Enter all names on one line with space between.
We select 1 to edit passwords..
4. PASSWORD RESET
Everything is set and ready, let's roll!
=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen
[.. some file info here ..]
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <sam> <system> <security>
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]
Here you can enter the username you want to reset the password for. NOTE: It is case-sensitive, write it exact as listed (without the < and > of course)
Or if the name uses some characters that cannot be displayed, enter it's ID number (RID), like this: 0x1f4 would select administrator.
We select the default, which is administrator.
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 3
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Some information is displayed. Also, if the account is locked, you will be asked if you wish to unlock it (not shown here)
We go for the blank password option (*) WHICH IS HIGLY RECOMMENDED over setting a new one.
Please enter new password: *
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] !
! brings us back to the main menu here.
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives:
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> q
5. WRITING OUT THE CHANGES
Everything has been done, time to commit the changes.
Hives that have changed:
# Name
0 - OK
=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y
THIS IS YOUR LAST CHANCE! If you answer y here there will be a write to disk!
Writing sam
NOTE: A disk fixup will now be done.. it may take some time
Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
NTFS volume version is 3.1.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
NTFS partition /dev/ide/host0/bus0/target0/lun0/part1 was processed successfully.
NOTE: Windows will run a diskcheck (chkdsk) on next boot.
NOTE: this is to ensure disk intergity after the changes
***** EDIT COMPLETE *****
You can try again if it somehow failed, or you selected wrong
New run? [n] : n
Which disk contains your Windows system?
=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot
Please select partition by number or
a = show all partitions, d = load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]
For most machines only one disk and parition is listed, if so, just go with selection 1 (default)
Otherwise select partition
If no disks or not all disks are shown, you may need to load disk drivers, for SCSI-controllers (or some IDE-raid controllers). Select d to go to the driver select menu.
2. HOW TO LOAD DRIVERS
Skip this if it is not needed.
Select: [1] d
==== DISK DRIVER / SCSI DRIVER select ====
You may now insert or swap to the SCSI-drivers floppy
Press enter when done:
Found 1 floppy drives
Found only one floppy, using it..
Selected floppy #0
Mounting it..
Floppy selection done..
SCSI-drivers found on floppy:
1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]
SCSI driver selection:
a - autoprobe for the driver (try all)
s - swap driver floppy
q - do not load more drivers
or enter the number of the desired driver
SCSI driver select: [q]
Select a for auto-probe, it will try to load all drivers, and stop when one loads properly. Some drivers may need more driver modules, so you may have to redo the auto-probe several times.
Or if you know what you want, just enter it's number or name.
SCSI driver select: [q] a
[ BusLogic.o.gz ]
Using /tmp/scsi/BusLogic.o
PCI: Found IRQ 11 for device 00:10.0
[.... lots of driver / card info ...]
scsi0: *** BusLogic BT-958 Initialized Successfully ***
scsi0 : BusLogic BT-958
Vendor: FooInc Model: MegaDiskFoo Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02
[ ... ]
Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
SCSI device sda: 8388608 512-byte hdwr sectors (4295 MB)
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
Driver BusLogic.o.gz loaded and initialized.
You may then quit the selection with q or try for more drivers.
When you quit, you will get back to the disk select (see above) and hopefully see more disks.
3. PATH AND FILE SELECT
Where's the Windows system located?
On the selected partition/disk, the main files for windows can theoretically be anywhere. And we must find the registry files to be able to edit them. There are however some usual places:
winnt35/system32/config - Windows NT 3.51
winnt/system32/config - Windows NT 4 and Windows 2000
windows/system32/config - Windows XP/2003 and often Windows 2000 upgraded from Windows 98 or earlier.
These usual paths will be checked, and if found, they will be suggested as the default.
Selected 1
Mounting on /dev/ide/host0/bus0/target0/lun0/part1
NTFS volume version 3.1.
Filesystem is: NTFS
=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :
If the directory is correct, something like the above will be listed (it may vary a bit..)
You may then choose some canned answers based on what you want to do.
Password reset is the default, and most used.
Option 2, RecoveryConsole is for setting 2 parameters that the Windows 2000 and newer RecoveryConsole (boot from CD, select Recovery and console mode) uses. One of the parameters allows RecoveryConsole to be run without it prompting for the admin password. If you do not know what RecoveryConsole is, don't bother. Or go search the net..
Or if you want to do manual edit of registry, select your hives to load. Enter all names on one line with space between.
We select 1 to edit passwords..
4. PASSWORD RESET
Everything is set and ready, let's roll!
=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen
[.. some file info here ..]
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <sam> <system> <security>
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====
RID: 01f4, Username: <Administrator>
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator]
Here you can enter the username you want to reset the password for. NOTE: It is case-sensitive, write it exact as listed (without the < and > of course)
Or if the name uses some characters that cannot be displayed, enter it's ID number (RID), like this: 0x1f4 would select administrator.
We select the default, which is administrator.
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 3
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Some information is displayed. Also, if the account is locked, you will be asked if you wish to unlock it (not shown here)
We go for the blank password option (*) WHICH IS HIGLY RECOMMENDED over setting a new one.
Please enter new password: *
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] !
! brings us back to the main menu here.
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives:
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> q
5. WRITING OUT THE CHANGES
Everything has been done, time to commit the changes.
Hives that have changed:
# Name
0 - OK
=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y
THIS IS YOUR LAST CHANCE! If you answer y here there will be a write to disk!
Writing sam
NOTE: A disk fixup will now be done.. it may take some time
Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
NTFS volume version is 3.1.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
NTFS partition /dev/ide/host0/bus0/target0/lun0/part1 was processed successfully.
NOTE: Windows will run a diskcheck (chkdsk) on next boot.
NOTE: this is to ensure disk intergity after the changes
***** EDIT COMPLETE *****
You can try again if it somehow failed, or you selected wrong
New run? [n] : n
Lord Kalthorn
Guru
- Messages
- 13,293
- Location
- Britain
Hmm, looks like it may work - but I don't trust much to do with Hacking Windows.
Lord Kalthorn
Guru
- Messages
- 13,293
- Location
- Britain
What?!
Lord Kalthorn
Guru
- Messages
- 13,293
- Location
- Britain
Oh ha ha.
At0m1x you should have just gave him the link: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
ditto
thread man i've got the same problem. i'm on windows nt @ schools and i'm looking to find the admin password. any suggestions would be much apprectaitesd at rockerbaby881@hotmail.com
thread man i've got the same problem. i'm on windows nt @ schools and i'm looking to find the admin password. any suggestions would be much apprectaitesd at rockerbaby881@hotmail.com
