Resetting the Administrator's password

Problem:
I've forgotten the Administrator password. How can I reset it?

Versions:
Windows 2000 and XP

Solution:

Resetting the Password
If you simply want to reset the password on the local machine, there is a Linux-based utility called Offline NT Password and Registry Editor. Put it on a floppy disk or CD, boot the machine from it, and it will blank or reset any local account's password by editing the SAM hive directly. Please note that any files saved with file encryption (EFS, the Encrypting File System) will no longer be accessible after a reset done this way: the key that protects the user's EFS certificate is derived from the old password, and only a password change made from inside Windows re-protects it with the new one.

If you need to reset the password on a machine that is a domain controller, check out this how-to.

Cracking the Password
Let's say you need to crack the password to access some encrypted files, or maybe you are an administrator who wants to make sure that users are choosing good passwords. In that case, you'll need to download SAMInside. Windows 2000 and XP encrypt the password hashes stored in the SAM a second time with the SYSKEY boot key, which lives in the SYSTEM hive; that is why both files are needed, and, to my knowledge, SAMInside is the only utility that undoes this step and recovers the raw LM and NT hashes. The shareware version can crack letter-only passwords in a few hours, or you can register the software for $40 and crack passwords containing virtually any characters.

If you have administrative rights on the machine, you can run SAMInside and have it acquire the password hashes from the registry directly. If you do not have administrative rights, you will need to take the sam and system hive files from the %windir%\system32\config directory. Windows keeps these files locked open while it is running, so you will need to boot into another operating system and copy the files from there. Unfortunately, the system file is usually bigger than what will fit on a floppy, so a USB flash drive is recommended.

You can boot into DOS and use a freeware application called NTFSDOS to copy the files. Probably the easier method is to download Knoppix, a version of Linux that runs from CD. Knoppix can read the NTFS-partitioned hard drive and copy the sam and system files to a USB flash drive, all from a Windows-like desktop.

Once you have the sam and system files, go back into Windows, run SAMInside, and point it at the sam and system files you copied. If you would rather not register SAMInside, you can copy the password hashes from the SAMInside.hashes file and feed them to a free program such as John the Ripper to crack the passwords.

Bypassing the Password
There is also a way to reset the Administrator password, do what you need to do, and then put the old Administrator password back without ever knowing what it was. Keep in mind that if the computer is part of a domain and auditing is turned on, an administrator may be able to see from the security log that someone logged on interactively as the local Administrator. You have been warned!

Unless Windows was installed on a FAT/FAT32 partition, this option requires software on a boot disk/CD that can both read and write the NTFS partition. So far, I have only been successful using Winternals' NTFSDOS Professional. Again, this is a professional tool and not cheap; the downloaded version is restricted to read-only access until you register the software. The latest version of Knoppix (3.4) can write to NTFS drives, but its NTFS write support is still very much in the beta stage. For this how-to, I am going to use NTFSDOS Pro.

Before we begin, we need a good DOS boot disk. Head over to Bootdisk.Com and download a boot disk image. I recommend the Windows 98 Second Edition boot disk, since it is easy to use and includes drivers for most CD-ROM drives... not that you'll need CD access for this tip, but it is handy to have around. Once it has finished downloading, put a floppy disk in the drive and run the file; the image will be written to the floppy.

If you haven't already, install NTFSDOS Professional. Grab a couple of formatted floppy disks, then run the program to create the necessary floppy disks. Do not use your DOS boot disk, as the NTFSDOS Pro files will not fit on it. Another option is to create a folder with the files necessary to run NTFSDOS Pro and burn them to a CD.

Finally, create the Offline NT Password and Registry Editor boot disk/CD as well.

Now that we have all the disks ready, let's start cracking! (Pun intended.)

  1. Insert the DOS boot disk into the computer you are going to reset the password on and start it up. You may have to change the BIOS settings to force the computer to boot from the floppy or CD.
  2. After a few minutes, you will see the A:\> prompt. We need access to the NTFS partition, so replace the DOS boot disk with the first disk that NTFSDOS Pro created in the floppy disk drive. Type:

    ntfspro [ENTER]

    The NTFS partitions on the fixed disk will be mounted in the next few moments. The system partition (the one with the \windows or \winnt directory) is usually assigned the D: drive letter.
  3. Change to the system partition (d:) by typing

    d: [ENTER]
  4. We need to navigate to the \winnt\system32\config\ directory. Do this by typing

    cd \winnt\system32\config [ENTER]

    If you receive an error, try this instead

    cd \windows\system32\config [ENTER]
  5. Copy the SAM database file to the floppy using this command. Only sam needs to be saved: the reset tool rewrites sam alone, and the boot key in system is left untouched, so the original sam will still be readable once it is copied back.

    copy sam a:\ [ENTER]
  6. Once the file has been successfully copied, replace the NTFSDOS Pro disk with the Offline NT Password & Registry Editor boot disk/CD. Restart the computer.
  7. Follow the Offline NT Password & Registry Editor instructions for resetting the Administrator password.
  8. Remove all boot disks/CDs from the drives and restart the computer and allow it to load Windows.
  9. Log into the Administrator account using the password you reset it to. If the computer is a domain member, set the "Log on to" box to [Computer Name] (this computer) so that you log on to the local account rather than a domain one.
  10. Do whatever it is you want to do as Administrator. If you want to add your username to the Administrators group continue on. Otherwise, skip to step #13.
  11. Click on the Start menu and Run...
  12. We are going to schedule the Local Users and Groups Management Console to start approximately 15 minutes from the current time. The at service runs scheduled jobs under the LocalSystem account, which is what lets the console work after the original SAM (and with it the old Administrator password) is put back. Do this by typing

    at 16:45 /interactive lusrmgr.msc [ENTER]

    where 16:45 is the time in 24-hour notation, roughly 15 minutes ahead of the current time. A command line window will briefly appear saying the job has been added.
  13. Insert the DOS boot disk into the drive and restart the computer.
  14. Once again, replace the DOS boot disk with the first NTFSDOS Pro disk and type

    ntfspro [ENTER]
  15. Change to the system partition (d:) by typing

    d: [ENTER]
  16. Navigate to the \winnt\system32\config\ directory by typing

    cd \winnt\system32\config [ENTER]

    If you receive an error, try this instead

    cd \windows\system32\config [ENTER]
  17. Copy the original SAM file back to the NTFS partition by entering

    copy a:\sam . [ENTER]

    Don't forget the space and period at the end!
    This tells the computer to copy the sam file from the floppy to the current directory.
  18. Once the file has been copied, remove all disks in the drives, and restart the computer and allow it to load Windows.
  19. Log in as you normally would with your regular username and password.
  20. At the time you specified above, a Local Users and Groups window will appear on the screen. Everything done in this window runs under the LocalSystem account used by the at service, so it succeeds even though you are logged on as a regular user. To add your user account to the local Administrators group, double-click Groups > Administrators in the right-hand column and use the Add... button to add your username.
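The warning at the top of this section says an auditing administrator can spot this procedure. Here is an added example (not from this page) of the two checks a defender would run over the security log of a Windows 2000/XP domain member: an interactive logon (event 528, logon type 2) by the local built-in Administrator rather than a domain account, and a management console (event 592, "A new process has been created") started under the SYSTEM account, which is what the at /interactive trick in steps 12 and 20 produces. The event records are constructed and simplified to the fields taken from the event description text; the hostname, image paths and user names are assumptions, not a real export.

```python
# Constructed, simplified security-log records (fields lifted from the 528/592 event text).
COMPUTER = "WS01"  # assumed hostname of the domain member being audited

EVENTS = [
    {"id": 528, "user": "jsmith", "domain": "CORP", "logon_type": 2, "image": None},
    {"id": 528, "user": "Administrator", "domain": "WS01", "logon_type": 2, "image": None},
    {"id": 528, "user": "Administrator", "domain": "CORP", "logon_type": 3, "image": None},
    {"id": 592, "user": "jsmith", "domain": "CORP", "logon_type": None,
     "image": "C:\\WINNT\\system32\\notepad.exe"},
    {"id": 592, "user": "SYSTEM", "domain": "NT AUTHORITY", "logon_type": None,
     "image": "C:\\WINNT\\system32\\services.exe"},
    {"id": 592, "user": "SYSTEM", "domain": "NT AUTHORITY", "logon_type": None,
     "image": "C:\\WINNT\\system32\\mmc.exe"},
]

INTERACTIVE = 2  # logon type 2 = console logon
# Management consoles have no business running as SYSTEM outside a service context;
# the at service launches scheduled jobs (including lusrmgr.msc via mmc.exe) as LocalSystem.
CONSOLE_IMAGES = {"mmc.exe", "cmd.exe", "explorer.exe"}


def local_admin_logons(events, computer):
    """Event 528 interactive logons by the built-in local Administrator.
    The domain field equals the computer name when a local account is used,
    so a DOMAIN\\Administrator network logon (type 3) is not flagged here."""
    return [
        e for e in events
        if e["id"] == 528
        and e["logon_type"] == INTERACTIVE
        and e["user"].lower() == "administrator"
        and e["domain"].lower() == computer.lower()
    ]


def system_consoles(events):
    """Event 592 process creations where SYSTEM started an interactive console image."""
    return [
        e for e in events
        if e["id"] == 592
        and e["user"].upper() == "SYSTEM"
        and e["image"] is not None
        and e["image"].rsplit("\\", 1)[-1].lower() in CONSOLE_IMAGES
    ]


def findings(events, computer):
    """Return human-readable findings so the result can be checked, not just printed."""
    out = []
    for e in local_admin_logons(events, computer):
        out.append(f"528: interactive logon by local {e['domain']}\\{e['user']}")
    for e in system_consoles(events):
        out.append(f"592: {e['image']} started as {e['domain']}\\{e['user']}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS, COMPUTER):
        print(line)
```

Neither check fires on the offline steps themselves (booting from floppy and swapping sam writes nothing to the event log), which is the point the text makes: the trace is the Administrator logon in step 9 and the SYSTEM-owned console in step 20, and only if the Audit logon events and Audit process tracking policies were already on.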

You may find the following links helpful if you need more information...

Last updated June 2, 2004