Sunday, November 15, 2009

Crack XP Password through ISO Image

Offline NT Password & Registry Editor, Bootdisk / CD


I've put together a single floppy or CD which contains things needed to reset the passwords on most systems. The CD can also be installed on a USB drive, see readme.txt on the CD.

The bootdisk should support most of the more usual disk controllers, and it should auto-load most of them. Both PS/2 and USB keyboards are supported.
Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2 and SP3), Windows Server 2003 (all SPs), Windows Vista 32 and 64 bit (SP1 also), Windows 7 (all variants). Some say Windows Server 2008 is also OK.
DANGER WILL ROBINSON!
If used on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be UNREADABLE, and they cannot be recovered unless you remember the old password again.
If you don't know if you have encrypted files or not, you most likely don't have them. (except maybe on corporate systems)
Please see the Frequently Asked Questions and the version history below before emailing questions to me. Thanks!



How to use?

Please read the walkthrough and the FAQ before mailing me questions. If you have the CD, all drivers are included.
If you use the floppy, you need one or more of the driver floppies, too.

Overview

  1. Get the machine to boot from CD (or floppy)
  2. The floppy version needs a floppy swap to load drivers.
  3. Load drivers (usually automatic, but possible to run manual select)
  4. Disk select, tell which disk contains the Windows system. Optionally you will have to load drivers.
  5. PATH select, where on the disk is the system?
  6. File select, which parts of registry to load, based on what you want to do.
  7. Password reset or other registry edit.
  8. Write back to disk (you will be asked)
DON'T PANIC!! - Most questions can usually be answered with the default answer, which is given in [brackets]. Just press enter/return to accept the default answer. The walkthrough and instructions are now on their own page!

What can go wrong?

Lots of things can go wrong, but most faults won't damage your system. The most critical moment is when writing back the registry files to NTFS.
The most common problem is that the computer was not cleanly shut down, so the disk can't be written back correctly (it says: read only filesystem). If so, boot into Windows Safe Mode (F8 before the Windows logo appears) and shut down from the login window. You may have to do that twice in a row.
Also, see the FAQ for help with other common problems.
For Linux-knowledgeable people: if the scripts fail you may do things manually, since you have shells on tty1-tty4 (ALT F1 - ALT F4).


Bootdisk history

2010-06-27
  • Newer kernel with newer disk drivers as usual.
  • Path select has been improved, I hope; it should now also tell what it finds on its way, and be more likely to work automatically.
  • If it does not find the correct path, you probably selected the wrong partition.
  • NOTE: Windows 7 has a small boot partition first (number 1) for the boot loader, and my system may not be smart enough to select number 2 instead. So you select number 2 manually. Thanks! :)
  • Release contains some small bugfixes that may be able to handle some problematic registries. Or maybe not.
  • For more change info not directly related to regular password reset, see the other pages.
2008-08-02
  • Update 2009-12-01: This old 2008-08-02 release also works on Windows 7, all versions as far as I know. New release hopefully sometime early 2010.
  • Now uses NTFS-3g as NTFS filesystem driver.
  • This hopefully removes some problems regarding dirty and "bad flags" NTFS volumes.
  • You will be asked if you like to force your way and continue anyway if the disk has been uncleanly shut down.
  • There exists a small chance of problems with the very latest written files before the unclean shutdown if you select to force it.
  • Safest is still to boot into windows and shut down properly if that is possible with an unclean volume.
  • Path select now hopefully better at detecting default suggestion and to actually find it...
  • Newer kernel, and probably newer and better drivers.
  • No changes to the password/registry edit program (chntpw) since last release.
  • Sorry, did not have the time to finish the floppy version yet.
2008-05-26
  • Newer kernel, and probably newer and better drivers.
  • Windows Dynamic Disks now supported, but maybe not all combinations of mirrors etc. It recognizes the partition layout at least.
  • Should now be possible to load extra drivers (drivers?.zip) from USB the same way as with floppy. Or maybe not. Did not test it that much.
  • Fixed a lot of bugs in the registry handling, did not affect password reset much, but did affect larger registry edits.
  • You may still experience hangs when the NTFS disk is mounted; it will hang after saying "NTFS version x.xx" or such. If there is disk activity, just wait, it may take a while.
2007-09-27
  • Patched up NTFS driver to get rid of hang on mount in many cases (after selecting disk). Got many problem reports on this. At the same time someone on the NTFS-for-linux mailinglist mentioned it, and Anton Altaparmakov made a patch very quick. Thank you Anton!
  • Nice if people experiencing the hang in 2007-09-23 can mail me and tell if the fix worked or not. Thanks!
  • NOTE: It may still take up to a minute or two to select the disk.
  • Floppy version had a script bug making it crash in the first menu. Fixed.
  • CCISS driver (HP/Compaq DLxxx etc) had different device paths. Hacked in support for it, may not be 100% still.
2007-09-23
  • Floppy version is back! (requires 3 floppies to get all drivers, but you can compose your own driver set so you only need 2)
  • Yes, VISTA is supported (even more)
  • Disk select now indicates which disks are removable, ie are USB keys for instance.
  • Check for "read-only" NTFS mount, you get instructions on what to do if there are problems with the disk so changes won't be saved.
  • Missed out on some IDE/ATA and SATA drivers last time, better now.. I hope.
  • User can be added to the administrator group, making them administrators.
  • Stupid typo in readme.txt on CD fixed, on how to make USB bootable.
2007-04-09
  • Now with Vista support!
  • Newer drivers, better probe/loader. Should be able to auto-load all relevant drivers for PCI based disk hardware.
  • Better manual selection of drivers (if you need to load ISA drivers for example)
  • CD only release at this time. If anyone need me to continue floppy releases, please mail me.
  • USB drive can be made out of the files on the CD, see readme.txt on the CD.
2005-03-03
  • New CD release (sorry, when yet again rewiring the driver stuff, I did not have time to make floppy stuff work)
  • Contains disk driver updates (SATA maybe more working now)?
  • New driver auto-probe and load. Better now?
  • NTFS updates, writes should be more safe, I hope, working more often.
  • No changes to the password routines themselves.
(earlier history removed)
9705xx
  • First public release.

Download

Note: Some links may be offsite.
CD release, see below on how to use
  • cd100627.zip (~4MB) - Bootable CD image. (md5sum: 6d80cdfbba97457e413f95a3554d9524 cd100627.zip)
  • cd080802.zip (~3MB) - Previous version CD image. (md5sum: 33ecd38263f935b82e7b2e3e9f5de563)
Bootable USB drive may be made from the files on the CD. See readme.txt on the CD.
Floppy release (not updated anymore), see below on how to use them
  • bd080526.zip (~1.4M) - Bootdisk image (md5sum: 37889e4c540504e59132bdcdfe7f9bb7)
  • drivers1-080526.zip (~310K) - Disk drivers (mostly PATA/SATA) (md5sum: 72ac1731c6ba735d0ac2746a30dbc3ee)
  • drivers2-080526.zip (~1.2M) - Disk drivers (mostly SCSI) (md5sum: 30172bec657c85a5f1a0b43601452fb7)
Previous versions may sometimes be found here (also my site)
NOTE: Versions before 0704xx will corrupt the disk on VISTA!

NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.

How to make the CD

Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like; most support writing ISO images. Often double-clicking on it in Explorer will pop up the program offering to write the image to CD. Once written, the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this, please consult your CD-software manual or friends.
The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.

How to make the floppy

The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block.

  • Unzip the bd zip file to a folder of your choice.
  • There should be 3 files: bdxxxxxx.bin (the floppy image) and rawrite2.exe (the image writing program), and install.bat which uses rawrite2 to write the .bin file to floppy.
  • Insert a floppy in drive A: NOTE: It will lose all previous data!
  • Run (doubleclick) install.bat and follow the on-screen instructions.
  • Thanks to Christopher Geoghegan for the install.bat file (some of it ripped from memtest86 however)
Or from unix:
dd if=bd??????.bin of=/dev/fd0 bs=18k

How to make and use the drivers floppy


  • Simply copy the zip file onto an empty floppy.
  • You MUST NOT UNZIP THE ZIP FILE!
  • Depending on your hardware you may only need one of the driver sets or the other, or maybe both.
  • To use, insert one of the driver floppies when asked for it after booting, the zip file will be unzipped to memory.
  • If no drivers matched (no harddisk found), you can select 'f' from the main menu to load the other driver set.
  • Then select 'd' to auto-start the new drivers (if it matches your hardware)
  • Sometimes it fails detecting the floppy change and you get an error, just select 'f' again, it works the second time.
  • For more advanced users who use this often, it is possible to unzip just the drivers you need and zip them up into a new zip archive. The zip file name must start with "drivers", the rest is ignored. (it unzips drivers*.zip)


Other places to go for password and disk recovery


Bootdisk credits and license

Most of the stuff on the bootdisk is either GPL, BSD or similar license, you can basically do whatever you want with all of it, the sourcecode and licenses can be found at their sites, I did not change/patch anything.
The "chntpw" program (password changer, registry editor) is licensed under GNU GPL v2. COPYING.txt
Stuff I used, big thanks:

Administrator and User Passwords in Windows XP

Direct Bootup Without Typing Password
1. At a command prompt, type "control userpasswords2" and press Enter to open the Windows 2000-style User Accounts application.
2. On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box and then click OK.
3. In the Automatically Log On dialog box that appears, type the user name and password for the account you want to be logged on each time you start your computer.
Remove Login Password
Control Panel/Administrative Tools/Local Security Settings/Minimum Password Length/Reduce it to 0 (No password required). Control Panel/User Account/Your Account/Remove Password. 
After you log on as an administrator to a computer that is not a member of a domain, when you double-click User Accounts in Control Panel to change the password for the built-in Administrator account, the Administrator account may not appear in the list of user accounts. Consequently, you cannot change its password.

This behavior can occur because the Administrator account logon option appears only in Safe mode if more than one account is created on the system. The Administrator account is available in Normal mode only if there are no other accounts on the system.  To work around this behavior:

- If you are running Windows XP Home Edition, restart the computer and then use a power user account to log on to the computer in Safe mode.

- If you are running Windows XP Professional, reset the password in the Local Users and Groups snap-in in Microsoft Management Console (MMC):

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click Users.
5. In the right pane, right-click Administrator, and then click Set Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click OK.
How to use the net user command to change a user's password at a Windows command prompt: only administrators can change domain passwords at the Windows command prompt. To change a user's password at the command prompt, log on as an administrator and type: "net user * /domain" (without the quotation marks)

When you are prompted to type a password for the user, type the new password, not the existing password. After you type the new password, the system prompts you to retype the password to confirm. The password is now changed.

Alternatively, you can type the following command:  net user .  When you do so, the password changes without prompting you again. This command also enables you to change passwords in a batch file.

Non-administrators receive a "System error 5 has occurred. Access is denied" error message when they attempt to change the password.

If you set a computer for auto logon, anyone who can physically obtain access to the computer can gain access to all of the computer contents, including any network or networks it is connected to. In addition, if you enable autologon, the password is stored in the registry in plaintext. The specific registry key that stores this value is remotely readable by the Authenticated Users group.
As a result, this setting is only appropriate for cases where the computer is physically secured, and steps have been taken to ensure that untrusted users cannot remotely access the registry.
1. Start/Run/Regedit, and then locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
2. Using your account name and password, double-click the DefaultUserName entry, type your user name, and then click OK.
3. Double-click the DefaultPassword entry, type your password, and then click OK.

NOTE: The DefaultPassword value may not exist. If it does not:

a. Click Add Value on the Edit menu.
b. In the Value Name box, type DefaultPassword, and then click REG_SZ for the Data Type.
c. Type your password in the String box, and then save your changes.

Also, if no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), thus disabling the AutoAdminLogon feature.

4. Click Add Value on the Edit menu, enter AutoAdminLogon in the Value Name box, and then click REG_SZ for the Data Type.
5. Type "1" (without the quotation marks) in the String box, and then save your changes.
6. Quit Regedit.
7. Click Start, click Shutdown, and then click OK to turn off your computer.
8. Restart your computer and Windows. You are now able to log on automatically.

NOTE: To bypass the AutoAdminLogon process, and to log on as a different user, hold down the SHIFT key after you log off or after Windows restarts.

Note that this procedure only applies to the first logon. To enforce this setting for subsequent logoffs, the administrator must set the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: ForceAutoLogon
Type: REG_SZ
Data: 1
After you upgrade a Microsoft Windows 2000-based computer, Windows XP Professional may start directly to the desktop without stopping at the Welcome screen or requiring you to type a username and password. If you then create a new user account, you may not receive any option that allows you to log on by using the new account.
This behavior can occur if Windows 2000 was configured for automatic logon (Autologon). Windows XP inherits this configuration setting. 
To resolve this behavior, turn off the automatic logon feature and require a username and password at logon:

1. Click Start on the Windows taskbar, and then click Run.
2. In the Open box, type control userpasswords2, and then click OK.
3. In the dialog box that appears, click to select the "Users must enter a user name and password to use this computer" check box, and then click OK.

To work around this behavior, log off from the Autologon account, and then log on by using the new account.

When you create a new user on a Microsoft Windows XP Home Edition-based computer, you are not prompted to create a password.  To create a password for a user account, click the icon for the account, and then click "Create a Password".

Stored User Names and Passwords Feature Interoperability at a Command Prompt

By default, the Stored User Names and Passwords feature creates a "key" for any connection that you make in the graphical user interface (GUI) that requires alternate credentials. When you make a connection at a command prompt by using the net use command and by passing alternate credentials, a key is not created.
For the net use command to save the credentials in Credential Manager, use the /savecred switch. When you use the /savecred switch, any credentials that you are prompted for when you use the net use command are saved as a key.
Therefore, if you are prompted for the user name and password (or if you are prompted only for the password) when you use the net use command (but not because you used an asterisk [*] in the net use command for password prompting) and the /savecred switch, the credentials are saved.
When you type the net use * \\computer_name\share_name /savecred command, the user is prompted for a user name, and then the user is prompted for a password.

When you type the net use * \\computer_name\share_name /u:domain_name\user_name /savecred command, the user is prompted for a password.

However, when you type one of the following commands, a key is not created:
net use * \\computer_name\share_name * /user:domain_name\user_name /savecred
-or-
net use * \\computer_name\share_name * /savecred /user:domain_name\user_name

If you type net help use at a command prompt, more information is displayed about the net use command.
Password Has Expired Message
Start/Programs/Administrative Tools/Local Security Policy/Account Policies/Password Policy.  In the right pane, right click, properties, modify (use accordingly). And Start/Programs/Administrative Tools/Computer Management/Local Users and Groups/Right Click "User"(intended)/Properties...Or with Admin privileges, at a command prompt type: net accounts /maxpwage:unlimited.
To Create a Password Reset Disk
The Forgotten Password Wizard lets you create a password reset disk that you can use to recover your user account and personalized computer settings if you forget your password.  The steps to perform this task differ depending on whether your computer is a member of a network domain or is part of a workgroup (or is a stand-alone computer).

My Computer is on a Domain

Press CTRL+ALT+DELETE to open the Windows Security dialog box.  Click Change Password.
Click Backup to open the Forgotten Password Wizard. Click Next and then follow the instructions as they appear on the screen.

My Computer is not on a Domain

The steps to perform this task differ depending on the type of user account you have. If you have a computer administrator account:  Open User Accounts in Control Panel. Click your account name. Under Related Tasks located on the left side of the window, click Prevent a forgotten password. In the Forgotten Password Wizard, follow the instructions as they appear on the screen.

If you Have a Limited Account

Open User Accounts in Control Panel. Under Related Tasks located on the left side of the window, click Prevent a forgotten password. In the Forgotten Password Wizard, follow the instructions as they appear on the screen.

Notes: To open User Accounts, click Start, point to Settings, click Control Panel, and then click User Accounts.
Certain programs do not work correctly if you log on through a Limited User Account. After you log on to a computer by using a Limited User Account, you may observe one or more of the following behaviors when you try to use a program that is not expressly designed for Windows XP. Information here.
Password Reset Disk Overview

To protect user accounts in the event that the user forgets the password, every local user should make a password reset disk and keep it in a safe place. Then, if the user forgets his or her password, the password can be reset using the password reset disk and the user is able to access the local user account again.
After you reset the password of an account on a Windows XP-based computer that is joined to a workgroup, you may lose access to the user's:  Web page credentials, File share credentials, EFS-encrypted files, Certificates with private keys (SIGNED/ENCRYPTed e-mail). More information in detail here.
I assume no responsibility for the purpose to which this information is used. This includes employees attempting to bypass restrictions put into place by System Administrators on corporate machines.
Boot up with DOS and delete the sam.exe and sam.log files from Winnt\system32\config in your hard drive. Now when you boot up in NT the password on your built-in administrator account will be blank (No password). This solution works only if your hard drive is FAT.  [Editor's note: Use with caution, there may be other ramifications from performing this tip.]
This is a utility to (re)set the password of any user that has a valid (local) account on your NT system, by modifying the crypted password in the registry's SAM file. You do not need to know the old password to set a new one.

It works offline, that is, you have to shut down your computer and boot off a floppy disk. The bootdisk includes stuff to access NTFS partitions and scripts to glue the whole thing together. Note: It will now also work with SYSKEY, including the option to turn it off! More information here. Download here.
All Passwords-Master Copy
With Darn! Passwords! Just one password opens the safe that holds all those other ones for programs and web sites that require you to log in.  Download Here.

Just pick the password, and drag it and its log-in (if there is one) into the program that uses it. No retyping is necessary (even in programs that do not accept the drag, you can just paste the password in). Go to the URL of a password protected site with the click of a button.
Passwords That Are Restored:

1. Program passwords are restored, such as Hotmail Messenger, AOL Messenger, Yahoo Messenger, and other Web server-based passwords. This behavior is by design: The programs simply cache these passwords; the actual passwords are stored on a Web server. System Restore does not actually change the password, but it changes the password that is remembered by the program. You can use the current password for the program to log on to the server.

2. Domain and Computer passwords are restored. This behavior is by Design and is a limitation of System Restore. System Restore only rolls back the local machine state. Part of the information about joining domains resides in Active Directory, and Active Directory is not rolled back by System Restore.
The Migration Wizard does not migrate passwords. Passwords for Dial-Up Networking connections, Microsoft Outlook Express accounts, Microsoft Internet Explorer saved passwords, mapped drives, and so on will need to be reconfigured once the migration is complete.
The administrator account and password created during Setup are used to log on in Safe Mode only. To create a password for user accounts, double-click Manage Users in Control Panel.
When the Welcome screen appears, the names that are displayed do not match any of the names of users' folders under the Documents and Settings folder or any of the names on the Users tab in Task Manager.

This behavior may occur if you have changed the name of the account in the User Accounts tool in Control Panel. By doing so, the new name appears on the Welcome screen, but the actual account name remains the same. The folders under the Documents and Settings folder and the names that are listed in Task Manager show the actual account name.

To resolve this behavior, if the display name for a user account has been changed, you can find out which account the new display name belongs to by logging on as that user, starting Task Manager, and then clicking the Users tab.

The user account that is marked as active is the one that is currently logged on. Also, you can find out which of the folders under Documents and Settings belongs to the currently logged-on user by right-clicking Start, and then clicking Explore. Windows Explorer will then start in the Start Menu folder of the currently logged-on user's folder.

This behavior can occur for either of the following reasons: when the default screen saver is set to use a non-existent screen saver program, and/or when you use a corrupted screen saver that is password protected. More Information.
The following registry setting is read every time the computer is locked: Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ForceUnlockLogon
REG_DWORD

0 - Do not force authentication online (default)
1 - Require online authentication to unlock

The preceding value controls whether a full logon is performed during the unlock process. This can force a validation at the domain controller for the user attempting the unlock process.

NOTE: If the value is not present, it functions as if it had been set to 0 (zero).
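The autologon values described earlier (AutoAdminLogon, DefaultUserName, DefaultPassword, ForceAutoLogon) and the ForceUnlockLogon value above are all under the same Winlogon key, so one export of that key can be audited for all of them. The following is an added example, not code from the original page or from Microsoft: it parses a .reg export of the Winlogon key and flags the risky combinations; the sample export is constructed, and the finding names and the remediation fragment are my own.

```python
"""Audit a Winlogon registry export for the autologon and unlock-validation
settings described above (added example, not from the original page)."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of what `reg export "HKLM\...\Winlogon" winlogon.reg` could
# return from a machine set up for autologon as the page describes.
# Real exports are UTF-16 text: open them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="helpdesk"
"DefaultDomainName"="WORKSTATION1"
"DefaultPassword"="Summer2009!"
"ForceAutoLogon"="1"
"ForceUnlockLogon"=dword:00000000
'''

def _unescape(s):  # .reg strings escape backslash as \\ and quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, data)}}.
    Handles "..." (REG_SZ) and dword: values; other types are kept as raw text,
    and multi-line hex(...) continuations are not needed for the Winlogon key."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("RAW", data)
    return keys

def audit_winlogon(values):
    """Return (id, severity, message) findings for one Winlogon value dict."""
    def is_on(name):  # "1" as REG_SZ and 1 as REG_DWORD both count as enabled
        entry = values.get(name)
        return entry is not None and str(entry[1]).strip() == "1"

    findings = []
    user = values.get("DefaultUserName", ("REG_SZ", "?"))[1]
    if is_on("AutoAdminLogon") and "DefaultPassword" in values:
        findings.append(("AUTOLOGON_PLAINTEXT", "high",
                         f"AutoAdminLogon=1 with DefaultPassword for {user!r}: the "
                         "password is in clear text, readable by Authenticated Users"))
    elif is_on("AutoAdminLogon"):
        findings.append(("AUTOLOGON_NO_PASSWORD", "info",
                         "AutoAdminLogon=1 without DefaultPassword; Windows resets it to 0"))
    elif "DefaultPassword" in values:
        findings.append(("STALE_PASSWORD", "medium",
                         "DefaultPassword left behind although autologon is off"))
    if is_on("ForceAutoLogon"):
        findings.append(("FORCE_AUTOLOGON", "medium",
                         "ForceAutoLogon=1: autologon repeats after every logoff"))
    if not is_on("ForceUnlockLogon"):
        findings.append(("UNLOCK_NOT_VALIDATED", "low",
                         "ForceUnlockLogon absent or 0: unlock is not validated online"))
    return findings

def audit_reg_text(text):
    """Find the Winlogon key in a .reg export (case-insensitive) and audit it."""
    for path, values in parse_reg(text).items():
        if path.lower() == WINLOGON_KEY.lower():
            return audit_winlogon(values)
    return []

def remediation_reg():
    """A .reg fragment that turns autologon off and deletes the stored password
    ("Name"=- is the .reg syntax for deleting a value)."""
    return ("Windows Registry Editor Version 5.00\n\n" f"[{WINLOGON_KEY}]\n"
            '"AutoAdminLogon"="0"\n"DefaultPassword"=-\n"ForceAutoLogon"=-\n')
```

Running audit_reg_text(SAMPLE_REG) reports the plaintext autologon password, the ForceAutoLogon setting and the unvalidated unlock; importing the fragment from remediation_reg() with regedit removes the first two.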
To use the shortcut, press the Windows logo key+L. The following list has different computer lock-up scenarios that are available to you, as well as other ways to lock the computer: Click Here.
Create a Shortcut to Lock Computer
Right click a blank space on the desktop, select new, shortcut. Copy and Paste this line: "rundll32.exe user32.dll,LockWorkStation" in the program location box. Click next and create a name for your shortcut, click finish.
Lock the Taskbar
This restriction is used to force the locking of the taskbar and restrict users from making any changes to its position. Start/Run/Regedit:  Navigate to this key and create a new DWORD value, or modify the existing value, called 'LockTaskbar' and edit the value according to the settings below.  Exit your registry, you may need to restart or log out of Windows for the change to take effect.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: LockTaskbar
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = Unlocked, 1 = Locked)