More About Password Recovery

Last week, I wrote about recovering lost Administrator passwords. I received lots of responses from people who want to share other quick methods of password recovery. Thanks to everyone who responded! Here are the reader suggestions in summary.

Several readers wrote that Petter Nordahl-Hagen has a free tool available that can reset any user account password, including the Administrator account.

The tool uses a Linux 3.5" boot disk to access the SAM database and reportedly even works on systems that have SYSKEY enabled. Nordahl-Hagen has made the source code available, and Christophe Grenier has subsequently ported the tool to DOS so users can run it in a DOS command window under Windows NT. Find out more here.

Several other readers wrote to remind me that, in many cases, users can trick NT into running applications under privileged accounts. This tactic lets users gain system-level access and reset passwords with the User Manager application. For example, you can install a second copy of NT on a locked-out machine and boot that new copy. After the NT copy is running, you locate the logon.scr screensaver file in the locked-out system's %SYSTEMROOT%SYSTEM32 subdirectory, rename it, copy usrmgr.exe or cmd.exe to logon.scr on the locked-out system. You then boot the locked-out system and wait for the screensaver to kick in. At that point, instead of launching the normal screensaver, NT will launch User Manager or a DOS command window under the context of the SYSTEM account. You can then reset passwords.

In relation to the method described in the preceding paragraph, Steve French pointed out that you can replace system files using a modified Emergency Repair Disk (ERD), as Microsoft article Q164471 explains. Using the method outlined in the document, you can replace the logon.scr file with a renamed copy of usrmgr.exe, cmd.exe, or other application using NT's native recovery system to provide access to the file system.

Ted Tang wrote that another free password recovery utility is available from Ken Pfiel's NTToolBox. The utility is a Linux boot disk with NTFS support and a password-resetting tool. Download the file (LinNT.zip), unzip it, and run the rawrite.exe program to create the boot disk and associated files. Be sure to download the utility's updated binary file, also linked on the NTToolBox download page. This utility might not work on systems that have SYSKEY installed.

Other readers reminded me that when NT boots and finds the SAM database missing, NT creates a new SAM database with a blank administrator password. You can then log on and define the user accounts and passwords as you see fit. Keep in mind that if you delete the SAM database, you lose all account information held therein, so you probably don't want to try this method on a domain controller. Nonetheless, to access a system's NTFS file system to delete the SAM database, you can use a Linux boot disk, NTFSDOS Professional from Winternals Software, or a second NT installation on the same system, or you can install the drive to another accessible NT system. But if you can install the drive to another system, you'll find it simpler to use Christophe Grenier's DOS port of Nordahl-Hagen's utility to reset any unknown passwords.

Don't overlook the rather obvious value of using an ERD. If you keep updated ERDs for all your systems, you can usually recover locked-out systems without third-party solutions.

One final note: In last week's editorial, the URL for L0phtCrack was incorrect: I overlooked the fact that the L0pht's UNIX-based Web server is case sensitive. Here's the correct URL. http://www.l0pht.com/l0phtcrack