Domain: winternals.com
Stories and comments across the archive that link to winternals.com.
Comments · 44
-
Re:Metric to Imperial measurement error?
I Forgot My Administrator Password! by Vic Ferri
This article is protected by Copyscape! DO NOT COPY without permission!
Skill rating level 4.
Can't Log On to Windows XP? If that's your only problem, then you probably have nothing to worry about. As long as you have your Windows XP CD, you can get back into your system using a simple but effective method made possible by a little-known access hole in Windows XP. This method is easy enough for newbies to follow - it doesn't require using the Recovery Console or any complicated commands. And it's free - I mention that because you can pay two hundred dollars for an emergency download of Winternals ERD with Locksmith, which is a utility for unlocking lost Windows passwords. See here: http://www.winternals.com/products/repairandrecovery/locksmith.asp
ERD is an excellent multi-purpose product, but you should know it is not a necessary one if you have a healthy system and your sole problem is the inability to log on to Windows due to a forgotten password. Not necessary because you can easily change or wipe out your Administrator password for free during a Windows XP Repair. Here's how, with a step-by-step description of the initial Repair process included for newbies.
1. Place your Windows XP CD in your CD-ROM and start your computer (it's assumed here that your XP CD is bootable - as it should be - and that you have your BIOS set to boot from CD).
2. Keep your eye on the screen messages for booting to your CD. Typically, it will be "Press any key to boot from CD".
3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.
4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now.
5. The Licensing Agreement comes next - Press F8 to accept it.
6. The next screen is the Setup screen which gives you the option to do a Repair. It should read something like "If one of the following Windows XP installations is damaged, Setup can try to repair it". Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.
7. Let the Repair run. Setup will now check your disks and then start copying files, which can take several minutes.
8. Shortly after the Copying Files stage, you will be required to reboot. (This will happen automatically - you will see a progress bar stating "Your computer will reboot in 15 seconds".)
9. During the reboot, do not make the mistake of "pressing any key" to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.
10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.
11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.
12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for a password. After you've made your changes, close the windows, exit the command box and continue on with the Repair (have your Product key handy).
13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.
I tested the above on Windows XP Pro with and without SP1 and also used this method in a real situation where someone could not remember their password and it worked like a charm to fix the problem. This security hole allows access to
-
Not quite...
Err... Not quite. Not all of the SysInternals tools were migrated, and NONE of the source code was. Microsoft's hiding behind some pretty lame excuses (e.g. "They're using undocumented APIs!" or "Hackers are using it to make spyware!") for not distributing the source code.
The Winternals Administrator's Pak is also being discontinued, and will have its functionality available only to those with Software Assurance agreements. -
For Windows, spend some money
I used to carry BartPE and I still recommend it to budget-constrained folks. However, spending some money for Winternals was one of the best things my employer ever did. It boots faster, comes with more and better tools by default, and gives me the easy network awareness that makes it possible for me to do my job better.
On the free side, when trying to revive the virus-infested home computers of friends, I find Chronomium to be wonderful. You plug in a USB key with a current Clam AV signature file and boot from the disk. It then runs through the drive and deletes all virus-infected files. For a very quick "either fix it or pronounce it fully broken so we can start over" situation, it's without peer.
-
Don't Panic PANIC BUTTON
netr00t's got solid advice for you.
http://slashdot.org/~netr00t
I would add, get a Lawyer, as in, have a Lawyer (anyway).
If you're in the USA, you should know by now, mostly morons make the "rules" of conduct, try not to participate.
Pay the Man:
http://www.forescout.com/index.php?url=products&section=activescout
http://www.winternals.com/
Useful:
http://www.sysinternals.com/SecurityUtilities.html
http://www.porcupine.org/forensics/forensic-discovery/
http://www.fish2.com/tct/help-when-broken-into
Firewalls and Internet Security
http://www.wilyhacker.com/
First Ed. (online)
http://www.wilyhacker.com/1e/
Practical UNIX and Internet Security
http://www.oreilly.com/catalog/puis3/
FWIW
http://exuberant.ms11.net/index.html
http://exuberant.ms11.net/98sesp.html
http://exuberant.ms11.net/links.html
http://www.oldversion.com/ -
My Kit
I have mine split three ways. First up is my DOS setup with every free tool I could find as well as NTFSDOS.SYS so I can read/write NTFS partitions. The second split is my Windows utilities folder with my benchmarking, burn-in, testing tools (DocMem and all HD test utilities), all the tools from the http://www.systernals.com/ freeware collection and my AdminPack from the http://www.winternals.com/ site, and the usual suspects for scanning for virii, worms, spyware, etc. ad nauseum. It also has my partitioning tool (Paragon Hard Disk Manager) that I love, my complete driver collection, and all the updates for 98/98SE, 2000, XP, and Server 2003 that I've collected over the years.
You could just as easily put all those on a CD as well. However, what gives my setup character is that I've collected a ton of freeware and free-for-personal-use stuff over the years that I install on all my clients' machines (they all use Windows, sad to say). Firewalls, AdAware SE Personal, ClamWin, Spybot S&D, Hijack This!, IrfanView, WinRAR (and I encourage them to register it!), CacheMem 5.11, Easy Burn, X-SetUp free or Pro depending on if they want to register it, which they usually do, and a ton of other stuff. It's a tight fit actually. Between the NewOwner folder, my massive collection of drivers, and those service packs, it's a wonder it fits at all. Still, it beats trying to get this stuff via dial-up, which is what most of my clients, even business (!), are still using.
-
Re:Guess which tool isn't accessible
Locksmith is part of ERD2005: http://www.winternals.com/Common/Images/Products/AdministratorsPak/Screenshot-ERDCommander2005.jpg
btw look at the image, I guess they will replace the Firefox with IE now... -
Re:Guess which tool isn't accessible - None ?
The locksmith tool has been moved into the Administrator's Pak.
http://www.winternals.com/Products/AdministratorsPak/Default.aspx -
Re:Winternals v. Best Buy?
That suit is already settled: http://www.winternals.com/Company/PressRelease90.aspx -
Re:Guess which tool isn't accessible
"Locksmith
.. has been incorporated into .. you may purchase the emergency-download version of ERD Commander 2005"
Google Cache
http://tinyurl.com/s2jjy -
Re:Guess which tool isn't accessible
http://64.233.187.104/search?q=cache:a8B3S2aNwN0J:www.winternals.com/Products/LockSmith/+winternals+locksmith&hl=en&gl=us&ct=clnk&cd=1&lr=lang_en
Locksmith, a powerful utility for unlocking lost passwords on Windows NT/2000/XP/Server 2003 systems, has been incorporated into other Winternals products, and is no longer sold as an add-on module.
http://www.winternals.com/Products/AdministratorsPak/Default.aspx#erdcommander2005
Includes the Locksmith utility to reset lost Administrator passwords
-
Guess which tool isn't accessible
http://www.winternals.com/products/repairandrecovery/locksmith.asp
what a surprise... Microsoft takes down the locksmith. Anyone have it for me?
Thanks -
Re:Stop perpetuating the myth ...
You can make any program run with administrator privileges with PolicyMaker Application Security or ProtectionManager, neither of which asks for the admin password. The first is free if you don't use remote administration; don't know about the second.
-
"Rogue" store is all over USA...
...according to http://www.winternals.com/legal/ (see Motion for Restraining Order). BB employees were caught with unlicensed Winternals software in 50% of the cases, in Boston, Washington, Pennsylvania and California. And with the same "License No" too...
-
I do not think "geeks fault" defense will stick
http://www.winternals.com/legal/ - see Motion for Expedited Discovery there. There is a question, eh.. sorry, "interrogatory" No. 6:
"Please provide a complete list of all licensed software provided by you to Geeks in the last 5 years..." -
Same "license" number all over the country
It looks like it. According to docs on http://www.winternals.com/legal/ the "license" number on the cracked program was the same in Boston and Pennsylvania.
-
BestBuy rates: $450 for 20 minutes work
You may want to check http://www.winternals.com/legal/Plaintiff's%20App%20for%20Temporary%20Restraining%20Order%20and%20Injunction.pdf . It's a hilarious doc in itself, describing in detail how exactly BB employees were caught using unlicensed software (on video included). And there are receipts for their service attached. Nowhere near $30/hour, nowhere near... -
Re:MOD PARENT UP INFORMATIVE
Unlikely Hero: If you are an ex-Geek Squad employee and willing to help Winternals with its investigation, go to http://www.winternals.com/survey/ and fill out the survey.
-
For *nix only geeks
Winternals is a respected company whose chief software architect is Mark Russinovich (sysinternals.com owner).
http://www.winternals.com/Company/Management.aspx
Yes, the same guy who busted Sony Entertainment installing vandal tools on audio CD customers' machines. Also the same guy giving some excellent, open-source freeware to Windows users via his personal site.
In case you are confused...
It is not a "let's sue a big company" type of company, I mean. Also IT HAS NOTHING TO DO WITH MY RIGHTS (YRO?). I don't have a right to piracy and am happy with it. If I can't/don't buy software, I use freeware alternatives and donate to them. -
Re:It's Microsoft's operating system.
You have no idea what you're talking about - the recovery console runs in protected mode just as Windows itself does. The only part of Windows that's in real mode is the NTLDR.
There are products available that offer a better recovery environment than the Windows recovery console. Two that come to mind are Bart's PE Builder and ERD Commander. -
Re:Bullshite
> Bart PE is a completely reverse engineered version of WinPE, with its own build process.
Correct.
> It is not his own code.
Excuse me?
> It uses Microsoft's own code,
You have evidence of that?
If you mean he used Microsoft's SDK to build his reverse-engineered product, then you are probably right. In that case, everyone who has ever written code using Microsoft's products, including these folks, is illegally copyrighting code. Check out the licensing on the linked website. Those silly people actually believe they own that code!
> ...and boots using 99.999% of the code WinPE uses.
Where is the proof of your five-nines claim?
> It IS WinPE.
Then why hasn't Microsoft's legal division shut them down? Are you telling me that a Microsoft Project Manager knows BartsPE exists and they haven't slapped him with a C&D order?
Bullshite indeed. -
ERD
Why not just use a CD? I use ERD Commander.
-
Re:Google and Sysinternals...
If you were Google, you would actually buy Winternals, which is the for-profit side. But, I don't think Google wants to buy a Windows utilities company.
-
newbie article
I'd like to see an article where someone takes popular "Windows fix it tools for admins" (like this one) and writes an easy-to-understand tutorial for newbies.
Until then, these hacks will only be available to the uber geeks (not that that's always a bad thing). -
No
- Am I condemned to stay with NTFS?
Windows supports FAT32 and ISO9660 out of the box. FAT32 does not provide enough error recovery to be recommendable. People using ISO9660 as a hard-drive file system are crazy masochists -- enough said. There are seemingly abandoned ports of Ext2 and ReiserFS out there. None of them are in any sense stable for production use.
Why aren't there more file systems available on Windows? The first clue is that Windows is not an open-source platform; open-source hackers tend to live on open-source platforms. The people who work on kernel-level development under Windows are likely to be pursuing commercial software from the outset.
Furthermore, Windows kernel development is something of a black art; it is hard enough that you need to have some vested interest in the platform in order to stay; you would want to live and breathe Windows kernel APIs. (APIs, incidentally, that don't seem constructed for use by humans; for example, due to the limited size of the kernel addressing space, there are several different "kinds" of memory you must carefully allocate and manage yourself. Add to this the awkwardness involved in debugging this stuff, the poor kernel-level development tools offered by Microsoft, the limited documentation, the fact that much third-party information is non-gratis, and of course that the kernel sources themselves are closed, and you have one painful hobby.) In short, you would want to become a kernel specialist.
These painfully-accrued skills are worth their weight in gold, and used to leverage careers as highly-paid consultants or highly-paid trainers, or both. And some, of course, are driver writers for hardware companies.
There's a further reason: Linux file system drivers, in my experience, are designed to be, well, Linux file system drivers. Witness the amount of effort taken by IBM and SGI to port their proprietary journaling file systems to Linux -- and this was from one Unix-like kernel to another. Windows' internal file-system driver API is completely different from Linux'. Porting one file system not only requires a lot of knowledge about the different kernel APIs, but also about the file system itself, because most likely the file-system code is not cleanly separated from the kernel-specific code; you can't just sit down and write an adapter layer. (This is actually mostly speculation, but based on casual perusal of some existing driver code.)
There will be viable, open-source file systems on Windows the day somebody takes the time and effort to implement (and maintain) one. As for myself, I bought the book and started; I gave up not because it was technically challenging, but because it was no fun, and there was more interesting knowledge out there that I wanted to store in my brain.
-
Re:YaST - great for newbs but...
> 1. It is way too complex. There is no way you can understand it all or hand edit it if required.
That's a programmer problem, not a design problem. Not to mention that many config files are way too complex as well. One thing that's nice about config files, however, is that you can include comments. While you could do this with the registry (with the EXPAND_SZ, expand string, type) it's not optimal as it increases the size. And nobody does it. [aside] If programmers don't want you to change values or the values are meaningless... why make it changeable? Why not hard code it?
A redesign of the registry with a separate table for comments would be interesting, I think. That way, when using editing tools, the comment table could be referenced. But, when loading or executing software, the comments would not hinder performance.
> If it is corrupted, your whole OS won't even boot.
While I somewhat agree on this point, I have to note that corrupted config files will also prevent Linux from booting. I don't know the format that Windows uses for the registry tables, but it should be recoverable. Also note that I've yet to see any registry corruption on Win2000+, except with HW failures. I think the inclusion of something similar to BartPE or ERD Commander would also be a worthwhile replacement to MSFT's extremely limited Recovery Console. And frequent, automated, timed backups of the registry (at least OS configuration) should be done.
> 3. It's huge! 45MB on my fairly clean XP box. (Although it is in a domain and has policies applied to it, etc, etc, but not much software.)
My Win2003 server, excluding registry backups and the user.dat portion, is only 23MB. 17MB of that is in HKLM\SOFTWARE (I have a lot of software installed). Perhaps someone handier than me in Linux could tell us what size all of the config files for a normal desktop come to (actual space on disk, not just data size).
> You can't move the registry between machines, let alone between different versions of Windows. I can move my .config file between the 2.4 & 2.6 kernel if necessary, it just ignores what it doesn't know.
While true that you can't move some parts of the registry between machines (parts dealing with hardware and the like), software configuration is easily moved. I don't recommend moving the entire hive, as it would no doubt cause problems, but .REG files can be imported/exported with no problem. And .REG files are pretty portable (and text based), though it does require some editing and checking of data types to move from NT based to 9x based machines. With NT becoming the standard, though, that concern should go away.
> Several smaller independent registries might work better. e.g. one for linux conf, one for X, one for KDE, etc. So each one has a small well defined file for all configs.
Perhaps a DBA could chime in with better info, but I think that you would then be duplicating database structure overhead on each of those files. While I see the concern of a single point of failure for all software in the machine, automated backups and sensible defaults should mitigate that somewhat.
I think the main advantage of the registry is a central location for configurable values. By using a database, you should also have the advantage of database reliability and performance. Of course, the real problem with it would be getting everyone to use it.
-
Spyware detection tools for Linux?
I want to create a custom data recovery, virus scanning and hopefully spyware detection CD using SystemRescueCd and Sophos AV for Linux. The only thing missing in this equation is anti-spyware software that runs on Linux but scans Win2k/XP partitions. My alternative to this solution is using a DOS boot disk then use something like Winternals NTFSDOS Pro and finally run Sophos AV for DOS - which would still not give me an anti-spyware tool unless the host OS is used. The Linux CD would make use of the Captive project to access the NTFS partitions with R/W capabilities. Obviously I would prefer using the Linux solution, I guess I could scan for viruses first and then boot into Windows to run Ad-Aware but I'm curious if there's an opensource or commercial project that deals with this on Linux.
-
What I've found useful...
I manage a second level support group at a fairly large company. We've found that On-Track's Easy Recovery Professional is AWESOME. It fixes 200-some file extensions. All office suite files, zips, etc. We used it a lot on enormous PST files that would blow up at ~2GB. It fixes them in half the time of M$'s ScanPST tool.
Further, this product will do all sorts of HDD checks, and does great file recovery. It's saved our asses a bunch of times. Just take a read.
It might seem kind of expensive to someone on their own, but not to a mid-sized company. It's worth its weight to me. They do have different licensing options and offer different/lighter versions of the product for less $$$.
The sucky thing about its licensing scheme is that it's based on how many drives you run it on.
I've also heard that Winternals has a great product but if I remember correctly it was really expensive.
-
ERD Commander
As far as I am concerned... ERD Commander from Winternals has always been my tool of choice.
You can boot up a stripped version of Windows. Unlock admin accounts. Access the local net, make backups of documents on an otherwise f**ked up hard drive... And yes, there is a command prompt.
And no, I am not affiliated with Winternals, but ERD Commander has been around since NT4.0-days, if I remember correctly.
Maybe this is some kind of free tool, unlike ERD Commander, but it isn't news.
-
Bart's fixes some of the crippledness of Win XP.
The Winternals product costs maybe $300. Bart's is free.
Also, it doesn't matter if Bart's is new. What matters is that more people need to hear about it.
I wish Bart's was better documented and easier to customize.
Note that Bart is doing for Microsoft customers what Microsoft should have done. Microsoft provides PE only for its biggest customers. Everyone else gets a crippled version of the OS.
Even if you have Bart's Windows XP is still crippled: "Microsoft Windows 2000 and Windows XP have crippled file systems." The file system cannot copy some of the files that are necessary to the operating system. Microsoft provides no way of making functional backups of its newer operating systems! (Yes, I know about Sysprep and NTBackup and third-party methods. Microsoft technical support agrees with my statement.) -
MS allows most users to think they are secure.
There is a pattern here: Put in passwords, call it "protection", and allow users to believe they have security, when they don't. For example, Bart's PE Builder allows access to Windows XP systems, and changing the passwords, even when the password to the recovery console is not known. Recovery Manager changes passwords.
-
NTFSDOS
I think this is how NTFSDOS does it. Before you use it, you install their product on a working Windows machine (with NTFS) and generate boot floppies or CDs that then include the Microsoft-owned NTFS code.
-
ERD Commander
ERD Commander is quite good at fixing machines that won't boot. (Windows only)
Usually, this is mainly for data recovery - it's almost easier to image broken workstations than it is to waste 2 hrs fixing it.
-
Re:No write to NTFS under Linux?
Maybe so, but there's always this little DOS util if write access is needed.
There is no problem building a boot disk for BSD to bypass security either, by the way....
-
Re:win2k console?
Another backdoor found!!!!!
Stop the presses!!!! MS is full of holes!!!! OMG GASP!
YET Another backdoor found!!!!! -
Re:I hate to say it..
-
Re:Exactly.
> To a point. But the problem with firewalls is that they lead admins to believe that their boxes are secure. Before I install a firewall for a customer, I always tell them that it won't provide more security, if the box is already insecure.
That's a blatant lie. Why wouldn't a machine, whether secure or insecure to begin with, be more secure behind a firewall? If that was the case, there really wouldn't be a market for firewalls, would there? The point is that a Windows box CAN be hardened, but even so, it's wise to put it behind a firewall... just like a UNIX box.
> Yes, and that shows which processes are listening on those ports? See, on any modern Unix, I can do netstat -ap. This will show not only the ports, but which processes are using them, which was pretty much my point. Once you know which process is responsible, you can make an informed decision as to whether the port needs to be open or not.
Jeez.. if you want to be picky, here you go. ActivePorts (freeware), AntiY, and the one I use, TCPView Pro. Oh, and here's a list of about 10 more. Or do a Google search (or Snort) on the port number and take an intelligent look at your task manager.
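The exchange above turns on one point: knowing which process owns a listening port is what lets an admin decide whether that port needs to be open. As an added example (not part of the original thread), here is a small parser for Linux net-tools `netstat -anp` output that does that mapping over constructed sample lines; the PIDs, program names and addresses in the sample are made up.

```python
"""Map listening sockets to their owning process from `netstat -anp` output.

Parses the Linux net-tools column layout and reports, per listener, the
owning program, whether other hosts can reach it (bound to a wildcard or
non-loopback address), and whether netstat could show the owner at all
(it prints "-" for sockets whose PID it cannot see, e.g. when run
unprivileged). Those are the facts needed to judge a port, as the
comment above argues.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output in the net-tools format; PIDs, names and
# addresses are made up for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1034/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2001/sshd: alice [priv]
tcp6       0      0 :::80                   :::*                    LISTEN      1500/nginx: master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           977/dhclient
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"        # UDP rows leave the State column empty
    r"(?P<owner>-|\d+/.+?)\s*$"          # "-" when netstat cannot see the PID
)


@dataclass
class Listener:
    proto: str
    address: str
    port: int
    pid: Optional[int]
    program: Optional[str]

    @property
    def remote_reachable(self) -> bool:
        # Anything not bound to a loopback address is reachable from the network.
        return self.address not in ("127.0.0.1", "::1")


def _split_addr(local: str):
    host, _, port = local.rpartition(":")   # handles "0.0.0.0:22" and ":::80"
    return host, int(port)


def parse_listeners(text: str) -> List[Listener]:
    """Return one Listener per listening TCP socket and per bound UDP socket."""
    out: List[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # header lines and anything unparseable
        is_udp = m.group("proto").startswith("udp")
        if not is_udp and m.group("state") != "LISTEN":
            continue                        # established/closing TCP sessions are not listeners
        host, port = _split_addr(m.group("local"))
        owner = m.group("owner")
        if owner == "-":
            pid, prog = None, None
        else:
            pid_s, prog = owner.split("/", 1)
            pid = int(pid_s)
        out.append(Listener(m.group("proto"), host, port, pid, prog))
    return out


def needs_attention(text: str):
    """Network-reachable listeners whose owner netstat could not show.

    These cannot be judged from this output alone; rerun as root (or use
    `ss -ltnp` / `lsof -i`) to find the process before deciding on the port.
    """
    return [(l.proto, l.port) for l in parse_listeners(text)
            if l.remote_reachable and l.pid is None]


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto:5} {l.address}:{l.port:<6} owner={l.program or '?'} "
              f"reachable_from_network={l.remote_reachable}")
    print("review first:", needs_attention(SAMPLE_NETSTAT))
```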
-
Have local access? Try Locksmith.
The method in the article seems like a lot of trouble.
This software provides you a new administrator password: Locksmith. -
Addition: EFS doesn't encrypt file names!
Of course, NTFSDOS is incapable of showing the contents of the files.
With this I meant that NTFSDOS can not open encrypted files, normal unencrypted files on NTFS work fine, of course. Also, the link for this program is here.
GekkePrutser
-
Re:Loss of NTFS security
There are a number of tools that allow you to mount NTFS partitions under Win9x and FAT32 under NT 4.0 and other neat stuff. They are made by a company called Winternals.
ZDnet has an article reviewing a few of these tools.
You can even download NTFSDOS for free and try it out.
-
Re:Not exactly...
> I run NT at home and if I used NTFS not only would it be unreadable from linux, it would also be unreadable from my windows95 partition.
I think Winternals might be able to help you to a certain extent.
> 1) Users with multiple OS's on one machine.
... which happens to include most desktop and laptop Linux installations, that I know of anyway.
> 2) Users who wish to have one of those linux versions that run off of a floppy disk (I don't remember any for linux, just picobsd for bsd)
See this, and this. All of these are using a Linux boot disk to break NT security. Mostly useful for admins who don't know the password of the box they're trying to administrate!
It makes me wonder... What was their attitude towards stuff like Norton Utilities back when these things first emerged? Did Norton have permission from M$ to write things like undelete and defrag ? Or did he reverse engineer DOS ?
-
Winternals
The company Winternals provide (and have done for some time) tools which allow you to read and now write NTFS volumes under DOS and Win9x.
I recall reading a M$ knowledgebase article about some methods for deploying NT 4 (I think) that actually recommended using these third party tools. (Oh, and they provide FAT32 support under NT4.)
Now why is it acceptable to make tools that enable Microsoft operating systems to read Microsoft disk formats, but not make those same tools for other operating systems?
Surely Winternals have set a precedent for acceptance of tools capable of utilising NTFS, and the DoJ would have a fit if they weren't attacked when the Linux version was :)
Anyway, the last I recall FAT, FAT32 & Joliet systems have been supported in Linux for some time. Is hacking their flagship (as if) filesystem more punishable? -
Re:You folks realize that.....
Bullshit. Windows 9x gets clobbered repeatedly because EVERY F***ING USER IS ROOT. End of discussion - no OS with that architecture will ever be more than a braindead toy, and I am astonished that Micros~1 hasn't been hit with a multibillion dollar class action lawsuit for damages despite their shrink-wrapped weasel clauses.
That's why NT, even with its crippled "administrator" user, is affected by about half the viruses of W9x. (Why do I call "administrator" crippled? See this)
Unix systems, in contrast, have fairly good protection of root privileges. It's not perfect, and nothing stops a sysadmin from doing something Really Stupid. But with tools like sudo and ksu it's straightforward to ensure that anyone who does something stupid once won't be given a second chance, so you won't see the wildfire propagation that is quickly becoming Micros~1's legacy.