Recover Lost Windows NT Administrator Password

by Wayne Maples [Published on 7 Sept. 2004 / Last Updated on 7 Sept. 2004]

This tip is in the Administrators section. Use this information at your own risk. Any attempt to circumvent an OSs normal security can be disastrous. If you are really, really stuck - this tip may be for you. No warranty is suggested or implied. I have used some of these tools. Sometimes successfully and sometimes not. Those that attempt to overcome Syskey, in particular, seem risky. I have had the most success with the Linux boot disks and a manual brute force dictionary attack using L0phtcrack. These are do-it-yourself tools. There is something to be said for the comfort level of the commercial tools. Consider ElcomSoft for a commercial approach.

If you are interested in these tools or procedures, I suggest download the code and print the procedures now (I have had to remove dead links from this page more than any other - this kind of data seems to disappear fast).

This article kicked off my interest in Penetration Testing. In particular, depending on what you are searching for, you may want to check on my Penetration Testing Tip #12: Password Recovery Resources tip. For core security issues see Wayne's Security Resources.

If your organization has not brought in a team to do a full scope penetration test, you really have no idea how insecure and vulnerable your network really is to internal and external hackers. I guarantee that you will be shocked but its a better security practice to make penetration testing part of your yearly risk analysis than to wait until you have a real incident. Given my experience as an NT systems admin and my experience hacking just such an environment, I will be writing white papers to help the NT admin protect his/her *ss. A critical resource is the administrator's workstation. I strongly recommend you read my paper on how to protect this resource.

There are various offline attacks. Do you have auditing turned on so you can detect when a server has been turned off? Making it vulnerable to offline attacks. If you are not aware of it:

Without physical security, there can be no security.

If you have a resource which needs to be protected, the single most important protection is to restrict physical access.

Easiest: Linux boot disks

There are Linux boot disks that have DOS and NTFS filesystem drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. It is as simply as:

  • shutdown or turnoff the PC
  • put the book disk in the PC and reboot
  • respond to the Linux prompts
    the highest barrier is understanding unix media descriptors
  • select the account whose password hash needs to be rewritten & enter a new password
  • reboot & access using the new password

This process requires physical access to the console and an available floppy drive.

The following site provides the downloadable boot disk image, image to disk utility, source code, and supporting documentation: Offline NT password utility. This version can disable syskey protect. They do note that turning off syskey under Windows 2000 damages the SAM and is not to be attempted except as a last resort to reinstallation. Watch for updates.

See Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System for Microsoft's perspective.

I have seen the Linux boot disks fail primarily on scsi-based boxes when the boot disk did not have the proper scsi driver or when there was some problem detected in the scsi setup. I have also seen PCs where the Linux boot disk works but the SAM seems to be invisible to Linux (although its in its standard location and later access with NTFSDOS allows it to be copied).

What would raise barriers to these types of tools?

  • Lock the PC up.
    Recognized requirement for servers. How many workstations are behind locked doors? Given what you have learned here, shouldn't at least a select set of workstations be secured? Say the officers, personnel, security personnel, ...
  • Power on passwords.
    A decent barrier. There are physical hacks. Are the cases locked?
  • Set BIOS to boot from HD and not from floppy
    Raises the barrier a little.
  • Remove the floppy and lock the case - higher barrier. For a high security environment. Would this fly where you work?
  • Apply Microsoft's syskey to encrypt the hashes. See atips92. Syskey stymies the freeware Linux offline attacks at this point in time. Some of the commercial products state they can reset the password even if Syskey has been applied.
  • Encrypt the hard drive. There are commercial products to do this. NT2000 includes encryption as an NT feature similar to NT4's NT compression feature. None of the methods I am aware of at this time will work under NT2000, even without the encrypting file system feature.

It is not practical in most environments to have high security applied to workstations. But one or more of the less intrusion barriers would increase the time to break in and would increase the probability of exposure to the hacker. This would increase the probability of management acceptance of usage of these tools by legitimate support personnel trying to solve a difficult problems.

Some of the Linux boot disk utility variants leave a footprint. The password is changed. Some include backup/restore features for the sam. With this feature, one could boot a Windows NT PC; backup the sam data; overwrite the pw; reboot; login using the compromised account and do mischief including sending inappropriate email or deleting bits and pieces here and there - darn those unreliable PCs; restore the sam and the owner's pw; since the attack was offline, unless the shutdowns are monitored, the episode is essentially invisible.

The automated nature of these tools makes this available to putzes, baby hackers, and the guy/gal in the office next door. It took me 5 minutes with a very simple search to find the utilities and procedures documented on this page. The security by ignorance barrier is incredibly low.

The level of expertise to take advantage of physical access does vary. These baby tools for NT should make one seriously consider how to improve server and workstation security. Server physical security is generally good except in departmentally distributed servers. Workstation security is a nonentity in all but the most paranoid shops. These tools should give one pause, a act to protect your officers and other PCs with highly sensitive data from hackers.

Sunbelt released NTAccess which can replace the administrator password of a Windows NT; Windows 2000 system with or without Active Directory; or XP. It can bypass syskey protection. NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.

AccessData are in the business of password recovery and sell toolkits which can reset the administrator password under Netware and NT as well as office and personal application products such as Word and Quicken. They provide technical support should things go awry. Given the consequences of problems, tech support can be worth every penny. They also have a set of freebies utilities.

The Passware Kit also offer a fairly extensive password recovery suite including NT and many applications fairly inexpensively. They have recently announced a version of their product to reset Administrator password, secure boot password or key disk if lost: Windows 2000 password product with the following features:

  • 100% recovery rate
  • Windows XP Home and Professional Editions are supported
  • Windows 2000 Professional, Server and Advanced Server are supported
  • Windows NT Workstation and Server 3.50, 3.51, 4.0 are supported
  • Loads third party mass storage (SCSI, RAID, etc.) drivers when using Windows XP, 2000 or NT 4.0 setup disks
  • All secure boot options are supported
  • All Service Packs are supported

WInternals offer NTLockSmith to reset lost NT passwords. It only works in conjunction with NT Recover which is designed to recover data from damaged NT boxes. It sounds much like the Linux solution but uses NT Recover to get to the registry of the target NT box. I suggest you take a close look at their admin tools. Their product is Windows 2000 compatible.

Dieter Spaar's NTAccess uses boot disks to access the NT / Windows 2000 system and change the administrator password. It can turnoff Syskey protection at the cost of the loss of all passwords except the administrators account which it resets. My guess is that they achieve this by deleting the LSA SecureBoot value and replacing the Administrator's password hash. They are not breaking the encryption. Just are turning it off. See my Syskey tip for more information.

Many sites document a rather complex method of resetting the administrator's password. The method takes advantage of the fact that certain system services, such as the spooler, operate under the security context of the local system. By changing the file name of the spooler to another executable it is possible to launch an application with privilege to change password. There are several versions. They work. They are complex. They have the advantage that they do not appeal to hackers - take too long - too much danger of exposure. This technique has the disadvantage that there must be enough space to install another copy of NT. This method is documented : here, here, here, and many other locations.

Some take a much more direct approach. This is actually a method to escalate a user's account to admin level. If you have another account on the box, even though it is not admin, lets say account manager or backup account, you can log onto the system, rename spoolss.exe to spoolssbak.exe, rename usrmgr.exe to spoolss.exe, reboot. When you logon after reboot, User Manager will be running in the foreground running as localsystem. This gives you the ability to reset the admin password to whatever you want, or to create an new admin account for example. You need to logoff and back on using the administrator command to get the renamed files back under their proper names.
Note: for NT workstation, User Manager is musrmgr.exe.

kira bomba states

       I have found out that this method (as described above) doesn't work 
       on a Windows 2000 box. However, you can make it work if you consider 
       the following:
       
       1. It happens that you can't delete the "spoolsv.exe" (win2000 version 
       of "spoolss.exe") file from your harddisk (usually it's in the 
       \winnt\system32 directory). This file is loaded on start-up and can't 
       be stopped using the Task Manager. As long as you can't stop the 
       corresponding process, you can't delete the file, it's locked by the 
       operating system. Even if you find a way to stop the process you can't 
       delete or substitute the file, Windows will automatically replace it 
       with the default version.

       A solution to this problem is to delete the file "offline", i. e. after 
       booting from a DOS floppy. If the harddisk is FAT formatted it will work 
       out just fine. If the harddisk is NTFS formatted you'll need a NTFS driver, 
       like NTFSDOS Pro, downloadable from 
       www.sometips.com/goodstuff/default.htm. 
       When you have booted from  a floppy it's no problem any more to delete 
       "spoolsv.exe" or to replace it. Replace with what? In Windows 2000, there 
       is no "usrmgr.exe" nor "musrmgr.exe". Well, compile the following C program, 
       name it "spoolsv.exe" and put it to where the original file was:
 
        *****************
        #include 

        int main(void)
         {
          system("control userpasswords");
          return 0;
         };
       *****************
       "mmc lusrmgr.msc" instead of "control userpasswords" should work too. When you 
       start Windows next time, as a normal user or as an admin, the User Manager 
       window will open... 
        

Another technique reported on the web which requires a 2nd copy of NT :

  • Install an alternate copy of Windows NT.
  • Boot up the alternate install.
  • Use Start / Control Panel / System / Startup to change the default boot instance to your original install.
  • In the original Windows NT folder, navigate to the \System32 sub-folder.
  • Save a copy of logon.scr, the default logon screen saver.
  • Delete logon.scr.
  • Copy CMD.EXE to logon.scr.
  • Shutdown and restart your original install.
  • Wait for the logon screen saver to initiate. It will actually open a CMD prompt, in the security context of the local system account. Be patient, it sometimes takes several minutes for the command window to popup.
  • Type MUSRMGR, into the CMD prompt to execute User Manager, and reset the Administrator's password.
  • Delete the logon.scr from %SystemRoot%\System32.
  • Rename the saved default screen saver back to logon.scr.

If you have an old ERD from when you knew the admin password, you could use it during a Windows NT repair install to get back to that point. Just be careful, any accounts created since that point will be lost and those not lost will have their passwords reset to an old version.

A method involving removing the HD and placing it in another NT box as an additional drive, is documented here . This approach normally works when nothing else will in most OSs not using encrypting file systems. Guess whether I have tried this approach. Not in NT.

If you have access to current ERD disks or the repair directory, you can use L0phtCrack to access the password hashes and perform a brute force attack on the password hashes. It will break any password (it may take a day or two). L0phtCrack has the advantage that it does not modify the passwords. Additionally in another context, a run by the administrator against the password hashes using a simple dictionary will give you an idea if your users passwords are too weak. See ElCOM for dictionaries that you can download as well as a significant suite of password breaker software.

L0phtCrack can be used as an offline method:

  • Create an DOS bootable floppy
  • If NT is installed as a FAT partition, use the DOS boot disk to copy the SAM, winnt\system32\config\sam
  • If NT is installed on NT, use NTFSDOS.EXE to get the SAM.
  • Copy the SAM to a temp directory on a working NT box
  • Use pwdump to pull out the hashes and break them with l0phtcrack.
See atips174 if you are unfamiliar with NTFSDOS.EXE.

If you need to break a password set by an application or perhaps a password for zipped files, see these sites:

www.passwordservice.com/
www.lostpassword.com
www.elcomsoft.com
www.soft4you.com
www.pwcrack.com
Microsoft Office pw crackers

These sites were just a few I am aware of. There are many. Unfortunately, as this article should make you aware of, passwords can give one a false sense of security when its all you have protecting your a$.

As an aside, if you have Win9x and have set a password and forgot it, you can bypass Windows with F8 during startup and choose the Command Prompt Only option. At the prompt, go to the Windows directory and delete .pwl files. No password will be required on the next boot. A new password can be set if you wish at the Start|Settings|Control Panel|Passwords and click on Change Windows Password.

CMOS/BIOS password info:

PC BIOS Security and Maintains Toolkit
Cracking Programs
Forgotten Password Utilites

Microsoft has reprint a Windows NT Magazine background article on Where Windows NT Stores Passwords.

See Also

Featured Links