The Network Security Toolkit distribution contains the necessary tools to allow one to reset a forgotten user password on a Windows XP drive. This is done via the chntpw utility. The process involves the following:
1. Mounting the Windows drive. This is typically going to be the first partition on an IDE hard disk (it will be /dev/hda1 on 99% of the Windows XP systems you come across).
2. Locating the SAM file (typically found under the WINDOWS/system32/config directory).
3. Running the chntpw command on the SAM file.
4. Finally, it's important to umount the Windows drive to make sure all data written to the SAM file is flushed to disk.
We have not encountered a problem using the chntpw utility. However, as it involves writing to a Windows XP NTFS partition, it makes Paul nervous each time he uses it (and he's pretty sure that he's had to re-install Windows at least once after using this utility). If the Windows box is important you should back up any data PRIOR to using this command.
First, let's mount the Windows XP disk and list which users are on the system.
[root@probe ~]# mkdir /mnt/winxp
[root@probe ~]# mount /dev/hda1 /mnt/winxp
[root@probe ~]# ls /mnt/winxp/WINDOWS/system32/config
AppEvent.Evt SAM SECURITY.LOG SysEvent.Evt system.sav
default SAM.LOG software system TempKey.LOG
default.LOG SecEvent.Evt software.LOG system.LOG userdiff
default.sav SECURITY software.sav systemprofile userdiff.LOG
[root@probe ~]# chntpw -l /mnt/winxp/WINDOWS/system32/config/SAM
chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 270/21264 blocks/bytes, unused: 7/3120 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username: <Administrator>, *disabled or locked*
RID: 03ed, Username: <erik>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03ec, Username: <megan>
RID: 03eb, Username: <pkb>
RID: 03ee, Username: <scott>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Hives that have changed:
# Name
None!
[root@probe ~]#
Now that we've identified the users on the system, let's clear the password for scott:
[root@probe ~]# chntpw -u scott /mnt/winxp/WINDOWS/system32/config/SAM
chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 270/21264 blocks/bytes, unused: 7/3120 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username: <Administrator>, *disabled or locked*
RID: 03ed, Username: <erik>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03ec, Username: <megan>
RID: 03eb, Username: <pkb>
RID: 03ee, Username: <scott>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID : 1006 [03ee]
Username: scott
fullname:
comment :
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 3, while max tries is: 0
Total login count: 19
Account is probably locked out!
Do you wish me to reset the failed count, unset disabled and lockout,
and set the "password never expires" option? (y/n) [n]y
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Hives that have changed:
# Name
0 </mnt/winxp/WINDOWS/system32/config/SAM>
Write hive files? (y/n) [n] : y
writeHive: write of /mnt/winxp/WINDOWS/system32/config/SAM failed: Success.
[root@probe ~]# umount /mnt/winxp
[root@probe ~]#
We aren't sure why the "failed" messages occur at the end of the output.
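The walkthrough above is typed by hand. The script below is an added example, not part of the NST documentation or of the chntpw project, that wraps the same four steps (mount, locate the SAM hive, run chntpw, umount) and adds the safeguards the warning about writing to an NTFS partition calls for: the drive is mounted read-only until the listing and a backup are done, the SAM, SECURITY and system hives are copied out with SHA-256 digests so a bad write can be undone, and sync runs before umount so the rewritten hive actually reaches the disk. The device, user name and mount point are assumptions passed on the command line, the backup directory under /root is an assumption, and the script assumes GNU/busybox sha256sum is present. It also goes slightly beyond the page by looking for the hive under WINNT as well as WINDOWS, since NT4 and 2000 installs used that directory. The chntpw prompts stay interactive exactly as shown above.

```shell
#!/bin/sh
# Added example, not part of the NST documentation or of chntpw: wraps the
# mount / locate SAM / chntpw / umount walkthrough with the checks a careful
# operator wants before writing to an NTFS partition. Device, user and mount
# point are command-line assumptions; the backup directory is an assumption.
set -u

find_sam() {
    # Print the path of the SAM hive below a mounted Windows tree.
    # XP installs into WINDOWS, but NT4/2000 used WINNT, so try both.
    root=$1
    for dir in WINDOWS Windows WINNT; do
        f="$root/$dir/system32/config/SAM"
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

backup_hives() {
    # Copy the SAM, SECURITY and system hives (and their .LOG files) out of
    # the config directory before chntpw writes anything, recording a
    # SHA-256 for each so the copies can be verified before being restored.
    sam=$1
    dest=$2
    cfg=$(dirname "$sam")
    mkdir -p "$dest"
    : > "$dest/SHA256SUMS"
    for h in SAM SAM.LOG SECURITY SECURITY.LOG system system.LOG; do
        if [ -e "$cfg/$h" ]; then
            cp "$cfg/$h" "$dest/$h"
            ( cd "$dest" && sha256sum "$h" >> SHA256SUMS )
        fi
    done
    return 0
}

verify_backup() {
    # Succeeds only if every hive copy still matches its recorded digest.
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

main() {
    dev=$1
    user=$2
    mnt=${3:-/mnt/winxp}
    backup="/root/hive-backup-$(date +%Y%m%d%H%M%S)"   # assumed location

    mkdir -p "$mnt"
    # Mount read-only first: listing users and taking the backup need no writes.
    mount -o ro "$dev" "$mnt"
    if ! sam=$(find_sam "$mnt"); then
        echo "no SAM hive found under $mnt" >&2
        umount "$mnt"
        return 1
    fi
    backup_hives "$sam" "$backup"
    verify_backup "$backup" || { echo "backup verification failed" >&2; umount "$mnt"; return 1; }
    echo "hives backed up to $backup"

    # Same read-only listing as 'chntpw -l' in the walkthrough.
    chntpw -l "$sam"

    # Only now allow writes, run the interactive reset, then flush and unmount
    # so the rewritten hive reaches the disk before the drive is removed.
    mount -o remount,rw "$mnt"
    chntpw -u "$user" "$sam"
    sync
    umount "$mnt"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Saved as, say, reset_winxp_passwd.sh (a hypothetical name), it is run as root with the device and account from the walkthrough: sh reset_winxp_passwd.sh /dev/hda1 scott. If chntpw's "Write hive files?" step goes wrong, copying the files from the printed backup directory back into WINDOWS/system32/config (after verify_backup succeeds on it) restores the hives to their pre-reset state.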