JSI Tip 0554 - Lost your Administrator password and need the ultimate hack?

There is no security without physical security!

If you have lost the Administrator password, you must have the following to recover:

1. A regular user account that can logon locally to your Windows NT Workstation, Server,
     or PDC whichever you are recovering.

               If you already have an alternate install of NT, skip to The Process, Set 02.

2. The Windows NT CD-ROM and setup diskettes (winnt /ox to make them from the CD-ROM).
3. Enough room to install a temporary copy of NT (Workstation will suffice, even to recover on a PDC).
4. Your latest Service Pack.

The Process:

01. Install a copy of Windows NT as TEMPNT, on any drive. Install your latest Service Pack.

02. Boot the alternate install.

03. At a command prompt, type AT HH:MM /INTERACTIVE CMD /K where HH:MM is 10 minutes from now
     (or however much time you need to complete the remaining steps and logon to your primary installation).

04. Use Regedt32 to edit:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule

05. Double click Schedule and click the one sub-key.

06. Double click the Schedule value name in the right hand pane and copy the REG_BINARY string to the clipboard.

07. Select HKEY_LOCAL_MACHINE and Load Hive from the Registry menu.

08. Navigate to your original installation\System32\Config folder and double-click System.

09. At the Key Name prompt, type ORIGSYS.

10. Navigate to ORIGSYS\Select and remember the value of Current; i.e. n.

11. Browse to ORIGSYS\ControlSet00n\Services\Schedule and if Start is not 0x2, set it to 0x2.

12. With Schedule selected, Add Key from the Edit menu.

13. Type 001 in Key Name and click OK.

14. Select 001 and Add Value name Command as type REG_SZ and set the string to CMD /K.

15. Select 001 and Add Value name Schedule as type REG_BINARY and paste the string from step 06.

16. Select ORIGSYS and Unload Hive from the Registry Menu.

17. Use Conrol Panel / System / Startup... to make your original install the default.

18. At a CMD prompt:

     attrib -r -s -h c:\boot.ini
     edit c:\boot.ini and either change the id of the TEMPNT lines to Maint 4.0 on both entries
     if you intend to keep this maintenance install or delete them. attrib +r +s +h c:\boot.ini

19. Shutdown and restart your original install.

20. Logon as your user account and wait for HH:MM from step 03.

21. When the CMD prompt opens, it will be under the context of the Schedule user,
     either the System account or an administrative account.
     If this machine is the NOT the PDC, type MUSRMGR.EXE, if it is the PDC, type USRMGR.EXE.
     If you get an error, click YES and type your domain name.

22. Set the Administrator password and logoff.

23. Logon as Administrator.

24. If you are deleted the TEMPNT entries in step 18, delete \TEMPNT

25. Promise to:

     never forget the Administrator password again
     implement physical security
     buy all your future software from

JSI, Inc.

Note: If the Schedule service runs under the context of a Domain Administrator on any member workstation, all you need to recover the PDC Administrator is a network login.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish