Have you ever found yourself in a situation where you needed the password
to log on to a Windows NT-based system, but you have no idea what the password
is? Perhaps you simply forgot the password, or the system administrator
“unexpectedly” left the company for one reason or another and decided not
to leave the Administrator password behind. I have even encountered situations
where you remove a Windows 2000 or Windows XP machine from a domain, and
the only account remaining with permissions to log on at the console is
the local Administrator account. The password required at this point is
the one that was used during the initial installation of the operating
system. This can be incredibly frustrating, especially if I was not the
one who performed the initial installation!
Well, Windows NT-based systems store local user information in the SAM (Security Accounts Manager) database. This file is located, by default, in %systemroot%\system32\config, where the system root is the directory where the operating system files are installed. This would be \winnt (for Windows NT or Windows 2000) or \windows (for Windows XP). This database file is part of the system registry and is, as such, hard to access and modify. From my experience, it had not been possible to change a user's password if neither the user nor the administrator was able to successfully log on to the system in the first place. I have found that this is no longer the case!
It seems that, recently, previously undocumented settings of the Windows Registry have allowed some engineering programmers to write a utility that can assist with these missing password problems. To find their work, perform a Web search for cracking Windows NT passwords or simply navigate to eunet
It was at this website that I found the downloadable code and instructions
for resetting local account passwords on any Windows NT-based computer
system, without having to know any passwords to begin with. You are given
two options for using the program. The first is to create a set of floppy
disks. The first disk holds the main program for resetting passwords. The
second disk holds a set of common SCSI controller drivers, in case the hard
drive that you need to access is not on a standard IDE controller. The
second option is to download and burn a bootable CD-ROM image of the program,
which incorporates both the IDE and SCSI drivers into a single package.
Once the method of delivery (meaning floppy or CD) is chosen, using
this package is fairly straightforward. Boot the computer with the
chosen media. You are greeted by the Linux kernel and a series of messages
and command-line statements that initialize the system. It is at this stage
that you may elect to scan for SCSI devices.
After scanning the bus, the computer will then identify hard drive partitions
it finds on the system. By default, the program will select the first bootable
NTFS partition it finds. Fortunately, this is most likely the correct partition
if a default install of the NT operating system was performed. The system
will then prompt you for which data files to copy into system memory. Again,
the default settings will load the files required for editing passwords:
the SAM file, along with a “system” file and a “security” file.
You will then be presented with menu options. The first option allows you to edit passwords. After selecting this option, a list of available user accounts is displayed. You will also be told if any of these accounts has been locked out or disabled. Odds are, if you have been trying to log on to the computer several times without an appropriate password, the account will be locked out. You are given the option to unlock and enable the account of your choice. Once this is done, you are given the option to reset the password to ANY password you choose.
Note: It is recommended that you enter a single * at this point, which will blank the password. You can always change the password again once you have successfully logged on to the machine.
You are finally prompted to verify and commit the changes and you are left at the shell prompt, signified by a # sign. At this point, the password has been reset and you may reboot the system.
Remove the floppy or CD, and boot into the operating system. Log on using
the local account you modified, using the password that you set with the
utility (a blank password if you followed the recommendation). If all is well,
you will be granted access to the operating system and be able to make
any further changes that you require. You have now successfully cracked
Windows NT passwords!
As of this writing, I’ve performed this process on two Windows NT 4.0
workstations with Service Pack 6. One system used standard IDE hard drives,
and the other used SCSI hard drives. The process worked exactly as outlined
above and I gained full administrative access to both operating systems.
Lessons learned:
On the positive side, losing the local Administrator password on a Windows NT-based machine is no longer an issue that requires you to reinstall the operating system and lose all your settings. On a more cautious note, any system that can be booted from a floppy or CD-ROM is extremely vulnerable to attack if the attacker can gain physical access to the computer. Be aware!
Until next month. . .