There are utilities available which can directly edit Windows NT\2000\XP user
accounts and change or blank their passwords. These generally work by
booting the computer into a minimal version of an alternate operating system
like Linux, then directly accessing and editing the system32\config files.
An excellent and fairly easy to use example of this can
here. Files to create a bootable floppy or CD are available from the site,
as are instructions. This utility uses a text-only Linux version to allow you to
edit user accounts and change passwords. Very effective.
Please note that if you have encrypted files using the
built in Windows encrypted file system (EFS), you will lose access to
them if you change your password with this program. See the below
method for a non-catastrophic
Extracting a lost password from your hard
If all else fails, but you still
have physical access to your computer, all is not lost! You can
get hold of the actual file on the hard drive that contains your
password information, and use some third-party software to extract the passwords from this
As mentioned above, Windows 2000/XP stores its
password information in a numerical hash found within the SAM (Security Accounts
Manager). The file that contains the SAM cannot be directly accessed by a
user (even the administrator) while Windows XP is running. However, if you
start your computer with an alternate operating system that has the ability to
read the data on your Windows drive, suddenly things become a lot more
The idea here is to use an alternate operating system
(like DOS or Linux) to access the SAM file found in c:\Windows\system32\config
and make a copy of it. This file can then be analyzed by one of several password
cracking utilities like LC4 or Proactive Windows Security Explorer,
which will attempt to obtain the passwords to each user account.
not that this procedure is quite a bit more complicated than
those in the rest of the article. Unfortunately there is not
really an easy way to do this... Please ensure that you read the
instructions below very carefully before you attempt the procedure.
We cover three discrete methods of
transferring the necessary files to an alternate computer, where you can use a
password cracking utility to (hopefully) recover your passwords.
What you will need:
1) Access to another computer. There's no getting around this.
2) At least 2 empty 1.44MB floppy disks.
3) A copy of a command line compression utility like RAR.
4) A DOS boot disk (such as a Windows 98 boot disk which
can be obtained from www.bootdisk.com)
4A) Portable Linux distribution like Knoppix.
4B) You will need to transfer the main hard disk
(the C:\ drive) from your locked computer physically to your alternate
system and install it as a secondary drive, allowing you to copy off the SAM and
SYSTEM files easily. For more information on how to do this, see our article on
installing a hard disk drive here.
If you use a DOS boot disk and your system drive uses
the NTFS file system (the default for Windows XP), you will also need a program
that allows DOS to see NTFS formatted drives, such as NTFSDOS.
Copy the NTFSDOS executable file onto the boot disk.
5) Password auditing program. For the purpose of this
article, we recommend using Proactive Windows Security Explorer, since the beta of this
program is freely available, (up to January the 1st, anyhow). LC4, or Lopht
better known, but the evaluation version of this now commercial software limits