There are utilities available which can directly edit Windows NT\2000\XP user accounts and change or blank their passwords. These generally work by booting the computer into a minimal version of an alternate operating system like Linux, then directly accessing and editing the system32\config files.

An excellent and fairly easy to use example of this can be found here. Files to create a bootable floppy or CD are available from the site, as are instructions. This utility uses a text-only Linux version to allow you to edit user accounts and change passwords. Very effective.

Please note that if you have encrypted files using the built in Windows encrypted file system (EFS), you will lose access to them if you change your password with this program. See the below method for a non-catastrophic alternative.

Extracting a lost password from your hard drive:

If all else fails, but you still have physical access to your computer, all is not lost! You can get hold of the actual file on the hard drive that contains your password information, and use some third-party software to extract the passwords from this file.

As mentioned above, Windows 2000/XP stores its password information in a numerical hash found within the SAM (Security Accounts Manager). The file that contains the SAM cannot be directly accessed by a user (even the administrator) while Windows XP is running. However, if you start your computer with an alternate operating system that has the ability to read the data on your Windows drive, suddenly things become a lot more accessible.

The idea here is to use an alternate operating system (like DOS or Linux) to access the SAM file found in c:\Windows\system32\config and make a copy of it. This file can then be analyzed by one of several password cracking utilities like LC4 or Proactive Windows Security Explorer, which will attempt to obtain the passwords to each user account.

Please not that this procedure is quite a bit more complicated than those in the rest of the article. Unfortunately there is not really an easy way to do this... Please ensure that you read the instructions below very carefully before you attempt the procedure.

We cover three discrete methods of transferring the necessary files to an alternate computer, where you can use a password cracking utility to (hopefully) recover your passwords.

What you will need:

1) Access to another computer. There's no getting around this.

2) At least 2 empty 1.44MB floppy disks.

3) A copy of a command line compression utility like RAR.

4) A DOS boot disk (such as a Windows 98 boot disk which can be obtained from www.bootdisk.com)

Or

4A) Portable Linux distribution like Knoppix.

Or

4B) You will need to transfer the main hard disk (the C:\ drive) from your locked computer physically to your alternate system and install it as a secondary drive, allowing you to copy off the SAM and SYSTEM files easily. For more information on how to do this, see our article on installing a hard disk drive here.

If you use a DOS boot disk and your system drive uses the NTFS file system (the default for Windows XP), you will also need a program that allows DOS to see NTFS formatted drives, such as NTFSDOS. Copy the NTFSDOS executable file onto the boot disk.

5) Password auditing program. For the purpose of this article, we recommend using Proactive Windows Security Explorer, since the beta of this program is freely available, (up to January the 1st, anyhow). LC4, or Lopht Crack4 is better known, but the evaluation version of this now commercial software limits you considerably.