This may be a bit controversial because this article is going to give step by step instructions on how to gain access to any computer running Windows regardless of whether or not you know the password. Let me start by saying that using this article to gain access to a computer you aren’t authorized to access is a Federal Crime under Title 18 Part 1 Chapter 47 Section 1030(a)(1) and punishable by up to 10 years in prison.
That being said, I have two reasons for wanting to write this article. First and foremost, as a tutorial for new techs entering the field because a forgotten password or accidentally (or maliciously) changed password is something you may need to repair. The second reason is for folks to realize that physical access to your computer is all it takes for anyone with basic technical skills to gain access to all of your files. At the end of this tutorial I’ll talk a little about protecting the data on your computer.
First, you will need to download a program called NTPASSWD. You can go to the main web site for it at http://pogostick.net/~pnh/ntpasswd/ and follow the links to download the “Bootdisk”. I recommend downloading the Bootable CD Image “cd110511.zip”. The reason for this is that you are more likely to find a computer that boots off the CD drive by default than off a USB drive. Once you download the ZIP file you will need to extract it. Most current versions of Windows will allow you to right-click on it and “extract” it. Once extracted you will have an ISO file.
An ISO file is a disk image that can be put on a CD or DVD. However, you need to be careful. Don’t try to just “copy” the file to the CD. You will need to use software that allows you to “burn” an ISO to a disk. If you don’t have a program to do this, IMGBurn is a simple little program that you can use to do the job. Find it at http://www.imgburn.com/. Download and install this application and then follow the instructions for writing the ISO file to a blank CD.
Once you have come this far you now have a bootable CD that can be carried around for whenever you need it. So long as the system you are working on has a working CD-ROM drive you’re pretty much set. Now, how to use the tool:
First, you are going to want to insert the disk into the CD-ROM drive. Obviously this is most easily done while the machine is powered up. For very infected computers I try to get the disk in the tray during the boot-up process and before Windows actually starts loading and then cut the power. Next, you want to boot from the disk during start-up. You may have to go into the Boot menu during start-up (the function key for this depends on the machine) or you may have to go into the BIOS to change the boot drive sequence. Since every machine is a bit different I’ll leave it up to you to figure out how to get the PC to boot off the CD-ROM as that is outside the scope of this little tutorial.
Once you have booted to the CD you will find that you get a welcome message with some optional commands. I’ve never found it necessary to use them. If you wait too long reading them, the program will move on and boot into the first step.
Here you will be asked to choose the Windows Partition you want to edit. The default is typically correct. As the instructions listed above Step 1 indicate, you can typically just press Enter through most of this process. When you choose your partition here you move on to Step 2.
First you are asked the path to the registry files. Again the default is typically correct. This programs has the flexibility to help you with unusual installations, however. That’s why the option is given.
This next part of step 2 shows you the core system files available and asks you what you want to do. The SAM file you see there is where the user passwords are stored. We’re going to do a Password reset so we can just press Enter for the Password Reset option. This begins Step 3.
Now that we have chosen to reset the password we are shown that the SAM, Security, and System files have been loaded. We now have the option to edit user data and passwords and we’ll do that by pressing Enter again.
We are now shown a list of all the users. Notice that there are users you didn’t know existed. There are more user accounts on a Windows machine than you typically see. This is true of all operating systems. Notice you can also tell which are administrator accounts and which are disabled or locked. We can choose which account we want to change. If I only need the user account (Michael) then I could simply choose it. I can alternatively choose the Administrator account (that all Windows machines have) to log in with that account later and make any changes to any user accounts I need. That’s what we’ll do in this example simply by pressing Enter.
I am now given more information about the Administrator account. I am also able to make certain changes to the account. I can clear the password, change it (notice that this is considered risky), make a user account an administrator, or unlock the account if it’s been locked. I’ll choose to clear the password by pressing 1. Notice I can’t use the default value any more.
I now receive a message saying the password is cleared. However, the changes to the registry have not been made yet so I’m not really done. I’m now going to quit by pressing the exclamation mark.
I’m now given the option to go back and do more editing, but instead I will press Q to quit, which will bring up the final step, Step 4.
Here I am asked if I want to write the files. I have to press Y for yes. The default is no so watch for that.
Then I am asked if I want to try again if there were any problems in writing. Sometimes there will be and you will have to reboot and start the process over again. In this case I can press Enter for the default.
I am now out of the menu system and sitting at a prompt. This is where I will eject the CD and reboot the machine. I now can log in as administrator with an empty password and make any changes to the machine I need.
So how can you protect your computer from data theft when it’s this easy to get into any computer? Well, there are some great encryption programs available that will encrypt either certain folders or your entire disk depending on how you want to approach it. I recommend TrueCrypt http://www.truecrypt.org/ for most Windows systems. If you are running the Ultimate or Enterprise editions of Windows then encryption is built-in with BitLocker. If you run Ubuntu, encryption is also built in as an option when you install it on the computer. The reason encryption works is that the password for logging into the computer is not necessarily the same as the password for the drive encryption. And, even if it is, if you blank out the password then the wrong password is sent to the encryption program. This is why encrypting your drive protects you even if someone can erase your user password.
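The practical follow-up to that advice is to verify that full-disk encryption is actually active on every fixed volume, since an unencrypted or suspended volume is exactly what a boot CD can read and edit. The PowerShell audit below is an added example written for this article, not part of NTPASSWD or the original post; it assumes Windows 8 / Server 2012 or later with the built-in BitLocker module, an elevated prompt, and the function name Test-OfflineDiskExposure is my own.

```powershell
# Added example (not from the original article): report which fixed volumes
# are still readable by an offline boot disk because BitLocker is not active.
# Assumes the built-in BitLocker module (Windows 8 / Server 2012+) and an
# elevated session. Test-OfflineDiskExposure is a name chosen for this example.

function Test-OfflineDiskExposure {
    [CmdletBinding()]
    param()

    # Get-BitLockerVolume enumerates every volume BitLocker knows about.
    $volumes = Get-BitLockerVolume -ErrorAction Stop

    foreach ($v in $volumes) {
        # The OS volume and fixed data volumes are what a boot CD can mount;
        # removable media is a separate concern and is skipped here.
        if ($v.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        if (-not $protectors) { $protectors = '(none)' }

        # ProtectionStatus 'On' means the volume is encrypted AND its key
        # protectors are enforced. 'Off' covers both unencrypted volumes and
        # volumes whose protection was suspended (e.g. for a firmware update),
        # which are equally exposed to offline SAM editing.
        $exposed = ($v.ProtectionStatus -ne 'On') -or ($v.VolumeStatus -ne 'FullyEncrypted')

        [PSCustomObject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            KeyProtectors    = $protectors
            ReadableOffline  = $exposed
        }
    }
}

# Usage: show the full picture, then warn about each exposed volume.
$report = Test-OfflineDiskExposure
$report | Format-Table -AutoSize
$report | Where-Object ReadableOffline | ForEach-Object {
    Write-Warning "Volume $($_.MountPoint) is not protected by BitLocker; a boot disk can read and modify its registry hives."
}
```

A volume that reports FullyEncrypted but ProtectionStatus Off is the case most often missed: it was encrypted at some point but protection was suspended and never resumed.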