VerySimple Developer Blog
Technical Tips, Tricks and Rants.
 
May
22
Filed Under (Windows) by Jason on 22-05-2007

Recently an old application server arrived at the office. The server was running NT 4 and MS SQL server. We needed to get the machine running to do some reverse engineering of the code and database, however the administrator password had been lost. The original developer had moved out of state and didn’t have records, nor did the owner. It seemed that the only choice left was to hack into the machine.

I started with various failed attempts to recover the password using boot disks that grab info from the SAM database and crack the passwords. Since this was older hardware with an old drive array configuration, though, several of these recovery disks couldn’t recognize the drive. One program did see the drive and recover the SAM information but was unable to crack the password.

I do think that strategy would have eventually worked. But I decided it would be easier to reset the password instead of recovering it. There is an old trick with NT and 2000 machines, if you have physical access to the machine, where you replace login.scr with cmd.exe.

First you boot from an NTFS boot disk. The NTFS boot disk above gives you a Windows DOS prompt with full read/write access to the drives on the server, though you are not technically authenticated as a user on the system. C:\winnt\system32\login.scr is the screensaver executable that Windows runs automatically at the login prompt. You can use this hack to fool Windows into opening up a DOS shell with system privileges. At the boot disk command prompt enter the following to back up and replace login.scr with cmd.exe:

copy c:\winnt\system32\login.scr login.bak
copy c:\winnt\system32\cmd.exe login.scr

Now that login.scr has been replaced, remove the boot disk and reboot to the NT login prompt. I waited until Windows launched login.scr (the default is 15 minutes) and a DOS command window opened right on top of the login prompt. The following DOS command changes the Administrator password:

net user Administrator mynewpass

The password is now changed. Finally, I gave the old Microsoft 3-finger salute (ctrl+alt+del) and logged on using the username/password I just created. Woot!

WARNING: If this is a domain controller or using active directory, I have read that this trick is not advisable and may cause you some file permission headaches.
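From the defender's side, the swap described above leaves two simple traces in the system directory: a login.scr that is byte-for-byte identical to cmd.exe, and (if the backup was made in that directory) a leftover login.bak. The following is an added example, not code from the original post, that checks for both; it builds a constructed stand-in for C:\winnt\system32 with fake bytes rather than real binaries, so it runs anywhere.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_login_screensaver(system32_dir):
    """Look for the traces the login.scr/cmd.exe swap leaves behind:
    login.scr identical to cmd.exe (a plain 'copy' preserves every byte),
    and a leftover login.bak. Returns a dict of findings; both False on a
    clean directory."""
    login_scr = os.path.join(system32_dir, "login.scr")
    cmd_exe = os.path.join(system32_dir, "cmd.exe")
    findings = {"login_scr_is_cmd_exe": False, "login_bak_present": False}
    if os.path.isfile(login_scr) and os.path.isfile(cmd_exe):
        findings["login_scr_is_cmd_exe"] = sha256_of(login_scr) == sha256_of(cmd_exe)
    findings["login_bak_present"] = os.path.isfile(os.path.join(system32_dir, "login.bak"))
    return findings

def build_sample_system32(swapped):
    """Constructed stand-in for the system32 directory (assumption: fake
    MZ-prefixed byte strings stand in for the real executables)."""
    d = tempfile.mkdtemp()
    cmd_bytes = b"MZ" + b"\x00" * 64 + b"fake cmd.exe"
    scr_bytes = b"MZ" + b"\x00" * 64 + b"fake login.scr"
    with open(os.path.join(d, "cmd.exe"), "wb") as f:
        f.write(cmd_bytes)
    with open(os.path.join(d, "login.scr"), "wb") as f:
        f.write(cmd_bytes if swapped else scr_bytes)  # swapped copy is identical to cmd.exe
    if swapped:
        with open(os.path.join(d, "login.bak"), "wb") as f:
            f.write(scr_bytes)  # the backup the trick leaves behind
    return d

if __name__ == "__main__":
    print(check_login_screensaver(build_sample_system32(swapped=False)))
    print(check_login_screensaver(build_sample_system32(swapped=True)))
```

On a real host, point check_login_screensaver at the actual system directory; a match on the first finding alone is enough to warrant a look, since the backup may have been written elsewhere.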
