Article by: Sambhu Pradhan
OK, so you say you forgot your Windows administrator's password, huh? Oh well, it doesn't really matter if you did or you just say you did. The fact is that you need to gain access to a computer and you cannot "remember" the administrator's password. How can you get out of this situation without formatting and re-installing the operating १
Dont worry my Dear,as i do have the same problem while i was first trying to access my own system.Below im going to describe some methods and security flaws of windows operating system and also tips and tricks how to avoid them from attackers.my personal analysis on security flaws of Microsoft system tells that microsoft is trying its best to improve its security but due to a very little commitment or we can say a minor leak in its work bring out the result of being accessed to files and folders by bypassing user control mode.Any how let me explain u what is it all about? but this article does not represent or mean to initiate hacker opinion rather it is to help people and make them familiar to take some major steps so that the system could be 100% sucure.Method1One method of gaining access to the system is by trying hard to remember the forgotten password, or a password of another user which has the same level of administrative rights. However I don't think this approach will help you, otherwise you wouldn't be sitting here reading article, would you?)
Method 2Another method is by trying to restore a backed up System State (in Windows 2000/XP/2003) or a ERD (in NT 4.0) in which you do remember the password. The problem with doing so is that you'll probably lose all of the recently add users and groups, and all the changed passwords for all of your users since the last backup was made.
Method 3A third method might be to install a parallel operating system on a different partition on the same computer, then use a simple trick to gain access to the old system.
Forgot the Administrator password - Alternate Method - The LOGON.SCR trickThis is another trick that will easily work in Windows NT 4.0 and some versions of Windows 2000. The principal is that you need to install a second instance of your OS to your HD, then manipulate the default screen saver (the one that's used if you don't move your mouse while the CTRL-ALT-DEL box appears) for the original OS.
Note: The information found on this page is valid ONLY for Windows NT 4.0, and for some earlier versions of Windows 2000 (prior to more advanced service packs). DO NOT ATTEMPT TO TRY THIS ON WINDOWS XP PRO MACHINES, you will only waste your time.
The LOGON.SCR trick
To successfully reset the local administrator's password on Windows NT and some versions of Windows 2000 follow these steps:
1.Install an alternate copy of Windows NT or Windows 2000.
You must install this instance of NT/2000 on a different folder than WINNT, otherwise you'll end up with the same bad situation. Use ALTWINNT for example.
It is best that you install the alternate instance of the OS into a different partition than the one you have your original installation. You'll delete this folder anyway, and it's best that you just format that partition after you're done. Formatting the partition will be much easier than deleting individual files and folders.
Also, if you lost your password on NT - install a new instance of NT, not Windows 2000, as doing so will ruin your old NT installation (because of the difference between the NTFS versions). Same goes for W2K, XP and Windows Server 2003. Always install the same OS.
Note: On Windows NT 4.0 machines that were installed out-of-the-box you do not have to install a fresh copy if you still have access as a regular user to the system. E.g. if you can log-on as a regular, non-administrator user, you can still manipulate the file's permissions. This is simply because NT's default permissions are set for Everyone - Full Control. This is not true on W2K/XP/ machine
2. Boot the alternate install.
3. Use Control Panel/System/Startup (for NT) or Control Panel/System/Advanced/Startup and Recovery for W2K to change the default boot instance back to your original install.
Lamer note: If you don't do that you'll end up booting into the alternate installation next time you turn on your computer. You don't want that, do you?
4. Open Explorer. Browse to your original Windows NT/2000 folder, navigate to the %systemroot%\System32 sub-folder.
Lamer note: %systemroot% is a system variable used to point to the folder where NT/2000 is installed, usually \WINNT in NT/2000, or \WINDOWS in XP/2003.
5. Save a copy of LOGON.SCR, the default logon screen saver, anywhere you like. Just remember where you've placed it. You can also just rename the file to something you'll remember later, I user LOGON.SC1.
Lamer note: To rename a file use the REN command in the Command Prompt window, or just select the file in Windows Explorer and press F2.
6. Delete the original LOGON.SCR from the %systemroot%\System32 sub-folder. It is not necessary to delete the file if you renamed it, you can leave it there.
Note: You might not be able to delete the LOGON.SCR file because of permission settings. Regular users can only read and execute the file, not delete it. If that is the case (and it is in W2K, XP and Windows Server 2003) then you need to take ownership of the file and give the EVERYONE group FULL CONTROL permissions.
Lamer note: In order to take ownership of a file right-click it, select Properties, select the Security tab, click Advanced, and then click on the Owner tab. Select one of the users found in the list, click ok all the way out.
In order to change the LOGON.SCR permissions follow the previous instructions, in the Security tab click Add and browse to the Everyone group. Add it and make sure you give it Full Control. Click Ok all the way out.
7. Make a copy CMD.EXE in the %systemroot%\System32 sub-folder. CMD.EXE is located in %systemroot%\system32.
Lamer note: In order to copy a file via GUI, select the file, right-click and chose Copy, then go to the destination folder, right click the folder name and select Paste. You can also use the keyboard by typing CTRL-C to Copy, CTRL-V to Paste.
8. Rename the copy of CMD.EXE to LOGON.SCR.
Lamer note: See step #5.
9. Shutdown and restart your computer. Boot into the original install.
10. Wait for the logon screen saver to initiate - around 15 minutes. Oh, and no, do NOT move your mouse while you wait, duh...
After the screensaver is initiated, instead of running the normal LOGON.SRC actual screensaver, it will run the renamed CMD.EXE file (which is now called LOGON.SCR), and will actually open a CMD prompt in the context of the local system account.
In step #7 you could have used EXPLORER.EXE instead of CMD.EXE, and in that case a My Computer window will pop up.
Note: As noted earlier on this page, there is a way to make the wait time shorter, but you'll need to dig into the Registry for that.
11. Open the CMD.EXE prompt (it should already be opened if you've used CMD.EXE in step #7) and type:
net user administrator 123456
This will reset the local administrator (or domain admin if you are doing this trick on a DC) password to 123456.
Lamer note: You can, of course, use ANY password you want...
12. Delete the LOGON.SCR from %systemroot%\System32.
13. Rename the saved default screen saver from step 5 back to LOGON.SCR.
14. If you wish to remove the alternate install:
Delete its' folder.
ATTRIB -R -S -H c:\BOOT.INI
Edit c:\BOOT.INI and remove the alternate install's entries.
If you've used a different partition to install the alternate install then now you can simply delete or format that partition if you don't need it anymore, plus edit c:\BOOT.INI and remove the alternate installation entries.
This trick has been tested a zillion times. Don't bother to tell me it doesn't work, it does (for Windows NT and some versions of Windows 2000), and that's a fact.
