Plan A: “Administrator” User
The “Administrator” method is pretty straightforward. On many Windows XP systems, especially Home edition machines preconfigured by OEMs such as Dell and Compaq, Setup creates a built-in user called “Administrator” that is, of course, a member of the local Administrators group. It exists so consumers can fix what they have messed up if they get locked out of their own accounts. On XP Home this account is hidden from the Welcome screen and can only be logged into in Safe Mode. Conveniently, it is frequently left with no password at all!
- Just restart the computer. After the BIOS POST screen and before the Windows XP boot screen appears, press F8 repeatedly (Ctrl is not needed; F8 alone brings up the Windows Advanced Options Menu).
- The Windows boot menu should appear. Select any “safe mode.”
- On the logon screen you should see “Administrator.” If you don’t, press Ctrl + Alt + Del twice to get the classic logon dialog, type “Administrator” as the user name and leave the password blank.
- Once successfully logged in, go to “Control Panel,” then “User Accounts,” and change or remove the password on the account you are locked out of.
If you are stuck at any of these steps, or if it flat-out does not work, you’ll have to switch to “Plan B” … not the morning-after pill.
Plan B: “SYSTEM” User
There are many variations of this method. Basically, you get a shell running as the “SYSTEM” account (LocalSystem), which sits above every human account in the privilege hierarchy and can reset any local password. The two main variations go through either the Windows scheduling service or the logon screensaver. There are a couple of requirements for this method. First, you need to be able to log on as some user; be warned, though, that a Limited or Guest account is usually not enough in practice, because the AT command refuses non-administrators and NTFS denies non-administrators write access to system32 (see the caveats under each variation). Second, either the Task Scheduler service has to be running or the screensaver has to be configured. Lastly, Windows must not be patched against this. I’m pretty sure Microsoft would have plugged the hole, since this discovery was a breakthrough in the tech world last year.
“AT” Command
The “AT” command tells the operating system to run programs automatically at a given time. For example, if you want to back up a crucial file every night or update your dynamic DNS provider with the current IP address, “AT” is at your command. It is the Windows equivalent of the *nix cron. The loophole is who runs the program when the time comes: the Task Scheduler service runs it as the “SYSTEM” account instead of the user who scheduled it, and the /interactive switch puts the program’s window on the desktop of whoever is logged on. So, if you schedule cmd.exe to run in the next minute, you get a console prompt running as “SYSTEM.” The catch is that AT itself refuses anyone who is not a member of the local Administrators group (you get “Access is denied”), so on XP this variation really escalates from an administrator account to SYSTEM rather than from a Limited user.
- Go to “Start Menu” then “Run”
- Type in “cmd.exe”
- In the command prompt type “at 16:25 /interactive cmd.exe”, replacing the time (24-hour HH:MM, the form AT documents) with the next minute. If the response is “Access is denied,” your account is not in the Administrators group and you need the screensaver variation instead.
- When the new command prompt appears, type “net user” alone to list the local accounts, then “net user username password”, replacing “username” with your target user and “password” with the password that you want to set.
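The same procedure as a batch file, added here as an example (it is not from the original post): it works out the next minute from the clock, queues the interactive cmd.exe through AT, and tells you if AT refused the job. It assumes Windows XP with the English-locale TIME layout (“ 9:05:17.42” or “16:25:03.99”) and an account that AT accepts, which on XP means a member of the local Administrators group.

```batch
@echo off
rem Added example, not from the original post: schedule an interactive cmd.exe
rem through the AT service one minute from now, so you do not have to read the
rem clock and type the time by hand. Assumes Windows XP with the English-locale
rem TIME layout (" 9:05:17.42" or "16:25:03.99") and an account that AT will
rem accept, which on XP means a member of the local Administrators group.
setlocal

rem The Task Scheduler service (service name "Schedule") must be running.
net start schedule >nul 2>&1

rem Pull hours and minutes out of the TIME variable. XP pads single-digit
rem hours with a space (" 9:05"); turn that into "09" so both fields are two digits.
set HH=%TIME:~0,2%
set MM=%TIME:~3,2%
set HH=%HH: =0%

rem "1xx - 100" stops cmd from reading 08 and 09 as (invalid) octal numbers.
set /a HH=1%HH% - 100
set /a MM=1%MM% - 100

rem One minute ahead, rolling over the hour and the day as needed.
set /a MM+=1
if %MM% geq 60 (
    set MM=0
    set /a HH+=1
)
if %HH% geq 24 set HH=0

rem Back to zero-padded HH:MM, the 24-hour form AT documents.
set HH=0%HH%
set MM=0%MM%
set WHEN=%HH:~-2%:%MM:~-2%

echo Scheduling an interactive cmd.exe as SYSTEM for %WHEN% ...
at %WHEN% /interactive cmd.exe | find "Added a new job" >nul
if errorlevel 1 (
    echo AT refused the job. On XP only members of the local Administrators group
    echo may use AT; anyone else gets "Access is denied". Try the screensaver route.
    exit /b 1
)
echo Job queued. When the new cmd.exe window opens at %WHEN%, type:
echo     net user ^<username^> ^<newpassword^>

rem Show the queue so you can confirm the job (and remove it later with "at <id> /delete").
at
```

Save it as, say, sysshell.bat and run it from an ordinary command prompt; the new window that opens at the scheduled minute is the SYSTEM shell, and the final “at” listing lets you confirm the job was actually queued rather than silently rejected.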

Screen Saver Variation
When it is time to display the screensaver on the logon desktop (that is, while nobody is logged on), Windows runs the screensaver file as SYSTEM. A screensaver is pretty much an *.exe file renamed to *.scr, so if you replace the logon screensaver (logon.scr) with a copy of cmd.exe, you again obtain a “SYSTEM” console, this time at the logon screen. Note that a screensaver that starts while you are logged on runs as you, not as SYSTEM, so it is specifically the logon-screen one that matters. Also note that on an NTFS system drive only administrators can write to system32; on FAT32 (common on OEM XP Home preinstalls) any user can.
- Go to “Start Menu” then “Run”
- Type in “cmd.exe”
- Type “cd \windows\system32” (or “cd %SystemRoot%\system32” if Windows is installed elsewhere)
- mkdir temphack
- copy logon.scr temphack\logon.scr (keeps the real screensaver so you can put it back later)
- copy /y cmd.exe logon.scr (copy rather than rename, so cmd.exe stays where the system expects it; “Access is denied” here means you lack write access to system32)
- exit
Log off and wait at the logon screen. When the logon screensaver is due (the logon desktop’s timeout lives under HKEY_USERS\.DEFAULT\Control Panel\Desktop as ScreenSaveTimeOut and defaults to 600 seconds), a command prompt running as SYSTEM will appear instead of the screensaver. Then you can type “net user username password”, replacing “username” with your target user and “password” with the password that you want to set. Afterwards, copy temphack\logon.scr back over logon.scr to restore the real screensaver.
Plan C (or the Nth Plan)
If you still are unable to crack the password, it’s time to bust out a CD and burn Ophcrack. Read my previous article on the specifics. But if the files you care about are protected with EFS (the Encrypting File System), you’re pretty much out of luck. The EFS keys are protected with the user’s Windows password, so if an administrator resets that password from outside the account, which is what every method here does, the files stay encrypted and unreadable. Changing the password from inside the account (knowing the old one) or using a password reset disk keeps the keys; an administrative reset does not, unless a recovery agent was set up. To find out whether anything on the machine is EFS-encrypted before you reset, run “cipher /u /n” from a command prompt; it lists encrypted files without changing them. Sorry, but that’s the way the cookie crumbles!
Good Luck! If you have any problems, check my references.
---------------------------------------------------------
Method 2
1. Put your Windows XP CD in the CD-ROM drive and start your computer (it’s assumed here that your XP CD is bootable, as it should be, and that your BIOS is set to boot from CD).
2. Keep your eye on the screen messages for booting from your CD. Typically, it will be “Press any key to boot from CD”.
3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.
4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now
5. The Licensing Agreement comes next - Press F8 to accept it.
6. The next screen is the Setup screen which gives you the option to do a Repair.
It should read something like “If one of the following Windows XP installations is damaged, Setup can try to repair it”
Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.
7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.
8. Shortly after the Copying Files stage, you will be required to reboot (this happens automatically; you will see a progress bar stating “Your computer will reboot in 15 seconds”).
9. During the reboot, do not make the mistake of “pressing any key” to boot from the CD again! Setup resumes automatically with the standard billboard screens, and you will notice Installing Windows is highlighted.
10. Keep your eye on the lower-left of the screen and, when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console opens, and because Setup itself runs as SYSTEM at this point, so does the console, giving you wide access to your system.
11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.
12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for password. After you’ve made your changes close the windows, exit the command box and continue on with the Repair (have your Product key handy).
13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.