Forgot your NT admin password?
Reinstall? Oh no.. But not any more..
Offline NT Password & Registry Editor
Overview
- This is a utility to (re)set the password of any user
that has a valid (local) account on your NT system, by modifying
the crypted password in the registry's SAM file.
- You do not need to know the old password to set a new one.
- It works offline, that is, you have to shut down your computer
and boot off a floppy disk. The bootdisk includes stuff to
access NTFS partitions and scripts to glue the whole thing together.
- Note: It will now also work with SYSKEY, including the option to turn it off!
Why?
NT stores its user information, including crypted versions of the passwords,
in a file called 'sam', usually found in \winnt\system32\config.
This file is a part of the registry, in a binary format previously
undocumented, and not easily accessible. But thanks to a German(?) named
B.D, I've now made a program that understands the registry.
As far as I know, Microsoft provides no way of changing the password
if you cannot log in as someone with appropriate privileges, except
restoring the registry files from the rescuefloppy.
- You don't forget passwords?
- You never get boxes to admin when someone quits suddenly?
- Your vendor delivers a preconfigured system to you, but never
have "freak" accidents and lose the password they've set on it?
- If so, what are you doing reading this?? Go read propaganda
from your favourite software vendor instead.
NEWSBREAK:
2000-06-07:
Fixed bug in chntpw that showed when trying to traverse a registry
key with lots (>200-400?) of subkeys. Caused "Not a 'nk' node" errors
and in most cases a crash. This was caused by the index/hash-lists
being split up and accessed in two levels (very much like some
filesystems do with datablock-tables on large files).
This problem was evident when accessing SAM's with many users, like
on domain controllers.
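To make that two-level index concrete, here is a small added example (not chntpw's own code) that walks the subkey lists of a registry hive in the 'regf' format. It handles the single-level 'lf'/'lh'/'li' lists as well as the 'ri' index that points at further lists, which is the layout a key with many subkeys ends up with; a parser that follows an 'ri' entry expecting a 'nk' cell gets exactly the error described above. The hive it parses is constructed in memory from made-up key names, so it is not a real SAM and runs offline; the cell and node layout follows the documented hive format.

```python
"""Walk the subkey tree of a Windows registry hive ("regf" format), including
the two-level 'ri' index lists that appear on keys with hundreds of subkeys.
Added illustration, not code from chntpw; the hive is constructed in memory.
Cell offsets are relative to the end of the 4096-byte base block, as in the
real format."""
import struct

BASE_BLOCK = 4096
NK_HEADER = 0x4C            # fixed part of an 'nk' cell; the key name follows it


def cell(hive, off):
    """Return the payload of the cell at hive-relative offset `off`.
    A cell starts with a signed size; negative means the cell is in use."""
    pos = BASE_BLOCK + off
    size = struct.unpack_from("<i", hive, pos)[0]
    return hive[pos + 4:pos + abs(size)]


def nk_name(data):
    if data[:2] != b"nk":
        raise ValueError("Not a 'nk' node")
    name_len = struct.unpack_from("<H", data, 0x48)[0]
    return data[NK_HEADER:NK_HEADER + name_len].decode("latin-1")


def subkey_offsets(hive, list_off):
    """Expand a subkey-list cell into the offsets of its 'nk' cells.
    'lf'/'lh' hold (offset, hash) pairs, 'li' holds bare offsets, and 'ri'
    holds offsets of further lists: the second level that a parser which
    only expects 'lf' would misread as 'nk' nodes."""
    data = cell(hive, list_off)
    sig, count = data[:2], struct.unpack_from("<H", data, 2)[0]
    if sig in (b"lf", b"lh"):
        return [struct.unpack_from("<I", data, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":
        return [struct.unpack_from("<I", data, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":
        nested = [struct.unpack_from("<I", data, 4 + 4 * i)[0] for i in range(count)]
        return [off for sub in nested for off in subkey_offsets(hive, sub)]
    raise ValueError("unknown subkey list type %r" % sig)


def tree(hive, nk_off=None):
    """Return {name: subtree} for the key at `nk_off` (default: the root key)."""
    if nk_off is None:
        nk_off = struct.unpack_from("<I", hive, 0x24)[0]   # root cell, regf header
    data = cell(hive, nk_off)
    nsub, _volatile, list_off = struct.unpack_from("<III", data, 0x14)
    children = {}
    if nsub:
        for off in subkey_offsets(hive, list_off):
            children.update(tree(hive, off))
    return {nk_name(data): children}


# ---- constructed sample hive (made-up names, not a real SAM) --------------
class HiveBuilder:
    def __init__(self):
        self.bins = bytearray(32)          # hbin header, filled in by build()

    def add(self, payload):
        """Append an 8-byte-aligned allocated cell; return its hive offset."""
        off = len(self.bins)
        size = 4 + len(payload)
        size += -size % 8
        self.bins += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off

    def nk(self, name, count=0, list_off=0xFFFFFFFF):
        body = bytearray(NK_HEADER)
        body[:2] = b"nk"
        struct.pack_into("<H", body, 2, 0x20)                 # KEY_COMP_NAME: ASCII name
        struct.pack_into("<IIII", body, 0x14, count, 0, list_off, 0xFFFFFFFF)
        struct.pack_into("<HH", body, 0x48, len(name), 0)
        return self.add(bytes(body) + name.encode("latin-1"))

    def lf(self, entries):
        """'lf' list: (offset, hash) pairs, hash = first four name characters."""
        body = b"lf" + struct.pack("<H", len(entries))
        for off, name in entries:
            body += struct.pack("<I", off) + name[:4].ljust(4, "\0").encode("latin-1")
        return self.add(body)

    def ri(self, list_offsets):
        body = b"ri" + struct.pack("<H", len(list_offsets))
        return self.add(body + b"".join(struct.pack("<I", o) for o in list_offsets))

    def build(self, root_off):
        size = len(self.bins) + (-len(self.bins) % 4096)
        self.bins = self.bins.ljust(size, b"\0")
        struct.pack_into("<4sII", self.bins, 0, b"hbin", 0, size)
        base = bytearray(BASE_BLOCK)
        struct.pack_into("<4sII", base, 0, b"regf", 1, 1)       # signature, seq1, seq2
        struct.pack_into("<II", base, 0x24, root_off, size)     # root cell, bins size
        return bytes(base + self.bins)


def build_sample_hive():
    """Root 'SAM' with five subkeys spread over an 'ri' index of two 'lf'
    lists (the many-subkeys layout); 'Aaron' has one subkey via a plain 'lf'."""
    b = HiveBuilder()
    alias = b.nk("Alias")
    aaron = b.nk("Aaron", 1, b.lf([(alias, "Alias")]))
    first = [aaron] + [b.nk(n) for n in ("Bob", "Carol")]
    second = [b.nk(n) for n in ("Dave", "Eve")]
    index = b.ri([b.lf(list(zip(first, ("Aaron", "Bob", "Carol")))),
                  b.lf(list(zip(second, ("Dave", "Eve"))))])
    return b.build(b.nk("SAM", 5, index))


if __name__ == "__main__":
    print(tree(build_sample_hive()))
```

Run against a real hive the same walker only needs `hive = open(path, "rb").read()`; the constructed hive just lets the 'ri' case be exercised without a domain controller's SAM at hand.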
2000-04-01: (not an April Fools' joke):
- Disabling syskey on Win2000 corrupts the SAM somehow, makes it
unable to re-enable + leaves it in a partial mode 1 syskey.
Also corrupts the Domain Trust password, making it impossible
to join or leave a domain.
Delete HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC (the trust key,
may need to change ACLs to get to it) to leave the domain and make it
possible to rejoin. So, don't disable syskey on Win2k unless
you're in really deep trouble anyways (like lost key-floppy etc)
- Added support for changing passwords without disabling or
changing syskey, simply by inserting old type password hash
into the sam. It gets converted to syskey-hash on next boot.
Why I didn't discover this before is beyond me.
- A few smaller bugfixes.
2000-02-23:
WARNING: There seem to be some problems with syskey on Win2k:
after turning it off it can not be re-enabled and domain associations get
weird. I'm trying to solve the problem, but it may take a while. Sorry for this.
An alternative solution is to delete (or rename) \winnt\system32\config\sam
if you can access the disk. This wipes the user database, but NT
recreates the sam, with a blank admin password.
2000-02-16:
NEW RELEASE!
- 1. Switches off SYSKEY if active!
- 2. Write-in-place (same data length) registry editor. (see regedit.txt)
This has been verified to work with Windows 2000 Release version.
Documentation on syskey coming up soon.
DISCLAIMER:
THIS SOFTWARE COMES WITH NO WARRANTY WHATSOEVER. THE AUTHOR IS NOT
RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE (MIS)USE OF THIS SOFTWARE!
It's VERY ALPHA yet, and relies heavily on undocumented structures and
methods. You have been warned!
How to get it?
No problem.. It's right here, and free!
000607, pnordahl@eunet.no