Obtain administrator password under Windows NT/2K/XP system

Introduction

This document describes how to obtain an administrator password under Windows NT/2K/XP. All experiments were done under Windows 2000, and I did not test it on other NT or XP systems.

SAM file

The SAM file is one of the places where the encrypted password hashes are saved. It cannot simply be copied out of its directory while Windows is running, because the system keeps it open and locked.

(!) Note: In Windows 2000 and later, the SAM file is generally encrypted with SYSKEY, so the common cracking tools cannot recover passwords from it directly. Password hashes that are not under SYSKEY encryption can still be obtained by other means; see the Pwdump(2) section.

SAM file locations:
1. The SAM file currently in use: "Windows directory (winnt/Windows)"\system32\config\
2. The "repair" SAM backup (I believe it is used when creating the emergency repair disk): "Windows directory"\repair\
The file is named SAM or SAM._ or something similar.

(!) Note: The second SAM file is likely to have been deleted.
(!!) Note: SAM files are hidden files and are generally not visible under Windows. If you can see the SAM file, try to copy it directly. You are probably a normal user (if you are an administrator, go to the "Pwdump" section instead), so you cannot copy the file directly. That is fine.

So, how do you get the SAM file? You need a boot disk. A Windows 98 boot disk will do, with some minor changes. If the target computer uses the NTFS file system, an additional program called NTFSDOS is required; it can be found with Google.

Steps:
1. Make a boot disk (I am actually using a Windows 98 boot disk made with win98se-bootfloppy.exe).
2. Copy NTFSDOS.exe to the boot disk. If you use the Win 98SE boot disk, remove fdisk.exe to free space for the NTFSDOS.exe file.
3. Start the computer from the floppy disk (you may need to change the BIOS settings).
4. After entering DOS: if the computer uses an NTFS partition, run NTFSDOS.exe. It displays a message similar to "NTFS partition mounted to X:" (X is the drive letter of the disk).
5. Go to the drive holding the Windows installation directory. If it is X:, type x: and press Enter.
6. Go to the Windows\system32\config directory and copy the SAM._ file (the file name may differ). List files with dir or dir /p; copy with copy SAM._ X: (X is the drive letter where the copy is stored).
7. Open the SAM file in a cracker such as L0phtCrack. Successful?!

Pwdump(2)

Pwdump, specifically Pwdump2, is a good program. The SAM file is encrypted with SYSKEY, but Pwdump2 (written by Todd Sabin) reads the password hashes from the operating system's memory, where they are not covered by SYSKEY, and writes them out in a form a cracking program can work on. Running Pwdump2 requires administrator privileges, and it is best run from a command line started as administrator.

Steps:
1. Download Pwdump2 (hint: www.google.com).
2. Start > Run > cmd. Go to the directory where Pwdump2.exe is located and run: pwdump2 > password.txt
3. Import password.txt into the cracker (Import > Import from PWDUMP file in L0phtCrack).

If you do not have administrator privileges: first download Pwdump2.zip and unzip it. The command line must be run as localhost (Admin). One way is to replace logon.scr with cmd.exe: rename logon.scr to logobak.scr, copy cmd.exe into the directory where logon.scr is located, and rename the copy to logon.scr. Then reboot and wait for a while, about 5-25 minutes. Windows then runs the default logon screen saver (logon.scr), which gives you a command line running as localhost (Admin). Go to the directory where Pwdump2 is located and run: pwdump2 > password.txt to dump the hashes, which are not SYSKEY-encrypted, from the operating system's memory into password.txt. Then import password.txt into the cracker (Import > Import from PWDUMP file in L0phtCrack).
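For the administrator on the other side of this article, the three weak points it relies on are worth auditing: a SAM hive (or a stale repair\SAM backup) that is readable by more than SYSTEM and Administrators, SYSKEY not being enabled, and a logon.scr that has been swapped for a renamed cmd.exe. The script below is an added defensive check written for this page; it is not code from the article or from any of the tools it mentions. It assumes a modern Windows host with PowerShell 5 or later, an elevated prompt, the SecureBoot registry value under the Lsa key as the record of the SYSKEY mode, and the backup name logobak.scr taken from the article; the function names and the [ok]/[WARN] output format are this example's own.

```powershell
# Added defensive audit, not part of the original article. Assumes a modern
# Windows host with PowerShell 5 or later, run from an elevated prompt.
# Function names and the [ok]/[WARN] output format are this example's own.

function Test-SamExposure {
    # The two SAM locations the article names: the live hive and the
    # "repair" backup (stored as SAM or SAM._ depending on how it was made).
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\config\SAM'),
        (Join-Path $env:SystemRoot 'repair\SAM'),
        (Join-Path $env:SystemRoot 'repair\SAM._')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Output "[ok]   $p not present"; continue }
        if ($p -like '*\repair\*') {
            Write-Output "[WARN] stale repair copy $p exists; it is not locked like the live hive"
        }
        # Only SYSTEM and Administrators should be able to read a SAM hive.
        $acl   = Get-Acl -LiteralPath $p
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users'
        }
        if ($broad) {
            Write-Output "[WARN] $p readable by: $(($broad.IdentityReference | Sort-Object -Unique) -join ', ')"
        } else {
            Write-Output "[ok]   $p limited to: $(($acl.Access.IdentityReference | Sort-Object -Unique) -join ', ')"
        }
    }
}

function Test-SyskeyMode {
    # SecureBoot under the Lsa key records the SYSKEY mode: 1 = key stored on
    # the machine, 2 = startup password, 3 = key on removable media.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SecureBoot -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1       { Write-Output '[ok]   SYSKEY enabled, key stored locally' }
        2       { Write-Output '[ok]   SYSKEY enabled, startup password required' }
        3       { Write-Output '[ok]   SYSKEY enabled, key on removable media' }
        default { Write-Output '[WARN] SYSKEY not enabled; the SAM hashes have no boot-key layer' }
    }
}

function Test-LogonScrSwap {
    $sys32  = Join-Path $env:SystemRoot 'System32'
    $scr    = Join-Path $sys32 'logon.scr'
    $backup = Join-Path $sys32 'logobak.scr'   # backup name used in the article
    $found  = @()
    if (Test-Path -LiteralPath $scr) {
        # A renamed cmd.exe keeps cmd.exe's version resource, so the embedded
        # OriginalFilename exposes the swap even when the bytes come from a
        # different build than the local cmd.exe.
        $orig = (Get-Item -LiteralPath $scr).VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike 'logon.scr') { $found += "logon.scr reports OriginalFilename '$orig'" }
        # Exact match against the local cmd.exe is the simplest case.
        $h1 = (Get-FileHash -LiteralPath $scr -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
        if ($h1 -eq $h2) { $found += 'logon.scr is byte-identical to the local cmd.exe' }
    }
    # The procedure leaves the genuine screen saver behind under a backup name.
    if (Test-Path -LiteralPath $backup) { $found += "backup copy $backup exists" }
    if ($found) { $found | ForEach-Object { Write-Output "[WARN] $_" } }
    else        { Write-Output '[ok]   logon.scr shows no sign of replacement' }
}

Test-SamExposure
Test-SyskeyMode
Test-LogonScrSwap
```

The script covers the on-disk side only. The boot-floppy copy works because the BIOS settings the article mentions allow removable media to boot first, so a firmware boot-order lock is the matching control for that step, and the screen-saver swap depends on System32 being writable, so integrity monitoring of that directory complements the logon.scr check above.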