Windows 2000/NT/XP administrator password loss solution

  
1: Clear the sam file: The account information of WinNT-series systems is stored in the registry file %systemroot%\system32\config\sam. If the system has no important accounts, or only a few accounts, deleting %systemroot%\system32\config\sam is the simplest method. However, the system is then restored to just two accounts, administrator (with an empty password) and guest, so some programs, such as IIS and VMware, can no longer start because the accounts they depend on are lost. It is said that this method only applies to the NT workstation series (2000 Professional) and not to servers, but I have been successful on both 2000 Professional and 2000 Advanced Server, so I don't know why there is such a statement. It may not be possible under Active Directory (AD).

Of course, you must first be able to access the system partition in order to rename or delete the sam file. If it is a FAT or FAT32 partition, use a Windows 98 boot disk. If it is an NTFS partition, you can use Winternals NTFS for DOS, NTFS for 98, or a boot CD that supports NTFS; attach the disk to another machine running Windows 2000, Linux or similar; or install a fresh copy of Windows 2000.

2: Special tools: One way to deal with a lost Windows administrator password is to use Petter Nordahl-Hagen's The Offline NT Password Editor (http://home.eunet.no/~pnordahl/ntpasswd/), which sets the password by modifying the registry file sam offline. You need to use his image file to create a boot disk, boot from it, and then access the NTFS partition to reset the password. Although the author updates his program often, I still worry about the safety of operating on the sam file directly, which may sometimes lead to system errors. There may be other similar tools that I am not aware of.

3: Another idea is to replace a program that is required for system startup with a small program that changes the password. The system then changes the password when it starts, after which the original program is restored.
Of course, you must first be able to access the system partition to replace the program that is started with the system. One way to do this is with a small program that clears the administrator password (CleanPwd: http://www.BingleSite.Net/myprog/CleanPwd/CleanPwd.rar). All it does is set the administrator password to empty. The usage is as follows:

1): Use a dual-boot system or a boot disk, or attach the disk to another system. If the partition is NTFS, the other system or boot disk must be able to read and write NTFS partitions. Rename system32\svchost.exe in the Windows installation directory to svchost.bak.exe, and copy CleanPwd.exe to svchost.exe.
2): Start the system. The administrator password is cleared and you can log in directly.
3): Restore svchost.bak.exe (if svchost was the program you replaced, it is best to start the RPC service).

Why use svchost.exe rather than another program? Every Windows 2000 system has these processes: System (kernel Executive and kernel), smss (session manager), csrss (win32 subsystem), winlogon (logon process), services (service control manager), lsass (local security authentication server). If any one of them is killed or fails, the system restarts. However, the password cannot be changed before lsass has started, so these programs cannot be used. In addition, the system generally runs some other programs: svchost.exe (Remote Procedure Call (RPC) and other services), WBEM\WinMgmt.exe (Windows Management Instrumentation), mstask.exe (Task Scheduler), regsvc.exe (Remote Registry Service), and there may be other services. You may have disabled the other services, but you will not have disabled RPC, otherwise the system would not work properly. So I chose svchost; if you know of another service that starts automatically, you can choose that instead.
Of course, if anti-virus software is installed on the system, you can also replace the anti-virus program, because anti-virus software generally starts its anti-virus firewall at boot to catch viruses.

4): Other: I had this idea a few months ago, but I have never written this program :( The program records a simple log in c:\CleanPwd.txt. I have also attached the source code, which you can modify at will to meet your own requirements, such as adding a user instead of changing the administrator's password (or if you have renamed the administrator).

4: I also saw a method on a website: replace %systemroot%\system32\logon.scr with cmd.exe or explorer.exe and wait at the system login screen. After a while the system runs the logon.scr screen saver; because you replaced the screen saver file, it actually runs cmd.exe or explorer.exe, with LocalSystem permissions, so you can do whatever you need. The easiest is to run net user administrator "" in cmd.exe. Once that succeeds the administrator password is cleared, and after closing cmd or explorer you can log in with the empty password. In fact, this method follows the same idea as the one above.

================= code begin =================
#include <windows.h>
#include <lm.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#pragma comment(lib, "Netapi32.lib")

#define LOF_FILE "c:\\cleanpwd.txt"

DWORD SetUserPwd(char *user, char *pass);

void banner(FILE *fp)
{
    if (NULL == fp) return;
    fprintf(fp, "Clean administrator's password tool 1a. for lost password.\n");
    fprintf(fp, " by [email protected]\n");
    fprintf(fp, "Website: www.BingleSite.Net\n");
}

int main(int argc, char *argv[])
{
    banner(stderr);
    /* Append to the log file; fall back to stderr if it cannot be opened. */
    FILE *fp = fopen(LOF_FILE, "a");
    if (fp) {
        fprintf(stderr, "Log in file %s\n", LOF_FILE);
        banner(fp);
    }
    if (!fp) fp = stderr;
    char buff[256];
    fprintf(fp, "%s : clean administrator's password ", _strtime(buff));
    DWORD n = SetUserPwd("administrator", "");
    if (NERR_Success == n)
        fprintf(fp, "ok.\n");
    else
        fprintf(fp, "Failed, error:%lu\n", n);
    fclose(fp);
    return -1;
}

/* Set the password of a local account through NetUserSetInfo, level 1003. */
DWORD SetUserPwd(char *user, char *pass)
{
    wchar_t wuser[PWLEN], wpass[PWLEN];
    USER_INFO_1003 ui;
    /* NetUserSetInfo takes wide strings, so convert both arguments. */
    mbstowcs(wuser, user, strlen(user) + 1);
    mbstowcs(wpass, pass, strlen(pass) + 1);
    ui.usri1003_password = wpass;
    return NetUserSetInfo(NULL, wuser, 1003, (LPBYTE)&ui, NULL);
}
================= code end =================
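
Methods 3 and 4 both leave traces on disk, so a system volume mounted offline on another machine can be checked for them. The following is an added example, not part of the original article or of CleanPwd; the function names, the WINNT default directory name and the wording of the findings are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

def sha256(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_entry(directory, name):
    """Case-insensitive lookup: the volume may be mounted on a case-sensitive OS."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

# Assumption: "WINNT" is the Windows 2000 default; pass "WINDOWS" for XP.
def audit_offline_volume(volume_root, windows_dir="WINNT"):
    """Return a list of findings for a mounted, offline Windows system volume."""
    root = Path(volume_root)
    windir = find_entry(root, windows_dir)
    sys32 = find_entry(windir, "system32")
    if sys32 is None:
        return ["system32 not found under " + str(root)]
    findings = []
    # Method 4: logon.scr overwritten with a copy of cmd.exe or explorer.exe.
    scr = find_entry(sys32, "logon.scr")
    for parent, shell in ((sys32, "cmd.exe"), (windir, "explorer.exe")):
        target = find_entry(parent, shell)
        if scr and target and sha256(scr) == sha256(target):
            findings.append("logon.scr is byte-identical to " + shell)
    # Method 3: a renamed copy of svchost.exe left beside the replaced binary.
    for entry in sorted(sys32.iterdir()):
        name = entry.name.lower()
        if name.startswith("svchost") and name.endswith(".exe") and name != "svchost.exe":
            findings.append("unexpected svchost copy: " + entry.name)
    # The CleanPwd source above appends its log to cleanpwd.txt at the root of C:.
    if find_entry(root, "cleanpwd.txt"):
        findings.append("CleanPwd log present at volume root")
    return findings
```

An empty list only means none of these three traces is present; step 3) of the CleanPwd procedure restores svchost.exe, so a careful operator leaves just the log file.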