
Hacking a forgotten password Windows NT / 2000 / XP

  • [Introduction]
  • [How to "bypass" the BIOS password? ]
  • [View passwords stored by Windows]
  • [Windows XP User Passwords]
  • [Reset user passwords in admin mode]
  • [Making a disc that resets passwords]
  • [Utilities for changing passwords Windows NT / 2000 / XP]
  • [Windows XP User Passwords]
  • [You will need ...]

    [Introduction]

    This guide explains what to do if you have forgotten your Windows XP password and how to solve the problem without reinstalling the operating system. We also look at other common password problems.
    Windows 2000 and Windows XP have stronger security features than the earlier Windows 9x / Me systems. They have a more robust password system, designed for business use, so that nobody without the necessary authority can reach the information on your computer. This is a double-edged sword: most users forget an important password at least once, and then the user himself becomes the "enemy without access rights" on his own computer.

    Naturally, every method of protection has a way around it, especially when you have physical access to the computer.

    In this article we look at the various ways a computer can be protected with a password and at the ways of getting past them. We will not start with user account passwords but with equally important ones: the BIOS password and the passwords stored by Internet Explorer.

    [How to "bypass" the BIOS password? ]

    The BIOS password is one of the oldest ways to protect your computer from unauthorized access and one of the most common. Why? This is one of the most effective means if the user does not have access to the system unit. Otherwise, it is like locking a house with multiple locks and leaving the window open.

    The default BIOS settings on all motherboards do not store password information. So all you need to do to remove the BIOS password is to simply reset the current settings by restoring the default configuration. But remember that resetting the current BIOS settings will destroy not only the password, but also all those settings that you set yourself.

    There are two ways to reset the BIOS. Most motherboards have a special jumper for clearing the CMOS (the memory in which the BIOS settings are kept). Usually this jumper sits near the battery on the motherboard, but to be sure it is best to consult the motherboard manual. On some motherboards there is no jumper, just two contacts which have to be shorted with a metal object, for example a screwdriver, to reset the CMOS.

    If your board has a jumper: to clear the CMOS, switch off the computer, move the jumper so that it closes the clear-CMOS contacts, and press the power button. The computer will not start, but the CMOS settings will be reset. Put the jumper back and switch the computer on again. Most likely you will see a message asking you to press F1 to set the BIOS parameters. If the default settings suit you, press F1 and choose 'Save and exit' in the BIOS menu. After that the computer boots as usual, except that there is no BIOS password.

    If you do not know where the required jumper is on your board, or there is none at all, you may have to go another way. Every motherboard has a battery that powers the CMOS memory so that it can retain its contents. As a rule this is a standard CR2032 cell.

    To clear the CMOS this way, switch off the computer and remove the battery (a thin screwdriver may help). After 5-10 minutes put the battery back and switch the computer on. The BIOS will load its default settings, and there will be no password. To continue booting you will have to press F1, and if the default settings suit you, choose 'Save and exit' in the BIOS menu that appears.

    As you can see, all this is very simple on a desktop, but on a laptop the BIOS password can be a serious problem. Because laptops are stolen so often, manufacturers have made it almost impossible to get in by bypassing the password. So if you have forgotten the BIOS password of your laptop, you will most likely have to contact the manufacturer's service centre.

    [View passwords stored by Windows]

    Besides the logon passwords, Windows users keep a number of other equally important ones: the Internet connection password, mailbox passwords, passwords for web sites. There are usually quite a lot of them, so it is only natural that they are forgotten over time.

    The operating system offers an "auto-complete" feature for passwords and other frequently entered information in Internet Explorer. So it is quite common for a user to enter a password once and, a few months later, be unable to remember it. Everyone knows that important passwords should be written down, but not everyone does it. And if you no longer remember the password, how can you find it out, when all you see is a row of asterisks: ******?

    The answer is offered by programs from various vendors that can recover the password hidden behind that row of asterisks. There are quite a few freely distributed programs for revealing Windows passwords or passwords hidden in Internet Explorer input fields.

    We will use the program Asterisk Key from the company Passware. This is an easy-to-use freeware program that analyses passwords hidden behind asterisks and shows them to you. Working with it is very simple: select the field containing the password and press the 'recover' button.

    Of course, there are also commercial versions of programs, which, as a rule, have a large set of functions. For example, Password Recovery Toolbox scans the system and identifies saved passwords, data saved for automatic filling, Outlook Express passwords, passwords for connecting to the Internet, etc. This information is then presented in a convenient form.

    [Windows XP User Passwords]

    Windows XP does not store user passwords in clear text but in a transformed form. For example, the password "password" might be stored as a string such as 'HT5E-23AE-8F98-NAQ9-83D4-9R89-MU4K'. This information is kept in a file named SAM in the folder C:\windows\system32\config.

    This part of the SAM file is additionally encrypted by the syskey system utility to protect the passwords. The key needed to undo the syskey encryption is stored in the SYSTEM file in the same folder. While Windows is running these files are locked: only the operating system itself can open them. You can get at the SAM and SYSTEM files only by booting a different operating system or by connecting the drive to another Windows computer.

    [Reset user passwords in admin mode]

    All versions of Windows XP have an "Administrator" account. This account has full access to the system and can reset the passwords of all other users. This can save you if for some reason you cannot log in with your normal user password. How the administrator password is used depends on the edition of Windows XP:

    XP Professional. The administrator password is set during installation of the operating system. If you wrote it down, or simply pressed Enter and left it blank, you can easily log in as the administrator and reset the user passwords. To log in as the administrator, press CTRL + ALT + DEL twice at the welcome screen; the classic logon window appears, where you can enter the administrator name and password.

    Once the system has started, go to Start > Control Panel > User Accounts and change the required password. While you are there, it is a good opportunity to correct your mistake if you left the administrator password blank. It is also advisable to rename the 'Administrator' account: this name is known to everyone and is the first one tried by anyone wanting to get into your computer. To rename it, right-click 'My Computer', select 'Manage', expand 'Local Users and Groups' and open the 'Users' folder. Right-click the 'Administrator' entry and rename it.
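    The same two hardening steps (rename the built-in Administrator and make sure it is not allowed a blank password), as an added example that is not part of the original article. It is written for a current Windows version where the Microsoft.PowerShell.LocalAccounts cmdlets exist (Windows 10 / Server 2016 and later; Windows XP itself has no PowerShell). The account is located by its well-known relative identifier 500 rather than by name, so the check still works after a rename. The new account name is an assumed placeholder.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell on
# Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts module).
# -NewName is an assumed placeholder; pick a name that is not easy to guess.
param(
    [string]$NewName = 'LocalMaint01',
    [switch]$Fix
)

# The built-in Administrator is the account whose SID ends in RID 500. Renaming
# it does not change the SID, so this finds it whatever it is currently called.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'Built-in Administrator account (RID 500) not found.' }

$findings = New-Object System.Collections.Generic.List[string]
if ($builtin.Name -eq 'Administrator') {
    $findings.Add('Still uses the well-known name "Administrator".')
}
if (-not $builtin.PasswordRequired) {
    $findings.Add('A blank password is permitted for this account.')
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $($builtin.Name) (RID 500) is renamed and requires a password."
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
}

if ($Fix) {
    $name = $builtin.Name
    if ($name -eq 'Administrator') {
        Rename-LocalUser -Name $name -NewName $NewName
        $name = $NewName
    }
    if (-not $builtin.PasswordRequired) {
        # Read the password interactively rather than embedding it in the script.
        $pw = Read-Host -AsSecureString "New password for $name"
        Set-LocalUser -Name $name -Password $pw -PasswordNeverExpires $false
        # Clear the "password not required" flag so a blank password is refused.
        net user $name /passwordreq:yes
    }
    Get-LocalUser -Name $name | Format-List Name, SID, Enabled, PasswordRequired
}
```

    Run it without -Fix first to see the findings; with -Fix it renames the account and prompts for a new password only where a finding was raised.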

    XP Home. This edition will not let you log in as the administrator in the normal way. You first have to start the computer in safe mode. To do this: restart the computer; immediately after the BIOS self-test, press F8 several times; in the menu that appears, select 'Safe Mode'. When the system has started, log in with the user name 'Administrator'. By default this account has no password. You can now change user passwords through Start > Control Panel > User Accounts. When you are done, restart the computer normally.

    [Making a disc that resets passwords]

    Windows XP allows you to write to a regular diskette information that provides the ability to reset the password. Naturally, if you have already forgotten the password and cannot access the system, you will not be able to create a disk, but it’s worthwhile to get such a diskette in advance to protect yourself from such accidents.

    To create the diskette: go to Start > Control Panel > User Accounts; select the account you are logged in with; in the list of related tasks, select 'Prevent a forgotten password'; follow the instructions of the wizard that starts.

    To reset a password using the diskette: if you enter a wrong password at logon, the system asks whether you have forgotten it. At this point you can use the diskette, following the step-by-step instructions the operating system gives.

    Be careful: if you used the built-in Windows file and folder encryption but did not install the operating system update (Service Pack 1), resetting the password will result in the loss of the encrypted information.

    [Utilities for changing passwords Windows NT / 2000 / XP]

    There are special utilities that allow you to edit or reset the passwords of Windows NT / 2000 / XP users. Most of them work by booting a minimal alternative operating system, such as DOS or Linux, under which the files containing the passwords can be accessed.

    An example of such a utility can be found at this address: instructions for using it, as well as the files for creating a Linux boot disk, are available on the same site.

    Note that if you used the operating system's file and folder encryption, changing the password with any such utility will cost you access to the encrypted data. In that case the following method may help: instead of replacing the forgotten password with a new one, it lets you find out the old one.
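    The caveat above (and the same one in the section on the password reset diskette) is easy to discover too late. As an added example that is not part of the original article, the following PowerShell script lists the EFS-encrypted files under a folder before anyone resets a password, and then backs up the current user's EFS certificate and private key with the built-in cipher.exe so the files remain recoverable afterwards. The folder and backup paths are assumed placeholders; the script is written for current Windows versions.

```powershell
# Added example, not code from the article. Lists EFS-encrypted files under a
# folder so you know what a password reset would make unreadable, then backs up
# the current user's EFS certificate and key. $Root and $BackupBase are assumed.
param(
    [string]$Root = $env:USERPROFILE,
    [string]$BackupBase = (Join-Path $env:USERPROFILE 'efs-key-backup')
)

# A file is EFS-encrypted when the Encrypted bit is set in its attributes.
$encFlag = [System.IO.FileAttributes]::Encrypted
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $encFlag) -eq $encFlag }

if (-not $encrypted) {
    Write-Output "No EFS-encrypted files found under $Root."
} else {
    $bytes = ($encrypted | Measure-Object -Property Length -Sum).Sum
    Write-Output ("{0} encrypted file(s), {1:N1} MB, under {2}" -f @($encrypted).Count, ($bytes / 1MB), $Root)
    $encrypted | Select-Object -First 20 -Property FullName, Length | Format-Table -AutoSize
}

# Export the EFS certificate with its private key to <BackupBase>.pfx.
# cipher /x prompts for a password to protect the PFX; store the file away from
# this machine so the data stays recoverable even after the account password
# is reset and the old key material is no longer usable from the profile.
cipher.exe /x "$BackupBase"
```

    Run the script as the user whose files are encrypted; the certificate export only covers that user's own EFS key.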

    [Windows XP User Passwords]

    Selection and decoding of passwords

    If nothing else helps but you have physical access to the computer, all is not lost. You can copy the SYSTEM and SAM files and try to recover the passwords stored in them with special third-party utilities. As already mentioned, you have to use an alternative operating system such as DOS or Linux to do this. Once the files are in your hands, you can use one of the password-recovery programs, for example LC4 or Proactive Windows Security Explorer.

    [You will need ...]

    • Access to another computer.
    • At least two empty floppy disks.
    • A command-line archiver, for example RAR.
    • A DOS or Windows 98 boot disk (the image of the required disk can be obtained at ) or a minimal version of Linux (for example, Knoppix). No boot disks are needed if you can simply connect your hard disk to another computer. If you use a DOS boot disk and the partitions on your hard disk use the NTFS file system, you will need a program that lets you read NTFS partitions under DOS, such as NTFSDOS.
    • A program for recovering the passwords. We recommend Proactive Windows Security Explorer, since the beta version of this program is free, whereas the free version of LC4 is very limited.
    Using a DOS boot floppy:

    • If your hard disk has NTFS-formatted partitions, copy the NTFSDOS program to the boot diskette.
    • Copy the archiver (RAR) to the boot diskette.
    • Boot the computer from this diskette. If there are NTFS partitions, run the NTFSDOS command; it shows which drive letter has been assigned to your system disk, and you must use that letter instead of C: in the next step.
    • Archive the system files containing the passwords. For example, with the rar32 archiver the command looks like this: rar32 a -v a:\systemandsam c:\windows\system32\config\system c:\windows\system32\config\sam If the files do not fit on one diskette, the archiver will ask you to insert the second one.
    Password cracking

    Whichever program you choose, it will display the list of accounts found in the SAM file. Select the accounts whose passwords you need to recover. If you are using Proactive Windows Security Explorer, select Attack type: Brute-force. If you used only digits in the password, tick the 'all digits (0-9)' box. Start the recovery with the Recovery menu command.

    Password recovery can take from 10 minutes to several hours, or even several days, and may end in failure, especially if the password contains letters of both cases, digits and special characters.

    This is a good way to check the strength of your own passwords. If you only want to test your password, follow the steps above and see how long it takes to recover it.
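    The reason the time varies so much is the size of the search space, which grows with both the length of the password and the number of character classes it uses. As an added example that is not part of the original article, this PowerShell function works out that search space for a given password and converts it to a worst-case and average time at an assumed rate of a billion guesses per second (an illustrative figure, not a measurement of any tool). The three sample passwords at the end are constructed.

```powershell
# Added example, not code from the article. Estimates the brute-force search
# space for a password from the character classes it contains, so that password
# choices can be compared. The guess rate is an assumed illustrative figure.
function Get-PasswordSearchSpace {
    param(
        [Parameter(Mandatory)][string]$Password,
        [double]$GuessesPerSecond = 1e9   # assumed attacker throughput
    )
    # Character classes of printable ASCII and their sizes; ordered for output.
    $classes = [ordered]@{
        lower  = @{ Size = 26; Pattern = '[a-z]' }
        upper  = @{ Size = 26; Pattern = '[A-Z]' }
        digit  = @{ Size = 10; Pattern = '[0-9]' }
        symbol = @{ Size = 33; Pattern = '[^A-Za-z0-9]' }
    }
    $alphabet = 0
    $used = @()
    foreach ($name in $classes.Keys) {
        # -cmatch is case-sensitive, so [a-z] and [A-Z] are told apart.
        if ($Password -cmatch $classes[$name].Pattern) {
            $alphabet += $classes[$name].Size
            $used += $name
        }
    }
    # Search space = alphabet ^ length; on average half of it is tried before a hit.
    $space   = [bigint]::Pow([bigint]$alphabet, $Password.Length)
    $seconds = [double]$space / $GuessesPerSecond
    [pscustomobject]@{
        Length        = $Password.Length
        Classes       = ($used -join '+')
        Alphabet      = $alphabet
        SearchSpace   = $space
        WorstCaseDays = [math]::Round($seconds / 86400, 3)
        AverageDays   = [math]::Round($seconds / 86400 / 2, 3)
    }
}

# Constructed samples of equal length: digits only (the 'all digits' case in
# the text), a lower-case word, and a password mixing all four classes.
'12345678', 'password', 'Pa5sw0r!' | ForEach-Object { Get-PasswordSearchSpace -Password $_ } |
    Format-Table -AutoSize
```

    At the assumed rate the eight-digit password is exhausted in a fraction of a second (10^8 guesses), the lower-case word in minutes (26^8), and the four-class password only after about 6.6 x 10^15 guesses, which is months of work; lengthening the password raises the exponent and has a larger effect still.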


    We hope you never have to resort to the methods described here. To avoid the need, remember that all important passwords should be written down. And if you really need to protect the information on your computer, use passwords made of upper- and lower-case letters and digits and avoid common words; such passwords are very difficult to crack.