This page has been robot translated, sorry for typos if any. Original content here.

Windows NT / 2000 / XP password hacking

  • [Introduction]
  • [How to get around the BIOS password? ]
  • [View passwords stored by Windows]
  • [Windows XP user passwords]
  • [Reset user passwords in administrator mode]
  • [Creating a password reset disk]
  • [Utilities for changing Windows NT / 2000 / XP passwords]
  • [Windows XP user passwords]
  • [You will need ...]

  • [Introduction]

    This guide will tell you what to do if you forgot your Windows XP password and how to solve this problem without reinstalling the operating system. In addition, we will consider other possible problems with passwords.
    Windows 2000 and Windows XP have enhanced security features compared to earlier Windows 9x / Me systems. They have a more efficient password system designed for business use so that no one without the necessary permissions can access information on your computer. This is a double edged sword. Most users forget at least once some important password. And then the user becomes the "enemy without access rights" for his computer.

    Naturally, for each protection method there is a way around it, especially if you have physical access to the computer.

    In this article, we will look at various methods to protect your computer with a password and ways to get around them. We will start not with user account passwords, but with no less important passwords, such as BIOS and Internet Explorer passwords.

    [How to get around the BIOS password? ]

    The BIOS password is one of the oldest ways to protect your computer from unauthorized access and one of the most common. Why? This is one of the most effective means if the user does not have access to the system unit. Otherwise, it’s the same as locking the house with many locks and leaving the window open.

    The default BIOS settings on all motherboards do not store password information. So all you need to do to remove the BIOS password is simply reset the current settings, restoring the default configuration. But remember that resetting the current BIOS settings will destroy not only the password, but also all those settings that you set yourself.

    There are two ways to reset BIOS settings. Most motherboards have a special jumper to clear CMOS (the memory in which BIOS settings are stored). Usually this jumper is located near the battery on the system board, but for complete certainty it is advisable to refer to the instructions from the motherboard. On some motherboards, instead of a jumper, there are just two contacts that you need to close with a metal object, for example, a screwdriver, to reset the CMOS.

    If your board has a jumper, then turn off the computer to clear CMOS, set the jumper so that it closes the jumper contacts, and press the power button on the computer. Your computer will not start to boot, but the settings in CMOS will be reset. Remove the jumper and turn on the computer again. Most likely, you will see on the screen a request to press F1 to set the BIOS parameters. If you are satisfied with the default settings, press F1 and select 'Save and exit' from the BIOS menu. After that, the computer will boot as usual, with the exception of the BIOS password.

    If you don’t know where your jumper is located on your board or if it doesn’t exist at all, that is quite possible, you will have to go the other way. Each system board has a battery, which is the power source for the CMOS memory, allowing you to store information. This is usually a standard CR2032 battery.

    To clear the CMOS, turn off the computer and remove the battery (you may need a thin screwdriver). After 5-10 minutes, replace the battery and turn on the computer. The default settings will be set in the BIOS, but there will be no password. To continue the download, you will need to press the F1 key, and if you are satisfied with the default settings, select the 'Save and exit' item in the BIOS menu that appears.

    As you have seen, all this is very simple on a desktop computer, but with a laptop, the BIOS password can be a serious problem. Due to the frequent thefts of laptop computers, manufacturers made sure that access without a password was almost impossible. So, if you forgot the BIOS password on your laptop, most likely you will have to contact the manufacturer’s service center.

    [View passwords stored by Windows]

    In addition to access passwords for various users, Windows stores a number of other equally important passwords: an Internet connection password, mailbox passwords or access to web sites. As a rule, there are a lot of them, so it is quite natural that they are forgotten over time.

    The operating system offers an "auto-complete" function for passwords and other frequently entered information in Internet Explorer. So it’s not uncommon for a user to enter a password once, but after a few months, of course, cannot remember it. Everyone understands that important passwords need to be recorded, but not all do it. And if you don’t remember the password, how to find it out, because it is displayed as a series of asterisks: ******?

    The solution is offered by programs from different manufacturers that can get a password from this string of stars. There are quite a few freeware programs for decrypting Windows passwords or hidden passwords from Internet Explorer input lines.

    We will use the Asterisk Key program from Passware. This is an easy-to-use freeware program that analyzes passwords hidden by asterisks and reports them to you. It is very easy to work with her. Just select the password line and press the 'recover' button.

    Of course, there are commercial versions of programs, which, as a rule, have a large set of functions. For example, Password Recovery Toolbox scans the system and determines the saved passwords, data saved for automatic completion, Outlook Express passwords, passwords for connecting to the Internet, etc. This information is then presented in a convenient form.

    [Windows XP user passwords]

    Windows XP stores user passwords in a modified form. For example, the password "password" will be stored as a string like this: 'HT5E-23AE-8F98-NAQ9-83D4-9R89-MU4K'. This information is stored in a file called SAM in the C: windowssystem32config folder.

    This part of the SAM file is encrypted with the syskey system utility to improve password security. The data necessary to decrypt the information after syskey is stored in the system file in the same folder. But this folder is not accessible to any of the users. Only the operating system itself has access to it during its operation. You can access SAM and system files only under the control of another operating system or by connecting the drive to another Windows computer.

    [Reset user passwords in administrator mode]

    All versions of Windows XP have an "administrator" account. This name gives the user full access to the system and the ability to reset the passwords of all other users. This can save you if for some reason you cannot log in with your normal user password. The specifics of using the administrator password depends on the version of Windows XP:

    XP Professional. The administrator password is set during the installation of the operating system. If you wrote it down or simply hit enter, leaving it blank, then you can easily log in as an administrator and reset user passwords. To enter the system in administrator mode, on the screen with the system welcome, press CTRL + ALT + DEL twice, a window for entering the administrator password will appear.

    When the computer boots up, go to the 'startcontrol paneluser accounts' and change the required password. If you are already here, this is a good opportunity to correct your mistake if you left the administrator password blank. In addition, it is advisable to change the account name 'adminisrator'. This name is known to all, and it is used first to access your computer. To change the name of the account, right-click on 'my computer' (my computer) and select 'manage' (management). Expand 'local users and groups' and open the 'users' folder. Right-click on the 'administrator' entry and change it.

    XP Home. This system will not let you just access your computer in administrator mode. First you need to boot the computer in crash protection mode. To do this: restart the computer; immediately after testing the BIOS, press F8 several times; in the menu that appears, select 'start Windows XP in safe mode' (load Windows XP in crash protection mode). When the computer boots up, log in with the username 'administrator'. There is no default password. Now you can change user passwords by going to the 'startcontrol paneluser accounts' (start control panel user accounts). When you're done, restart your computer in the usual way.

    [Creating a password reset disk]

    Windows XP allows you to write to a regular diskette information that provides the ability to reset the password. Naturally, if you have already forgotten the password and can’t access the system, you won’t be able to create any disk, but it’s worth it to set up such a diskette in advance to protect yourself from such accidents.

    To create a diskette: go to the 'startcontrol paneluser accounts' (start-up control panel user accounts); select the name under which you are logged in; in the related tasks menu, select 'prevent a forgotten password'; follow the instructions of the starting wizard.

    To reset passwords using a floppy disk: if you enter the password when entering the system incorrectly, the system will ask or you did not forget it; At this point, you can use your floppy disk following the step-by-step instructions of the operating system.

    Be careful: if you used the built-in capabilities of Windows to encrypt files and folders, but did not install the operating system update (service pack 1), deleting the password will result in the loss of encrypted information.

    [Utilities for changing Windows NT / 2000 / XP passwords]

    There are special utilities that allow you to edit or reset user passwords for Windows NT / 2000 / XP. The principle of operation of most of them is to download the minimum version of an alternative operating system, such as DOS or Linux, under which you can access files with passwords.

    An example of such a utility can be found at this address: Operating instructions, as well as files for creating a bootable Linux disk, are available on the same site.

    Please note that if you used the functions of the operating system to encrypt files and folders by changing the password using any program, you will lose access to encrypted data. In this case, the following method may help, allowing you not to replace the forgotten password with a new one, but to find out the old one.

    [Windows XP user passwords]

    Password cracking and decryption

    If nothing else helps, but you have physical access to the computer, then not everything is lost. You can rewrite the config and SAM files and try to decrypt the passwords that are stored in them using special third-party utilities. As we already said, for this you will have to use an alternative operating system, such as DOS or Linux. And when the files are at your disposal, you can use one of the programs for decrypting passwords, for example, LC4 or Proactive Windows Security Explorer.

    [You will need ...]

    Access to another computer.
    At least two empty floppy disks.
    An archiver designed to work with the command line, for example, RAR.
    A DOS or Windows 98 boot disk (the image of the required disk can be obtained at or the minimum version of Linux (for example, Knoppix). There is no need for bootable disks if you can simply connect your hard drive to another computer. If you use a DOS boot disk, and partitions on your hard disk use the NTFS file system, then to access them you need a program that allows you to view partitions in NTFS format, for example, NTFSDOS, under DOS.
    A program for obtaining passwords. We recommend using Proactive Windows Security Explorer, since the beta version of this program is free, and the free version of LC4 is very limited.
    Using a DOS boot diskette:

    If your hard drive has NTFS partitions, copy the NTFSDOS file to your boot disk.
    Copy the archiver (RAR) to the boot diskette.
    Boot the computer from this diskette. If there are partitions with NTFS, type the NTFSDOS command, this program will show which letter is assigned to your system disk, and you will need to use it instead of the letter C in the next paragraph.
    Archive system files with passwords. For example, if you use the rar32 archiver, the corresponding command will look like this: Rar32 a -va: systemandsam c: windowssystem32configsystem c: windowssystem32configsam If the files do not fit on one diskette, the archiver will ask you to insert the second.
    Password cracking

    Each of the programs you have selected will list the accounts found in the SAM file. Select the ones you need to identify passwords for. If you are using Proactive Windows Security Explorer, select Atack type: Brute-force. If you used only digits in the password, check 'all digits (0-9)'. Start the process of password selection using the command from the Recovery menu.

    Password guessing can last from 10 minutes to several hours, or even several days, and may fail. Especially if the password uses letters in different registers, numbers and special characters.

    This is a good way to check the strength of your passwords. If you just want to verify your password, follow the steps above and see how long it takes to find it.


    We hope that you do not have to resort to the methods described by us. To avoid such a need, remember that all important passwords must be recorded. And if there is a real need to protect information on your computer, then use passwords from characters in both registers and numbers and do not use ordinary words. In this case, your passwords will be very difficult to crack.