Clarify Technical Services - Tip #9

Breaking login passwords on Windows 9X, 2000 and XP.

Applies to: Microsoft Windows 95, 98, ME, 2000, XP.
Last updated: Monday May 02, 2011


Often times we are faced with a PC where all the user accounts are password protected and we don't know the passwords. Either someone changed it and forgot the new one, or in a corporate environment, an employee has left the company and didn't tell us the password. This is a quick tutorial on how to regain control of the Administrator account on such a machine in order to clear or change all the other passwords and regain control of the system, all user accounts, and all the data on it. This cannot be done from within Windows itself since it keeps this data in one of two "hive" files that make up the registry. These "hive" files are actually databases that regedit gets its info from but not passwords. We need an offline editor like Linux to access and edit these files. Luckilly its not as scary as it sounds thanks to the EBCD and its NT Password Editor.

First attempt:

The first method is the simplest and is often overlooked. Windows always creates a default "Administrator" account that may not be password protected. To check this, log out of the current user so you are at the Windows login screen. In Windows XP this is the one with the big icons for each user the says "To begin, click your user name". If one of the usernames on this screen is not specifically "Administrator" you may be in luck. Earlier OS's have different login screens but the principle is the same. Now try the following.

From the login screen tap crtl-alt-del twice. This will give you a different login screen (on previous OS's you are probably already there) where you can enter the username and password into a dialog box. If there are multiple user accounts they will all be in a dropdown box. You will not see "Administrator" in this list. Don't worry. Simply enter "Administrator" as the username and leave the password blank. Then click "OK". You will now be logged in. If it returns an error screen saying the system could not log you on, then the system administrator account has been setup with a password and you will need to wipe it using some kind on Unix/Linux tools. I recommend E.B.C.D. (Emergency Boot CD).

What you will need and where to get it:

First you will need to create the bootable CD. Download the EBCD iso file from the link below. Burn this disk image to a blank CD and label it E.B.C.D.. This is a disk you will want to keep in your toolbox for the future. It is a linux based bootable disk with a lot of diagnostic, service and repair utilities including the NT Password Editor.

E.B.C.D.: EBCD.iso (60.6 MB) Last updated: May 01, 2011.


Boot the suspect PC with the EBCD disk. From the disk's boot menu select 5 and hit enter. This will launch the NT password editor (linux based)

You will be asked about SCSI drivers – Press enter

Probe for SCSI-drivers: [n] – press Enter

Next it will show a chart of all partitions on all the physical drives and mark the bootable ones with an asterisk. Most systems will show /dev/hda1 with an asterisk. This is the system drive.

What partition contains your NT installation? [/dev/hda1] : - press enter

What is the full path to the registry directory?
[windows/system32/config] : -
press enter

Which hives (files) do you want to edit (leave default for
password setting, separate multiplenames with spaces)
[sam system security] : -
press enter

Now you are presented with a menu that looks like this:
1 – Edit user data and passwords
2 – syskey status & change
- - - -
9 – Registry editor, now with full write support!
Q – Quit (you will be asked if there is something to save)

What to do? [1] ->
press enter (this will select option 1 - "Edit user data and passwords")

You will now see a list of all user acconts including the Administrator account

Select: ! - quit, . - list us . . . . . .
. . . . . . . . to change: [Administer]
press enter (we want to edit the Administrator password)

next prompt about password expiry (y/n) [n] press enter (this leaves the existing password expiry flag alone)


* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password:
press * then enter (this will blank the existing password)

Do you really wish to change it? (y/n) [n] press y then enter (of course or we wouldn't be here)

At the next prompt, press ! Then enter

You will be back to the menu.

What do you want to do? [1] press q then enter (we already edited the user data and passwords so new we want to quit)

Hives that have changed:
# Name
0 <.sam>.
Write hive files? (y/n) [n]
press y then enter ( we came this far so we might as well save our work and rewrite the hive files)

About to write file(s) back! Do it? [n] : press y then enter ( the last sanity check before writing the files)

Now eject the CD and press ctrl-alt-del to reboot

Now go to the login screen and again hit ctrl-alt-del twice. Enter Administrator as the username and leave the password blank. Boom goes the dynamite! You are in!

Now that you are in as Administrator click "Start" "Run" and enter "control userpasswords2" in the run box and press enter.

Now you can select any other users on the system and simply click the "Reset Password..." button. You will be asked for a new password. You can leave these fields blank and just press "OK"

Now you can log out as Administrator and log in as any other user.

And they thought they were smarter than you!!