Applies to: Microsoft Windows 95, 98, ME, 2000, XP.
Last updated: Monday May 02, 2011
Often times we are faced with a PC where all the user accounts are password protected and we don't know the passwords. Either someone changed it and forgot the new one, or in a corporate environment, an employee has left the company and didn't tell us the password. This is a quick tutorial on how to regain control of the Administrator account on such a machine in order to clear or change all the other passwords and regain control of the system, all user accounts, and all the data on it. This cannot be done from within Windows itself since it keeps this data in one of two "hive" files that make up the registry. These "hive" files are actually databases that regedit gets its info from but not passwords. We need an offline editor like Linux to access and edit these files. Luckilly its not as scary as it sounds thanks to the EBCD and its NT Password Editor.
The first method is the simplest and is often overlooked. Windows always creates a default "Administrator" account that may not be password protected. To check this, log out of the current user so you are at the Windows login screen. In Windows XP this is the one with the big icons for each user the says "To begin, click your user name". If one of the usernames on this screen is not specifically "Administrator" you may be in luck. Earlier OS's have different login screens but the principle is the same. Now try the following.
From the login screen tap crtl-alt-del twice. This will give you a different login screen (on previous OS's you are probably already there) where you can enter the username and password into a dialog box. If there are multiple user accounts they will all be in a dropdown box. You will not see "Administrator" in this list. Don't worry. Simply enter "Administrator" as the username and leave the password blank. Then click "OK". You will now be logged in. If it returns an error screen saying the system could not log you on, then the system administrator account has been setup with a password and you will need to wipe it using some kind on Unix/Linux tools. I recommend E.B.C.D. (Emergency Boot CD).
First you will need to create the bootable CD. Download the EBCD iso file from the link below. Burn this disk image to a blank CD and label it E.B.C.D.. This is a disk you will want to keep in your toolbox for the future. It is a linux based bootable disk with a lot of diagnostic, service and repair utilities including the NT Password Editor.
E.B.C.D.: EBCD.iso (60.6 MB) Last updated: May 01, 2011.
Boot the suspect PC with the EBCD disk. From the disk's boot menu select 5 and hit enter. This will launch the NT password editor (linux based)
You will be asked about SCSI drivers – Press enter
Probe for SCSI-drivers: [n] – press Enter
Next it will show a chart of all partitions on all the physical drives and mark the bootable ones with an asterisk. Most systems will show /dev/hda1 with an asterisk. This is the system drive.
What partition contains your NT installation? [/dev/hda1] : - press enter
What is the full path to the registry directory?
[windows/system32/config] : - press enter
Which hives (files) do you want to edit (leave default for
password setting, separate multiplenames with spaces)
[sam system security] : - press enter
Now you are presented with a menu that looks like this:
1 – Edit user data and passwords
2 – syskey status & change
- - - -
9 – Registry editor, now with full write support!
Q – Quit (you will be asked if there is something to save)
What to do?  -> press enter (this will select option 1 - "Edit user data and passwords")
You will now see a list of all user acconts including the Administrator account
Select: ! - quit, . - list us . . . . . .
. . . . . . . . to change: [Administer] press enter (we want to edit the Administrator password)
next prompt about password expiry (y/n) [n] press enter (this leaves the existing password expiry flag alone)