1998-03-24: Please note: Due to an upcoming change of webservers, please access this page through http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html and not the old address with login.eunet.no etc.

Offline NT Password Utility, Bootdisk
---------------------------------------------------------------------------

I've put together a single floppy which contains the things needed to edit the passwords on most systems. It uses Linux as the OS, because it's freely distributable, easy to program, and supports compressed bootdisks/ramdisks.

The bootdisk supports standard (dual) IDE controllers, and most (if not all) SCSI controllers supported in the Linux 2.0.29 kernel distribution. It does not need any other special hardware; it will run on a 486 or higher, with 16 MB RAM or more. (Who wants to run NT in less than 16 MB RAM?? *shrug*)

There's full FAT filesystem support, including long filenames (VFAT), but only limited NTFS support through Martin von Löwis' NTFS utilities for Linux. This implementation of NTFS is still very ALPHA/BETA, and mostly read-only. However, there's a utility (ntchange) that can write back an already existing file of the same length. And that's just what we need.

---------------------------------------------------------------------------
How to use?

* WARNING 1: IF RUN ON SYSTEMS WITH THE SERVICE PACK 3 SYSKEY (for stronger password encryption) THIS UTILITY WILL VERY LIKELY RUIN YOUR PASSWORD (SAM) FILE. It seems to work on SP3 without the syskey installed, however. I'm working on this thing..
* WARNING 2: There's NO SUPPORT FOR STRIPES/MIRRORS in the NTFS driver. Trying it on stripes/mirrors MAY DESTROY THE STRIPESET! Thanks to Joe Ashley from the UK for pointing this out.
* Shut down the machine and insert the floppy.
* Let the machine boot from the floppy. Some computers may require adjustments in the BIOS setup to allow booting from floppy.
* The "LILO boot:" prompt will hopefully appear.
* Press enter/return to start loading the kernel.
  People with knowledge of Linux may of course give parameters to the kernel here if necessary.
* The kernel will start, and soon show a message that it is loading a compressed ramdisk image from the floppy. (This is the root filesystem with the utilities.)
* After loading the filesystem, the bootfloppy is no longer required, and you may remove it if you wish.
* The scripts that automatically control the process will start, saying they are creating a 2MB ramdisk for temp data & such. After that, you will be asked to press return to continue.
* Some banners will be shown; press return to continue.
* It will now prompt for SCSI-controller drivers. You may:
  1. answer 'y' to probe all available drivers. It will stop probing once it manages to initialize one controller.
  2. answer 'n' to skip searching for SCSI cards. Use this if you only have IDE disks.
  3. or at the prompt, enter the Linux module name of the driver, and optionally parameters for it, to go directly for one.
* Next comes a list of all found partitions on all disks, followed by a list of what it thinks are NTFS partitions.
* At the prompt to select a partition, the first bootable NTFS partition will be the default selection. You may however select another partition (also a FAT partition) by giving its full name (like /dev/hda1 or /dev/sda1).
* If the partition you selected was NTFS, it will show the dir listing of the root (\) of the partition. Otherwise it will try to mount the partition as a FAT filesystem with long filenames (VFAT).
* Next up is the prompt for Backup or Restore, which allows you to write the sam file (or others) to a floppy, for later restore to the harddisk. The floppy must already be formatted, but doesn't need to be empty; nothing will be deleted, unless you overwrite an already existing file. Just follow the prompts, or enter ! to skip the backup/restore part. You select path and direction (backup or restore), then you will be prompted for filename(s).
  You may give multiple names, separated with spaces, or use wildcards, or a combination. NOTE: These are unix type shell wildcards: * expands to ALL FILES, *.* expands to all files with one or more . in the name - files without . will be left out.
* Then you must select the full path (relative to the partition) of the sam file. This is usually 'winnt\system32\config\sam', which is the default selection.
* Then the sam file will be copied to /tmp (in the ramdisk). If this fails, it will prompt for another path.
* Now it has everything it needs, so the 'chntpw' utility will be started, working on the file in /tmp. There:
  1. All usernames it can find (may miss some, see below..) in the file will be listed.
  2. You will then be prompted for the user whose password you want to change. (Default selection is administrator.) It will continue to prompt for a username until '!' is given.
  3. Some information on the user will be shown (and still with some debug info) before the prompt for a new password.
  4. Enter the new password, max 14 chars (it will show on the screen). Or enter nothing to keep it unchanged.
  5. Then confirm the change. (This is for the change to the file, which at this point is located as a temp file in the ramdisk; writeback comes later.)
* If the 'chntpw' utility succeeds, you will be prompted to confirm the writeback to the NT disk/filesystem. Only 'y' is accepted for it to commit the changes.
* After everything is complete, you will get the "# " shell prompt. You may then reset the computer (three-finger-salute).

What can go wrong?

Lots of things can go wrong, but most faults won't damage your system. The most critical moment is when writing back the sam file to NTFS. Also, the file written back may be corrupt (from chntpw messing it up), preventing your NT system from booting properly. YOU HAVE BEEN WARNED! An indication of a corrupt SAM is that the Netlogon service will fail to start, which again means it's impossible to log in.
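
Added example (not part of the original page or of the bootdisk scripts): it shows why the wildcard note in the backup step matters, since 'sam' has no dot in its name and '*.*' therefore skips it, and it checks the two conditions the write-back depends on: a verified backup, and an edited file of exactly the original length. The helper names, the sample directory and its contents are constructed for illustration, and it assumes mktemp, cmp and wc are available in the shell you run it in.

```shell
#!/bin/sh
# Added example. The directory below is a constructed stand-in for
# winnt\system32\config; names and contents are sample data.

# Count entries in $1 matching shell pattern $2 (left unquoted so it globs).
count_matches() {
    dir=$1; pattern=$2; n=0
    for f in "$dir"/$pattern; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# Return 0 only if the backup is byte-identical to the original (1 if not)
# and the edited copy has exactly the original's length (2 if not).
safe_to_write_back() {
    orig=$1; edited=$2; backup=$3
    cmp -s "$orig" "$backup" || return 1
    [ "$(file_size "$orig")" -eq "$(file_size "$edited")" ] || return 2
    return 0
}

# Build the constructed sample tree and print its path.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/config" "$d/floppy" "$d/tmp"
    for name in sam sam.log security security.log system system.alt; do
        printf 'constructed-%s' "$name" > "$d/config/$name"
    done
    cp "$d/config/sam" "$d/floppy/sam"                   # backup to "floppy"
    printf 'CONSTRUCTED-sam' > "$d/tmp/sam"              # edit, same length
    printf 'constructed-sam-longer' > "$d/tmp/sam.bad"   # edit, length changed
    echo "$d"
}

demo=$(make_demo)
echo "'*' matches $(count_matches "$demo/config" '*') files"
echo "'*.*' matches $(count_matches "$demo/config" '*.*') files; sam is not one"
safe_to_write_back "$demo/config/sam" "$demo/tmp/sam" "$demo/floppy/sam" \
    && echo "same length, backup verified: ok to write back"
safe_to_write_back "$demo/config/sam" "$demo/tmp/sam.bad" "$demo/floppy/sam" \
    || echo "refusing write-back (status $?)"
rm -rf "$demo"
```
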

The most likely things to happen are: cannot find your SCSI controller, cannot parse the partition tables correctly, cannot read the NTFS (I told you it was ALPHA code), the scripts crap out in some way or another due to a bug or something, or cannot find some or all users in the sam file.

For Linux-knowledgeable people: you may do things manually if the scripts fail; you have shells on tty1-tty4 (ALT F1 - ALT F4).

---------------------------------------------------------------------------
Bootdisk history

980211: (bootdisk update only)
* Contains updated NTFS driver (from December 1997), not sure if it's any better.
* Some SCSI drivers updated. (I know at least the Adaptec 2940 is better.)
* Note that probing one of the NCR drivers if you don't have the card may hang. Fix for this coming soon.

970615: (bootdisk update only)
* You now have the option to backup or restore files from floppy. This will happen after the partition select, but before the 'select sam path'. You may backup any file, as long as it fits the floppy.
* It's now possible to restart the script procedure without rebooting, with the command:
      sh /etc/main.rc

970611:
* When the selected filesystem was FAT, it failed (the mount was commented out for debugging purposes..). Works now, I hope.
* Messed up the SAM file (causing Netlogon to fail -> impossible to login) if a blank password was edited. chntpw will now flag accounts with blank passwords and refuse to change them.
* Password changing now loops; it will ask for an account name to edit until ! (exclamation point) is entered.
* Not a bug, but please note that NTFS and OS2 HPFS use the same partition ID number. The bootdisk uses Linux fdisk, which says OS2 HPFS.

9705xx:
* First public release.

---------------------------------------------------------------------------
Download

* bd980211.bin (1.4MB) - Bootdisk image (980211)
* rawwrite.exe - DOS Program to write the image.

NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.

Use:
    rawrite bootdisk.bin a:
Or from unix:
    dd if=bootdisk.bin of=/dev/fd0 bs=1024

---------------------------------------------------------------------------
TODO:
Backup of SAM file to floppy.
Support for syskey.. gotten closer, but still a long way to go..

---------------------------------------------------------------------------
980309, pnordahl@eunet.no