Everhart, Glenn

From: shark@lawyer.com
Sent: Monday, November 30, 1998 11:16 AM
To: ntsecurity@iss.net; lassaf@owss.com
Subject: [NTSEC] How to recover a lost Admin password

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

This sort of thing was covered earlier this month. If you don't have Syskey, you can use the Linux disk. You could use NTFSDOS to read the SAM and try to crack the admin password using L0phtcrack (could take a long time). Failing that, you could try the following. The person in question could log on using an ordinary user account. I assume you can't log on, period, so things like "sechole" are out. Basically, install a temporary NT on the machine, trojan the system screensaver with UserAdmin and change the administrator password.

Matthew S Cramar wrote to ntsecurity@iss.net on 3rd Nov 98:

For the record this laptop was SP4 domestic, SYSKEYed, and NTFS all around. For those interested, most people just sent me info on the old getadmin.exe, which doesn't work of course with SP4. The file I was originally looking for was called sechole.exe; only a couple of people remembered it. I found it over the weekend by reading all the archives of these lists, a tedious process, but I found an MS note concerning it. With the name and AltaVista I found a site that had it for download. However, I couldn't get it to work under SP4.

I continued reading archives and came across a discussion concerning how *.scr files are really just *.exe files, and also that NT runs the default (when no user is logged on) screen saver as System. So I used a temporary NT installation on the same machine to trojan the original logon.scr with USRMGR.EXE. Another person sent me instructions for this on Monday, so it appears to be widely useful.

Many others sent info recommending the stuff at www.sysinternals.com, but that costs $$$$ I knew I didn't want to spend. Others recommended the Linux boot disk that can write to the SAM and change the password, but of course that wouldn't work since I had SYSKEY. Thanks anyway. Hope this is useful to anyone else in the same boat. And, as I was able to get in Saturday night, everyone can stop sending me zips of the original getadmin (15 and counting) :-).

Matt

BTW, the "bug" I exploited can be disabled by changing the HKEY_USERS\.DEFAULT\Control Panel\Desktop ScreenSaveActive key to be 0. This should prevent the screensaver from ever starting. Hopefully in Win2000 (NT 5) MS will have fixed this and won't spawn processes running with the System privilege unless they *need* the system privilege.

// Shark
---------------------------------------------------
Get free personalized email at http://www.iname.com
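The mitigation Matt describes at the end of his post (setting ScreenSaveActive under HKEY_USERS\.DEFAULT to 0 so the logon-desktop screensaver never starts as System) can be audited rather than just applied. The script below is an added example, not part of the NTSEC post or of any tool mentioned in it. It reads the same registry key the post names, plus the standard SCRNSAVE.EXE value that records which .scr file the logon desktop would launch, checks whether that file carries a valid Microsoft Authenticode signature (a check that did not exist on NT 4 SP4; it assumes a current Windows with PowerShell 5.1 or later and an elevated session), and optionally applies the post's fix. The trusted-signer string and the function names are assumptions for this example.

```powershell
# Added example (not from the original NTSEC post): audit the logon-desktop
# screensaver configuration that the post's mitigation targets.
# Assumptions: elevated PowerShell 5.1+ on a current Windows release; the
# registry path and the ScreenSaveActive value are the ones the post names;
# SCRNSAVE.EXE is the standard value holding the configured .scr path.

$DesktopKey = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'

function Get-LogonScreensaverState {
    # Returns what the logon desktop (no user logged on) would run as a screensaver.
    $props = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    $active = if ($null -ne $props.ScreenSaveActive) { [string]$props.ScreenSaveActive } else { '(not set)' }
    $scr    = $props.'SCRNSAVE.EXE'
    if ($scr) { $scr = [Environment]::ExpandEnvironmentVariables($scr) }
    [pscustomobject]@{
        ScreenSaveActive = $active
        ScreensaverPath  = $scr
    }
}

function Test-LogonScreensaverHardened {
    # Evaluates the state against the post's recommendation and against
    # file-signature evidence; 'Microsoft' is an assumed signer substring.
    param([string]$TrustedSignerPattern = 'Microsoft')

    $state    = Get-LogonScreensaverState
    $findings = New-Object System.Collections.Generic.List[string]

    if ($state.ScreenSaveActive -ne '0') {
        $findings.Add("ScreenSaveActive is '$($state.ScreenSaveActive)'; the post recommends 0 so no screensaver runs on the logon desktop.")
    }

    if ($state.ScreensaverPath) {
        if (-not (Test-Path -LiteralPath $state.ScreensaverPath)) {
            $findings.Add("Configured screensaver '$($state.ScreensaverPath)' does not exist.")
        }
        else {
            # .scr files are PE executables (the point Matt's post makes), so the
            # same Authenticode check used for .exe files applies to them.
            $sig = Get-AuthenticodeSignature -LiteralPath $state.ScreensaverPath
            if ($sig.Status -ne 'Valid') {
                $findings.Add("Screensaver '$($state.ScreensaverPath)' signature status is '$($sig.Status)'.")
            }
            elseif ($sig.SignerCertificate.Subject -notmatch $TrustedSignerPattern) {
                $findings.Add("Screensaver '$($state.ScreensaverPath)' is signed by '$($sig.SignerCertificate.Subject)', not the expected signer.")
            }
        }
    }

    [pscustomobject]@{
        Hardened = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
        State    = $state
    }
}

function Set-LogonScreensaverDisabled {
    # Applies the post's mitigation: ScreenSaveActive is a REG_SZ value, so write '0' as a string.
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive' -Value '0' -Type String
}

# Usage: report first; pass -Remediate to apply the fix after reviewing the findings.
param([switch]$Remediate)
$result = Test-LogonScreensaverHardened
$result.State | Format-List
if ($result.Hardened) { Write-Output 'Logon-desktop screensaver configuration matches the recommended state.' }
else { $result.Findings | ForEach-Object { Write-Output "FINDING: $_" } }
if ($Remediate -and -not $result.Hardened) {
    Set-LogonScreensaverDisabled
    Write-Output 'ScreenSaveActive set to 0 under HKEY_USERS\.DEFAULT.'
}
```

Run it as a script file so the trailing `param` block is honoured, for example `.\Audit-LogonScreensaver.ps1` to report and `.\Audit-LogonScreensaver.ps1 -Remediate` to also apply the post's setting. The signature check is the part worth keeping in a fleet-wide baseline: a replaced logon.scr of the kind the post describes fails it even when ScreenSaveActive has been set back to 1.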