Everhart, Glenn
From: Demetrius Metsos [demet@global.co.za]
Sent: Friday, December 04, 1998 3:57 AM
To: ntsecurity@iss.net
Subject: [NTSEC] Recovering The Admin Password From Nt

---------------------------------------------------------------------------

HOW TO RECOVER THE ADMIN PASSWORD

One of the NT administrator's worst nightmares is a lost domain administrator password. There is a widespread myth that it is impossible to recover from this situation. Actually, it is not that hard to recover from. You just have to install NT in a different directory to gain access to the system. You can remove it later and delete it from the boot.ini, but an emergency boot directory comes in handy and I usually leave it there.

This process was tested on an NT 4.0 primary domain controller.

1. Shut the primary domain controller down and load the NT install disks. If you cannot shut it down gracefully, unplug the network cable and wait a few minutes before hitting the reset button, and make sure to chkdsk /f the disks when you are done.

2. Boot from the NT installation disks. Perform a new install in a different directory on the system drive. For example, if the existing system is called C:\WINNT, install in C:\WINEMRG.

3. Boot the system from C:\WINEMRG. You now have access to your system disk. If necessary, use an NT boot floppy to start up from C:\WINEMRG.

4. Copy SRVANY.EXE from the resource kit to C:\TEMP.

5. Run REGEDT32.EXE. Bring up the "HKEY_LOCAL_MACHINE on Local Machine" window and highlight the root (HKEY_LOCAL_MACHINE). Choose Registry / Load Hive. In the File Name box, enter (the ending period is required):

   C:\WINNT\SYSTEM32\CONFIG\SYSTEM.

   and click Open. At the Key Name prompt enter DomainSystem and click Ok.

6. Now write down the value of the key:

   HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\ImagePath

   On my machine it was: %SystemRoot%\system32\spoolss.exe

   Change this key to C:\TEMP\SRVANY.EXE

7. Go to the key:

   HKEY_LOCAL_MACHINE\DomainSystem\ControlSet001\Services\Spooler\Parameters

   Create two values in the Parameters folder:

   Name: Application
   Type: REG_SZ
   Value: C:\WINNT\SYSTEM32\NET.EXE

   Name: AppParameters
   Type: REG_SZ
   Value: user Administrator newsecret

   where "newsecret" is the domain administrator password you want to set. You can choose any password, of course.

8. Now shut the system down and reboot the domain controller. Wait a minute after the CTRL-ALT-DEL prompt comes up, then log on as domain administrator with the new password you set above.

9. Go into REGEDT32.EXE to undo your changes. Remove the values:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\Application
   and
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters\AppParameters

   Change the value

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath

   back to the original you wrote down above. Stop and start the spooler service to re-enable your printers.

How this process works

By reinstalling in a different directory, you gain access to your files without destroying your domain controller. The Load Hive command allows you to load a file into the registry and edit it. SRVANY is used to execute a "net user" command to change the password when the system starts up. The LocalSystem account, under which the spooler and most other services run, has the power to change a password on the local machine. As far as a domain controller is concerned, domain accounts are local.

Demetrius Metsos
Security Administrator
Information Technology Maintenance Services
demet@global.co.za
Tel: +27 82 921 1831

Demetrius Metsos BiGDoM
"And so, may evil beware, and may good dress warmly and eat fresh vegetables"
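The procedure leaves a distinctive footprint in the Services key: an ImagePath redirected to SRVANY.EXE plus Application and AppParameters values under Parameters. The following Python check is an added example, not part of the original post; it parses a constructed REGEDIT4-style export of the Services key (the export text and the Browser entry are assumed sample data) and flags every service wrapped that way, so an administrator can confirm the clean-up in step 9 was completed or notice a service that somebody else has wrapped with SRVANY.

```python
"""Added example: flag services whose ImagePath is SRVANY.EXE or that carry
SRVANY Parameters\\Application values in a REGEDIT4-format export."""
import re
from pathlib import PureWindowsPath

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample export: Spooler wrapped as in the post, Browser untouched.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\TEMP\\SRVANY.EXE"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters]
"Application"="C:\\WINNT\\SYSTEM32\\NET.EXE"
"AppParameters"="user Administrator newsecret"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"ImagePath"="%SystemRoot%\\system32\\services.exe"
"""

def parse_reg_export(text):
    """Parse a minimal REGEDIT4 export into {key_path: {name: value}}.
    Only REG_SZ values ("name"="value") are kept; dword and binary are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg files double backslashes and escape quotes
                keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys

def _image_exe(image_path):
    """Executable file name from an ImagePath, honouring a quoted path with spaces."""
    s = image_path.strip()
    s = s[1:].split('"', 1)[0] if s.startswith('"') else s.split()[0]
    return PureWindowsPath(s).name.lower()

def find_wrapped_services(keys):
    """Return (service, reason, detail) tuples for services wrapped by SRVANY."""
    findings = []
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES_PREFIX.upper() + "\\"):
            continue
        parts = path[len(SERVICES_PREFIX) + 1:].split("\\")
        if len(parts) == 1 and "ImagePath" in values and _image_exe(values["ImagePath"]) == "srvany.exe":
            findings.append((parts[0], "ImagePath points to SRVANY", values["ImagePath"]))
        elif len(parts) == 2 and parts[1].lower() == "parameters" and "Application" in values:
            cmd = (values["Application"] + " " + values.get("AppParameters", "")).strip()
            findings.append((parts[0], "SRVANY Parameters present", cmd))
    return findings

if __name__ == "__main__":
    for service, reason, detail in find_wrapped_services(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{service}: {reason}: {detail}")
```

On a live system the same check applies to a `regedit /e` export of the Services key; either finding after step 9 means the spooler was not restored.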