Hi y'all,
At a yard sale the other day, about 75 miles from home, I found a nice desktop computer at an irresistible price. But, when I took it to a nearby friend's house, after replacing a dead power supply fan and renewing the thermal compound on the CPU, I was confronted with the roadblock shown in the photo below, a demand for an XP password (the seller, the former owner's father, did not know the password, and the former owner is now a missionary in Brazil, unavailable):
So, since I wanted to be able to dual-boot Puppy and XP, the challenge was to find a way to crack that password. The subject has been covered before on this forum at
http://www.murga-linux.com/puppy/viewtopic.php?p=145995
but this solution requires you to have the XP install CD, and at
http://www.murga-linux.com/puppy/viewtopic.php?t=24751
but this solution requires OphCrack, about which see below.
A little Google'ing found this website, which lists seven free XP password crackers available as ISO bootable-CD images.
First I tried OphCrack. OphCrack requires you to download one or more hash tables, from here. The smallest OphCrack hash table for XP is 380 MB in size, and that one alone did not succeed in cracking the password, and I did not care to download further, even larger hash tables. For a truly fiendish XP password it is possible for OphCrack to require up to 16 GB in downloaded hash files. Toooooo much. So...adios, OphCrack.
Second I tried Kon-Boot. Kon-Boot comes with a large set of drivers to cover every possible hard disk controller. But when I selected the driver for this computer's (sata-nv) controller, I was thrown into an endless loop. Eventually I managed to hack the Kon-Boot script to force the disk controller driver to load and get out of the loop, but then I received an error message to the effect that this driver's header is in an incorrect format. So, adios Kon-Boot.
Third I tried Offline Windows Password & Registry Editor. With a modest amount of editing of three of its scripts, I was able to get OWP&RE to do the job of deleting the passwords and resetting the "disabled/locked" flags on the two vital accounts, Administrator and the user whose name is shown in the above screen photo. Woo-hoo, success; I was at long last able to log onto XP, become Administrator, and create an account with a username more to my liking.
I have decided to share the fruits of my labors with the Puppy community. *Usual disclaimer warnings*:
1. It worked on mine but it may not work on yours; and, I *think* I packaged all the necessary files in this PET...
2. In making my edits I *assumed* that XP resides on an NTFS partition;
3. I *also assumed* that the NTFS partition with XP on it is already mounted. I accomplished this by using Puppy Universal Installer to install the Puppy I had onto sda1, booting into that frugal install, shutting down and creating a savefile, then rebooting into that Puppy (which now automatically mounts the NTFS XP partition as /initrd/mnt/dev_save) and running the modified OWP&RE.
4. I do not know what will happen if you try it on a non-NTFS XP install.
5. I do not know what will happen if you try it on an NTFS partition on which a frugal install of Puppy does not reside (whether you mount the partition first or not).
6. OWP&RE *claims* to be able to work with Vista but I have not tried this.
I take no responsibility for anything bad that happens. What. So. Ever.
What's in this PET:
The PET package attached provides a new subdirectory, /scripts, which contains the OWP&RE scripts. I edited the three scripts disk.sh, path.sh, and write.sh to eliminate a silly "verify that this *really is* an NTFS partition" check, which requires a binary executable Puppy does not provide (ntfs-3g.probe), and to bring OWP&RE's disk-and-subdirectory naming conventions into accord with Puppy's. If you want to examine my edits, you can compare /scripts/disk.sh with disk.sh-original and search the three scripts disk.sh, path.sh and write.sh for comments including the string "by SHS".
This PET also adds into Puppy the following three files:
1. In /usr/bin:
-- cpnt (writes contents of memory to a file in an NTFS partition)
-- chntpw (utility for resetting or blanking local NT/XP/Vista passwords)
The above two executables are from SystemRescueCd version x86-1.6.3.
2. In /usr/lib:
-- libntfs-3g.so.80, a symlink to the library /usr/lib/libntfs.so.10.0.0. If your Puppy has a different version of libntfs.so.n.n.n then you must make the symlink point to that.
How to use this PET to overcome an unknown XP password:
1. Create a frugal install of Lucid Puppy 5.20 or newer on the XP partition, using Puppy Universal Installer (and Grub4DOS Bootloader Config if Grub is not already installed).
2. Reboot into this new Puppy install, shut down, create a savefile.
3. Reboot again into the new Puppy install. Install the attached PET.
NOTE: If the Windows subdirectory system32/config resides somewhere other than in /initrd/mnt/dev_save/WINDOWS then you will need to edit the "DSK=" lines in path.sh and write.sh; case matters. If the WINDOWS subdirectory shows as "windows" then you will need to edit the defroots= and defpath= lines in path.sh.
4. Open a console (rxvt or what-have-you) window and issue:
# cd /scripts
# ./main.sh
=========================================================
There are several steps to go through:
- Disk select with optional loading of disk drivers
- PATH select, where are the Windows systems files stored
- File-select, what parts of registry we need
- Then finally the password change or registry edit itself
- If changes were made, write them back to disk
DON'T PANIC! Usually the defaults are OK, just press enter
all the way through the questions
=========================================================
¤ Step ONE: Select disk where the Windows installation is
=========================================================
/scripts/diskscan.sh: line 7: mdev: command not found
Disks:
Disk /dev/sda: 250.0 GB, 250059350016 bytes
Disk /dev/sdb: 2000.3 GB, 2000398934016 bytes
Candidate Windows partitions found:
1 : /dev/sda1 238472MB BOOT
Please select partition by number or
q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy / usb
a = show all partitions found
l = show propbable Windows (NTFS) partitions only
Select: [1] (NOTE: I simply pressed Enter here two times. I found that simply pressing Enter once, or pressing 1 once, didn't work. Dunno why. But entering either the candidate Windows partition number or pressing Enter twice works.)
Please select partition by number or
q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy / usb
a = show all partitions found
l = show propbable Windows (NTFS) partitions only
Select: [1]
Please select partition by number or
q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy / usb
a = show all partitions found
l = show propbable Windows (NTFS) partitions only
Select: [1] q
=========================================================
¤ Step TWO: Select PATH and registry files
=========================================================
DEBUG path: WINDOWS found as WINDOWS
DEBUG path: system32 found as system32
DEBUG path: config found as config
DEBUG path: found correct case to be: WINDOWS/system32/config
What is the path to the registry directory? (relative to windows disk)
[WINDOWS/system32/config] :
DEBUG path: WINDOWS found as WINDOWS
DEBUG path: system32 found as system32
DEBUG path: config found as config
DEBUG path: found correct case to be: WINDOWS/system32/config
total 25208
-rwxrwxrwx 1 root root 262144 2011-08-28 07:56 default
-rwxrwxrwx 1 root root 262144 2011-08-28 07:56 SAM
-rwxrwxrwx 1 root root 262144 2011-08-28 07:56 SECURITY
-rwxrwxrwx 1 root root 17563648 2011-08-28 07:56 software
-rwxrwxrwx 1 root root 4718592 2011-08-28 07:56 system
drwxrwxrwx 1 root root 4096 2006-05-05 06:24 systemprofile
-rwxrwxrwx 1 root root 262144 2006-05-02 22:35 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] : 1
Selected files: sam system security
Copying sam system security to /tmp
=========================================================
¤ Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.6 100627 (vacation), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 242/19568 blocks/bytes, unused: 7/4816 blocks/bytes.
Hive <system> name (from header): <SYSTEM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
Page at 0x463000 is not 'hbin', assuming file contains garbage at end
File size 4718592 [480000] bytes, containing 1016 pages (+ 1 headerpage)
Used for data: 85881/4512688 blocks/bytes, unused: 1703/50512 blocks/bytes.
Hive <SECURITY> name (from header): <emRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0xc000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 920/41808 blocks/bytes, unused: 6/2896 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <SAM> <system> <SECURITY>
1 - Edit user data and passwords
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> 1
===== chntpw Edit User Info & Passwords ====
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03ec | ASPNET | | dis/lock |
| 03eb | Gabe | ADMIN | dis/lock |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03ea | SUPPORT_388945a0 | | dis/lock |
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] (NOTE: I pressed Enter)
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 43, while max tries is: 0
Total login count: 0
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] > 4
Unlocked!
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] (NOTE: I pressed Enter)
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] . (NOTE: I pressed period (.), then Enter)
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | *BLANK* |
| 03ec | ASPNET | | dis/lock |
| 03eb | Gabe | ADMIN | dis/lock |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03ea | SUPPORT_388945a0 | | dis/lock |
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Gabe
RID : 1003 [03eb]
Username: Gabe
fullname: gaben
comment :
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 1, while max tries is: 0
Total login count: 93
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] > 4
Unlocked!
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] Gabe
RID : 1003 [03eb]
Username: Gabe
fullname: gaben
comment :
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 93
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] .
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | *BLANK* |
| 03ec | ASPNET | | dis/lock |
| 03eb | Gabe | ADMIN | *BLANK* |
| 01f5 | Guest | | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03ea | SUPPORT_388945a0 | | dis/lock |
Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <SAM> <system> <SECURITY>
1 - Edit user data and passwords
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] -> q
Hives that have changed:
# Name
0 <SAM> - OK
=========================================================
¤ Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y
cat: /tmp/fs: No such file or directory
cat: /tmp/disk: No such file or directory
Writing SAM
***** EDIT COMPLETE *****
You can try again if it somehow failed, or you selected wrong
New run? [n] : n
=========================================================
* end of scripts.. returning to the shell..
* Press CTRL-ALT-DEL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.sh'
#
Disclaimer: I am by no means an expert in the XP password cracking arena, so don't expect me to provide tech support. This is the result of much trial-and-error and what I consider to be a series of lucky guesses. If it doesn't work for you, try posting a detailed description of what you did, but *it's likely I won't help you*, as my time these days is very limited. Et cetera et cetera et cetera. However, maybe someone more versed in the subject will happen along.
I wish you the best of luck with it,
Now go forth and multiply those dual-booting XP+Puppy machines...
SHS
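Added example, not part of SHS's post and not the actual path.sh from Offline Windows Password & Registry Editor: the case matching that Step TWO's "DEBUG path: WINDOWS found as WINDOWS" lines perform, written in Python. An ntfs-3g mount is case-sensitive by default, so under Linux WINDOWS/system32/config and Windows/System32/Config are different paths even though XP treats them as the same directory; that is why the NOTE under step 3 says case matters and why a "windows" directory needs the defroots=/defpath= edit. The resolver walks the path one component at a time, taking an exact-case entry when there is one and otherwise a single case-insensitive match, then looks for the three hives the "Password reset" choice loads (sam, system, security). The directory tree, the temp-directory root and every function name here are constructed for the demo; the WINNT lookup simply shows the not-found case.

```python
"""Added example: resolve the Windows registry directory on a case-sensitive Linux mount
and check that the three hives the 'Password reset' choice needs are present. Not part of
SHS's post or of OWP&RE's path.sh; the sample directory tree is constructed."""
import os
import shutil
import tempfile

REQUIRED_HIVES = ("sam", "system", "security")  # what Step TWO loads for option 1


def resolve_ci(root, relpath):
    """Return relpath with every component in the case the filesystem really uses, or
    None if a component is missing. An exact-case entry wins; otherwise exactly one
    case-insensitive match is accepted (two entries differing only by case is ambiguous)."""
    cur = root
    found = []
    for comp in relpath.strip("/").split("/"):
        try:
            entries = os.listdir(cur)
        except OSError:
            return None
        if comp in entries:
            match = comp
        else:
            cands = [e for e in entries if e.lower() == comp.lower()]
            if len(cands) != 1:
                return None
            match = cands[0]
        found.append(match)
        cur = os.path.join(cur, match)
    return "/".join(found)


def find_hives(root, config_rel="WINDOWS/system32/config"):
    """(resolved config dir, {hive: real filename or None}) for the required hives."""
    cfg = resolve_ci(root, config_rel)
    if cfg is None:
        return None, {}
    entries = os.listdir(os.path.join(root, cfg))
    mapping = {}
    for hive in REQUIRED_HIVES:
        cands = [e for e in entries if e.lower() == hive]
        mapping[hive] = cands[0] if len(cands) == 1 else None
    return cfg, mapping


def make_sample_tree(base):
    """Constructed layout imitating an XP system partition: mixed-case directory names,
    hive files named as in the post's listing (SAM, system, SECURITY, ...)."""
    cfg = os.path.join(base, "Windows", "System32", "Config")
    os.makedirs(cfg)
    for name in ("default", "SAM", "SECURITY", "software", "system"):
        with open(os.path.join(cfg, name), "wb") as f:
            f.write(b"regf")       # placeholder content; only the names matter here
    return base


def demo():
    """Build the sample tree in a temp dir, run the resolver, clean up, return results."""
    base = tempfile.mkdtemp(prefix="xpdisk-")
    try:
        make_sample_tree(base)
        return {
            "hives": find_hives(base),                             # default OWP&RE path
            "mixed": resolve_ci(base, "windows/SYSTEM32/config"),  # any case works
            "winnt": resolve_ci(base, "WINNT/system32/config"),    # NT4/2000 name: absent here
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-6s %r" % (key, value))
```

Point it at a real mount (for instance /initrd/mnt/dev_save, as in the post) with find_hives(root) and it returns the directory in the case that is actually on disk, which is the string that belongs in the DSK=/defpath= lines; a None for any hive means the partition is not the XP system partition, or the hives are not where the default path expects.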
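Added example, not part of SHS's post and not code from chntpw: a small parser for what chntpw prints in Step THREE when it loads a hive, plus a decoder for the "Account bits" word it shows for each user. It reads the "regf" header (hive name, root key cell offset, the two sequence numbers, the header checksum), walks the 4 KiB "hbin" pages until it meets a page that is not a bin (the "Page at 0x... is not 'hbin'" line) and names the bits set in the 16-bit ACB word, which lives at offset 0x38 of the user's F value in the SAM. The hive here is constructed: a valid header, two empty bins and a zero page, so it has no keys or users; a real SAM would need a cell walker on top of this. Two details worth knowing before writing a hive back: the name field keeps only the last 31 characters of the path (which is why the transcript shows <emRoot\System32\Config\SECURITY>), and unequal sequence numbers mean the last write to the hive never completed, for example because XP was hibernated rather than shut down, which is exactly the state in which an offline edit can corrupt the hive. Note also that in the transcript the word stays 0x0210 before and after option 4, while "Failed login count" drops from 43 to 0.

```python
"""Added example: parse a 'regf' hive header and walk its hbin pages, reproducing the
figures chntpw prints when it loads SAM/system/SECURITY, and decode the SAM 'Account
bits' word. Not part of SHS's post or of chntpw; the sample hive is constructed."""
import struct

PAGE = 0x1000  # the header is one 4 KiB page; hbins start at 0x1000 and are 4 KiB multiples

# ACB (account control) bits, labelled as chntpw prints them in its "Account bits" table.
# They are the 16-bit word at offset 0x38 of the user's F value under SAM\...\Users\<RID>.
ACB_FLAGS = [
    (0x0001, "Disabled"),        (0x0002, "Homedir req."),    (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"),  (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."),  (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),
]


def decode_acb(bits):
    """Names of the flags set in an ACB word, e.g. 0x0210 -> Normal account + Pwd don't expir."""
    return [name for mask, name in ACB_FLAGS if bits & mask]


def header_checksum(data):
    """XOR of the 127 little-endian dwords preceding the checksum field at 0x1FC."""
    x = 0
    for (word,) in struct.iter_unpack("<I", data[:0x1FC]):
        x ^= word
    return x


def parse_hive(data):
    """Header fields plus an hbin page walk; stops at the first page that is not 'hbin'."""
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", data, 0x04)
    root_off, bins_size = struct.unpack_from("<II", data, 0x24)
    # 64-byte UTF-16LE field holding the tail of the hive's path (31 chars + NUL)
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    info = {
        "name": name,
        "dirty": seq1 != seq2,                 # unequal: last write never completed
        "checksum_ok": header_checksum(data) == struct.unpack_from("<I", data, 0x1FC)[0],
        "root_key_offset": PAGE + root_off,    # chntpw prints "ROOT KEY at offset: 0x001020"
        "hbins_data_size": bins_size,
        "file_size": len(data),
        "pages": 0,
        "garbage_at": None,
    }
    off = PAGE
    while off + 0x20 <= len(data):
        if data[off:off + 4] != b"hbin":
            info["garbage_at"] = off           # "Page at 0x... is not 'hbin'"
            break
        bin_off, bin_size = struct.unpack_from("<II", data, off + 4)
        if bin_off != off - PAGE or bin_size == 0 or bin_size % PAGE:
            raise ValueError("inconsistent hbin header at 0x%x" % off)
        info["pages"] += bin_size // PAGE
        off += bin_size
    return info


def build_sample_hive(path, n_bins=2, trailing_pages=1):
    """Constructed hive: valid header, n_bins empty 4 KiB bins, then zero-filled pages
    standing in for the slack that makes chntpw report 'garbage at end'."""
    hdr = bytearray(PAGE)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 0x04, 7, 7)                 # equal sequence numbers: clean
    struct.pack_into("<IIII", hdr, 0x14, 1, 5, 0, 1)         # major 1, minor 5, primary file
    struct.pack_into("<II", hdr, 0x24, 0x20, n_bins * PAGE)  # root cell at bin offset 0x20
    hdr[0x30:0x70] = path[-31:].encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 0x1FC, header_checksum(hdr))
    bins = bytearray()
    for i in range(n_bins):
        b = bytearray(PAGE)
        b[0:4] = b"hbin"
        struct.pack_into("<II", b, 0x04, i * PAGE, PAGE)
        struct.pack_into("<i", b, 0x20, PAGE - 0x20)          # one free cell fills the bin
        bins += b
    return bytes(hdr + bins + bytes(PAGE * trailing_pages))


if __name__ == "__main__":
    for path in ("\\SystemRoot\\System32\\Config\\SAM", "\\SystemRoot\\System32\\Config\\SECURITY"):
        h = parse_hive(build_sample_hive(path))
        print("Hive name (from header): <%s>" % h["name"])
        print("ROOT KEY at offset: 0x%06x, dirty=%s, checksum_ok=%s"
              % (h["root_key_offset"], h["dirty"], h["checksum_ok"]))
        print("Page at 0x%x is not 'hbin'; file size %d [%x] bytes, %d pages (+ 1 headerpage)"
              % (h["garbage_at"], h["file_size"], h["file_size"], h["pages"]))
    print("Account bits 0x0210 =", ", ".join(decode_acb(0x0210)))
```

Run parse_hive(open("/path/to/SAM", "rb").read()) on the copy OWP&RE leaves in /tmp before answering "y" at Step FOUR: a dirty hive or a bad checksum is a reason to boot XP once (or let it finish shutting down) before editing, and decode_acb(0x0001) explains at a glance why an account that was "dis/lock" will not log in even with a blank password.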