Change XP Admin password

Linux

I had some reservations about writing this story up at all. A friend at work found an old discarded HP Pavilion on the side of the road, fired it up and couldn’t log in as Administrator because somebody (smart) had changed the normally blank default password for that account. He had already asked several PC-savvy folks to help him get in somehow, to no avail, and had finally decided to impose on me. I love a challenge, and I thought it would be easy, so I hooked the machine up to the KVM at my work desk. I had some ideas about how to go about it, and as usual they included Linux.


As the administrator of a company network that is composed largely of Windows machines, it might seem that cracking the admin password on a Wintel box would be something I wouldn’t want anyone to know how to do. However, I am not your typical ‘network Nazi’ admin, and almost all users are local admins of their own machines. I allow folks to install whatever programs they want, with some simple restrictions: no IE (Internet Explorer), no Outlook (we use Thunderbird), and no AOL or IM transports outside of the company Jabber system. I bend a bit on that for a trusted user who uses Gadu-Gadu to keep in touch with friends in Europe, and for one MSN IM user. Since we’re in a domain environment, there are lots of more important policies in place that local admins can’t override anyway, but sometimes you need to be the local admin to install stuff, or many times to have stuff work AT ALL in Windows (like the UPS WorldShip software, which only works if you’re a local admin!)

Finding an otherwise working machine with an already installed copy of Windows, all drivers installed and software all paid for and waiting to be used, and having no way to log in was just too much of a challenge to pass up. The alternative for my friend would have been to buy another copy of Windows and all the ALREADY PAID FOR software on the machine, and reinstall everything needed to make the otherwise free hardware DO SOMETHING, right? Well, not true if you are willing to use Linux instead; I would never buy Windows again (at least for home use) now that I know better and can get around in most Linuxes. That was not an attractive option for my friend, though, who intended to send the machine back to his nephews in the ‘old country’ and wanted it to work like what they are used to. The machine was slow: a 700MHz Celeron that originally had Windows 98 on it and had been upgraded to Windows XP SP2.

The first thing I tried was just to attempt to log in using a blank password, to verify his story. Then I tried a couple of simple numeric passwords that a lot of people use; no dice. Then I pulled out the big guns. I booted the machine off a Knoppix live CD and opened a terminal window. Since Knoppix automatically mounts all the hard drives read-only, I navigated into the main disk (/mnt/hda1), into the Windows/system32/config directory, and copied out the SAM file. The SAM file holds the local Windows user accounts, their password hashes and local group membership. This is the file to hack into, crack, or hex edit as the case might require. The idea here was to copy the file off the machine onto my USB flash stick (success) and run L0phtCrack against it to attempt to crack the Administrator password by brute force. I let it run and went on with my other work. I checked back about two hours later and still no password! This was a bad sign, since a simple password would already have been guessed. This method might take all day to process and then it still might not work.

I bailed on L0phtCrack and decided to use a small Linux boot floppy instead, called Offline NT Password & Registry Editor. Basically, you boot the machine from the floppy, and it walks you through the process of finding the SAM file and clearing or changing the password for the account of interest. You don’t need to know the password to change it. The wonder of this software is brought to you via the open source chntpw SourceForge project, and it worked well in this case.
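As an added example, not code from the original post, here is the copy step described above done from a shell on the live CD, followed by the hand-off to chntpw. It assumes the Windows partition is mounted read-only at a path like /mnt/hda1 and that a writable destination such as the USB stick is mounted elsewhere; the helper names resolve_ci, is_hive, copy_hives and reset_admin and the sample paths are my own. It goes one step beyond the story in two ways: it resolves the Windows path ignoring case, because Linux is case-sensitive and the same install may appear as WINDOWS/system32/config on one disk and Windows/System32/Config on another, and it copies the SYSTEM hive alongside SAM, since on Windows 2000 and later the hashes in SAM are encrypted under a boot key held in SYSTEM (syskey), so a cracker given SAM alone has nothing to work on.

```shell
#!/bin/bash
# Added example (not from the original post): pull the SAM and SYSTEM hives
# off a Windows partition that a live CD such as Knoppix has mounted
# read-only, sanity-check them, and hand the copies to chntpw.
# Mount points, paths and helper names are assumptions for illustration.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Resolve a path under a Windows tree ignoring case, one component at a
# time. Prints the resolved path, or returns 1 if any component is missing.
resolve_ci() {
    local base=$1 part entry name found
    shift
    for part in "$@"; do
        found=""
        for entry in "$base"/*; do
            [ -e "$entry" ] || continue
            name=${entry##*/}
            if [ "$(lower "$name")" = "$(lower "$part")" ]; then
                found=$entry
                break
            fi
        done
        [ -n "$found" ] || return 1
        base=$found
    done
    printf '%s\n' "$base"
}

# Every registry hive starts with the 4-byte signature "regf". Checking it
# catches a wrong or empty file before hours of cracking are wasted on it.
is_hive() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "regf" ]
}

# Copy SAM and SYSTEM from the mounted Windows tree MOUNT into DEST (a
# writable location such as the USB stick). SYSTEM is needed as well as SAM:
# the hashes in SAM are encrypted under the boot key kept in SYSTEM (syskey).
copy_hives() {
    local mount=$1 dest=$2 config hive src
    config=$(resolve_ci "$mount" windows system32 config) || return 1
    mkdir -p "$dest"
    for hive in sam system; do
        src=$(resolve_ci "$config" "$hive") || return 1
        is_hive "$src" || return 1
        cp "$src" "$dest/$(upper "$hive")"
    done
}

# chntpw rewrites the hive in place, so point it at the copy in DEST (or at
# the partition after remounting it read-write), never at the read-only mount.
# -l lists the accounts in the hive; -u opens the interactive menu for one
# account, where option 1 blanks its password and q then y writes the hive.
reset_admin() {
    local dest=$1
    command -v chntpw >/dev/null 2>&1 || { echo "chntpw not installed" >&2; return 2; }
    chntpw -l "$dest/SAM" &&
    chntpw -u Administrator "$dest/SAM"
}

# Typical use on the live CD (constructed paths; adjust to the real mounts):
#   copy_hives /mnt/hda1 /mnt/sda1/hives && reset_admin /mnt/sda1/hives
```

Blanking the password rather than setting a new one is what chntpw recommends on XP, and either way an offline reset cuts the account off from anything it had encrypted with EFS and from any credentials it had stored, because those keys are protected by the old password; on a machine being scrubbed of the previous owner's data anyway, that is no loss.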

I removed the machine from the old user’s company domain and changed the name of the PC. I checked for personal documents on the disk and found the machine to be pretty clean: only one Word document of a personal nature, which I deleted. Needless to say, my friend was ecstatic, since he could now provide a working system to his family back home without having to pay AGAIN for software that was legally installed on the machine and still worked fine. Although I would have preferred to wipe the machine and install some variety of Linux, I can understand why he would be hesitant, but I thought it ironic that it was only possible to freely continue using the installed Windows software on the machine because of Linux and open source software.
