The ultimate guide to recovering lost Windows passwords.

Users most commonly protect data on their systems with a standard Windows password.

This is a good first step that keeps out the average user, but it can be circumvented in just a few minutes. Find out what I'm talking about on "The Screen Savers" when I give you the ultimate guide to recovering lost Windows passwords.

Where oh where is my password?

Windows 2000 and XP passwords are stored in a file called SAM (Security Accounts Manager), located in the windows\system32\config directory. Passwords are not kept in clear text: the SAM holds an encrypted hash of each one, and a hash looks something like this: 8F J7 F3 GK S3 lL O4 E1 G9. To figure out your lost password, you have to extract the encrypted hash from SAM and crack it. Windows keeps the SAM file locked while it is running, which is why the steps below boot from a Linux CD instead.

To crack or not to crack?
Before you proceed, you must make a decision. Do you want to recover the old Windows password, or do you want to reset the password? If you want to reset it, use a nice little utility called ntpasswd. Ntpasswd uses password hash insertion: it writes a new password hash that you've created into the SAM. This works great, but remember, if you have encrypted anything using the Windows Encrypting File System (EFS), you will need the original user password, because the keys that protect those files are derived from it and an offline reset leaves them unreadable. That means you have to crack the password.

Cracking Windows passwords
To crack a Windows password you first need to extract its hash from SAM.
  1. Boot with Knoppix STD (a security-oriented Knoppix live CD) and launch a shell.
  2. From the shell, you can see all of your NTFS partitions through the Linux NTFS driver built into Knoppix STD.
  3. Navigate to the windows\system32\config directory.
  4. Copy the SAM and system files to a cheap USB thumbdrive.
  5. Take both files to another Windows machine and fire up SAMInside. SAMInside needs the SAM and system files together to extract the encrypted hashes: the hashes inside SAM are encrypted a second time with the SYSKEY, which is stored in the system hive, and SAMInside uses it to undo that layer.
  6. Launch LC4 (L0phtCrack 4). It runs dictionary and brute-force attacks against the hashes; once a hash has been matched, the recovered password is displayed.


Questions or comments?

Send me email or visit my forums.