January 30th, 2004, 04:38 PM
Didn't think about that, MsMittens, sure could use rdisk. Gotta love MS and they're love of annonymous access!
January 31st, 2004, 12:01 PM
I am fiddlingaround with my own comp, just wanted to know if the passwords can be recovered.
Since its my own comp, I did the rdisk , got the sam file.
Enough of accusations.
And 4 ur info --> I dont like keeping friends.
\"I\'d hate to have a kid like me\"
January 31st, 2004, 01:00 PM
If syskey is enabled (Windows 2000 + ?) then the hashes are also encrypted in the SAM and cannot normally be read. There are several ways around this.
- Use the running Windows to decrypt the hashes itself - use pwdump2 as localsystem or admin to dump them
- Copy the SAM file into another (non-running) copy of the same version of Windows, boot it, and run pwdump2 on that
- Ask M$ what the encryption algorithm is and where the syskey is stored (not likely to work). It is widely believed that it's in the registry somewhere (although perhaps not in the SAM).
Getting admin or localsystem access without changing the existing administrator password is not too difficult - in practice it's usually just a matter of using an offline registry editor (Google for those three words) to change the default screensaver to cmd.exe. Then you get a localsystem shell which can run pwdump2 with no problem.
Changing the admin password is also a no-brainer, although of course that changes the hash for the administrator's password in SAM. The other accounts can then be dumped of course.
January 31st, 2004, 03:20 PM
Of course, if the guy's worth anything, he also changed the name of the admin account. That's OK though, because it's still easy to find the admin account using the method slarty mentioned to obtain a local system command prompt.