March 4th, 2005, 10:14 PM
WinXP Home SAM damaged?
So, there I am sat in my office today when in walks a user with her home box. The story is that they can't log in any way they try. Questioning proves that they have reasonable internet habits, Norton's Security Suite etc. etc. etc. The fun thing is that this happened before and they didn't know what else to do but to run the repair, (Read: reinstall), CD that, needless to say, lost all their data.
NP, thinks me.... I boot it up and it comes to the welcome screen.... But there are no names... I click around in case someone has been clever enough to hide a username there.... None. I hit CTRL ALT DEL and after doing it 10 times or so up pops the normal login box with "Owner" already typed in the username... I hit enter and bingo, I'm in. Turns out Owner is a limited/guest account. I try the old "AT 3:30pm net localgroup administrators Tiger_Shark /ADD" and get an "Access denied"... POOH!!!
Not to be outdone I get out my Password Reset floppy and boot to it. When I open the SAM I find an "issue".... Users listed:-
HelpDesk, (or whatever it is called)
Mark (Her Hubbie)
Owner (The un-passworded limited/guest account)
Glaringly absent is the Administrator.... It is my understanding that in XP Home the admin can't be deleted, (like any other system), but it can be renamed or reduced in "rank" but only if another user is promoted to admin status.....
I don't believe that these two would mess with this kind of thing.... She is very careful, (call her a worrier), about this though I don't know him..... Bearing in mind that this is the second time this has occurred I have some questions before I start working on it again because when I logged in as him the box all but froze and there wasn't much going on - It wasn't plugged into the network which _may_ have contributed to the freeze.... At this point I decided that since it was already past 4:15 that a trip to the Satellite office and a message posted here might be a wise way to proceed.... So, the questions:
1. Are my assumptions correct about XP home that the Admin can't be deleted?
2. Has anyone seen this behaviour before, (no users listed at "Welcome" screen, no admin account), if so do you have any insight, solutions, theories?
3. While I can't think of any virus that does this I can't pass up the thought of a trojan or other malware..... Anyone hear of any Trojan/Malware that might display similar behaviour?
4. If the SAM is damaged, (thus the no users on the "Welcome" screen), and there is no system recovery set up, (it looks like SP2 and it's on by default there right?), then the SAM can't just be replaced... obviously.... But could it be deleted? Would the system recreate the SAM with a blank admin password or is the system foxxed?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides