
Thread: WinXP Home SAM damaged?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    WinXP Home SAM damaged?

    So, there I am sat in my office today when in walks a user with her home box. The story is that they can't log in any way they try. Questioning proves that they have reasonable internet habits, Norton's Security Suite etc. etc. etc. The fun thing is that this happened before and they didn't know what else to do but to run the repair, (Read: reinstall), CD that, needless to say, lost all their data.

    NP, thinks me.... I boot it up and it comes to the welcome screen.... But there are no names... I click around in case someone has been clever enough to hide a username there.... None. I hit CTRL ALT DEL and after doing it 10 times or so up pops the normal login box with "Owner" already typed in the username... I hit enter and bingo, I'm in. Turns out Owner is a limited/guest account. I try the old "AT 3:30pm net localgroup administrators Tiger_Shark /ADD" and get an "Access denied"... POOH!!!

    Not to be outdone I get out my Password Reset floppy and boot to it. When I open the SAM I find an "issue".... Users listed:-

    HelpDesk, (or whatever it is called)
    Laura (Her)
    Mark (Her Hubbie)
    Owner (The un-passworded limited/guest account)

    Glaringly absent is the Administrator.... It is my understanding that in XP Home the admin can't be deleted, (like any other system), but it can be renamed or reduced in "rank" but only if another user is promoted to admin status.....

    I don't believe that these two would mess with this kind of thing.... She is very careful, (call her a worrier), about this though I don't know him..... Bearing in mind that this is the second time this has occurred I have some questions before I start working on it again because when I logged in as him the box all but froze and there wasn't much going on - It wasn't plugged into the network which _may_ have contributed to the freeze.... At this point I decided that since it was already past 4:15 that a trip to the Satellite office and a message posted here might be a wise way to proceed.... So, the questions:

    1. Are my assumptions correct about XP home that the Admin can't be deleted?

    2. Has anyone seen this behaviour before, (no users listed at "Welcome" screen, no admin account), if so do you have any insight, solutions, theories?

    3. While I can't think of any virus that does this I can't pass up the thought of a trojan or other malware..... Anyone hear of any Trojan/Malware that might display similar behaviour?

    4. If the SAM is damaged, (thus the no users on the "Welcome" screen), and there is no system recovery set up, (it looks like SP2 and it's on by default there right?), then the SAM can't just be replaced... obviously.... But could it be deleted? Would the system recreate the SAM with a blank admin password or is the system foxxed?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    TigerShark,
    I have seen this on a relative's computer. It would also, at times, show the user name but wouldn't accept the password. Sometimes it would allow me to log in without any problems. It was a Compaq that was bought from Walmart. I wanted to blame this on a virus, or SP2. The relative admitted to me that he had been to a few XXX websites. His wife swears it is his fault. I scanned the PC with Norton and AVG. He used McAfee. Nothing was found. Scanned for spyware too. It had the usual stuff...nothing major. I did get it to let me log in, and saved pictures and some documents for them, then reformatted and re-installed the OS. I didn't know what else to do. When I saw this post, it naturally caught my attention. I googled for SP2 problems. I really think it was somehow related to SP2. But SP2 had been installed weeks before the problem occurred. I also wondered if the SAM and System files could have become corrupt from an improper shutdown because that has happened to me in the past on a Windows 2000 box. It appeared to have hung up during shutdown while "saving settings". So I impatiently powered it off. But that caused an error during bootup which identified the files that were damaged. (Sam and System)
    If you solve it, please post your findings.

    Good Luck!

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm pretty sure that this lady isn't a secret porn surfer..... I'm inclined to believe that the husband isn't but I am fully aware that spouses aren't always that honest with each other when it comes to internet use....

    She had pre-contacted me and I told her to tell all the users of the box that I would be "investigating" it and would report to her what the box has been used for and that if they have any "problems" it might be better for them to "come clean" up front rather than have her have to tell them what a "dumbass" they may be.... Yes, they could be lying still, but she brought in the box with a "story" that implied it was all "good".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4

    Cool

    Seen this on a xp pro sp1 box ........................X-FILES????????????
    I did a format and clean install after a few hours trying to figure out what caused it.
    What I remember .....I simply did delete the admin(drunk)..........restart.........still no admin

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    TS,

    Don't know if these will help or not...

    http://www.kellys-korner-xp.com/win_xp_passwords.htm
    Administrator and User Passwords in Windows XP

    http://www.connectedhomemag.com/Home...rticleID=24808
    Where Is Windows XP's Administrator Account?

    http://www.kellys-korner-xp.com/xp_wel_screen.htm

    http://forum.iamnotageek.com/history.../627776-1.html

    if they do, great...if they don't, ignore.




  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Egal:

    Thanks.... The second link is really making me wonder about XP Home, (never really used it). From what it says the admin should be "there" in the SAM but might only be available from safe mode... It wasn't. I tried that... *SIGH*

    The third link will be the first thing I try on monday... Slave the drive off and see what I can mess with...

    You said, in another thread that we won't go back to, that you don't know anything about computers, (paraphrased). Needless to say I received a "You have to spread your AP's around" message a minute ago.....

    Thanks....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    I would've hit him for ya TS, but I don't have near the pounce your ap stack does, and I also received the 'gotta spread 'em around' message... maybe Gore'll happen in and handle it on our behalf.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  8. #8
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    Posts
    258
    One of the things that I've noticed is that it is possible to replace the SAM file with an earlier SAM file of that box. I have a backup of the SAM which I keep on a floppy. In case the SAM file gets messed up somehow, all one needs to do is to replace the SAM using a live CD or just by entering the command prompt mode! A cracked SAM file is one's unlimited passport to the box it was taken from. I'm not sure about deleting the administrator part. But isn't it possible to manually edit the SAM file or something and delete the administrator part???

    Cheers

  9. #9

    Re: WinXP Home SAM damaged?

    I know I'm mostly preaching to the converted here but I'll post it anyway.

    1) Correct & SAFE mode always displays privileged account(ADMIN)
    Originally posted here by Trusted Facility Manual aKa "Administrator's and User's Security Guide"
    Admin
    Cannot change his or her own account type to limited unless there is at least one other user with a computer administrator account. This ensures that there is always at least one user with a computer administrator account on the computer.
    Originally posted here by Tiger Shark
    Has anyone seen this behaviour before, (no users listed at "Welcome" screen, no admin account), if so do you have any insight, solutions, theories?
    2) I'll give a simple theory. An Admin installed some type of jerryrigger spoof login theme (process would be clearly in the taskmanager).

    Originally posted here by Trusted Facility Manual aKa "Administrator's and User's Security Guide" C2 Level Security
    All users should always press ctrl+alt+del before logging on. Trojan horse programs designed to collect account passwords can appear as a logon screen that is there waiting for you. By pressing ctrl+alt+del you can foil these programs and get the secure logon screen provided by Windows NT.

    Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity. For example, viruses can do much more damage if activated from an account with Administrator privileges.

    The key to Windows NT security is the user accounts.

  10. #10
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    Dang !mitationRust! you beat me to it!

    Start into safe mode and there should be a default admin account... also, from a security point of view, you should always give this a password, otherwise it is a huge physical security risk!!
    I am the uber duck!!1
    Proxy Tools
