July 22nd, 2003, 03:13 PM
#5
If you use a utility inside Windows to dump the SAM, like any of the samdump thingies, like pwdump2, it will spit out a passwd-style file which can then be cracked. This will work syskey or not.
Of course you need to get in as admin or localsystem for that, so theoretically you could run an offline registry editor, change the logon screensaver to cmd.exe and dump the SAM from there.
I have tried this on a system in "lab" conditions (my own box, with another OS on too), but it's not something you'll want to do to your system if you don't have a recent backup. There is the obvious danger of breaking something rather important in the registry.
If you don't care about destroying the old admin password, you could always just reset the admin password and get in that way. That's the normal way of getting into forgotten-password systems.
In my test system I was able to quickly retrieve the plaintext passwords after grabbing the SAM with pwdump2. However, my test system had very easily guessable passwords (it's behind a firewall anyway).
I have no idea how quickly it works if you have stronger passwords.
Slarty
PS: This message is not supposed to be a skript kiddies guide to cracking win2k boxes so I have been deliberately vague above.