Recover Windows Password Part 2
Part 2, a continued look at the techniques administrators have tried in order to discover or reset master account passwords...
kira bomba states: I have found out that this method (as described above) doesn't work on a Windows 2000 box. However, you can make it work if you consider the following:

1. It happens that you can't delete the "spoolsv.exe" (Win2000 version of "spoolss.exe") file from your hard disk (usually it's in the \winnt\system32 directory). This file is loaded on start-up and can't be stopped using the Task Manager. As long as you can't stop the corresponding process, you can't delete the file; it's locked by the operating system. Even if you find a way to stop the process you can't delete or substitute the file; Windows will automatically replace it with the default version.

A solution to this problem is to delete the file "offline", i.e. after booting from a DOS floppy. If the hard disk is FAT formatted it will work out just fine. If the hard disk is NTFS formatted you'll need an NTFS driver, like NTFSDOS Pro, downloadable from www.sometips.com/goodstuff/default.htm. When you have booted from a floppy it's no problem any more to delete "spoolsv.exe" or to replace it. Replace with what? In Windows 2000, there is no "usrmgr.exe" nor "musrmgr.exe". Well, compile the following C program, name it "spoolsv.exe" and put it where the original file was:

*****************
#include <stdlib.h>   /* declares system(); the header name was lost in extraction */

int main(void)
{
    system("control userpasswords");
    return 0;
}
*****************

"mmc lusrmgr.msc" instead of "control userpasswords" should work too. When you start Windows next time, as a normal user or as an admin, the User Manager window will open...

Another technique reported on the web which requires a 2nd copy of NT:
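From the defender's side, the substitution described above leaves an obvious trace: the spooler binary is no longer the Microsoft-signed file. The following PowerShell check is an added example, not part of the original article or of any tool it mentions; it assumes Windows 8 / Server 2012 or later, where Get-AuthenticodeSignature also validates catalog-signed OS binaries, and the baseline hash is a placeholder to be taken from a known-good install.

```powershell
# Added example (not from the original article): verify that the print spooler
# binary is the signed Microsoft file rather than an unsigned stand-in.
# Assumption: Windows 8 / Server 2012 or later (catalog-signed OS binaries are
# recognised by Get-AuthenticodeSignature on these versions).
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32\spoolsv.exe')
)

$sig = Get-AuthenticodeSignature -FilePath $Path
$findings = @()

# A replaced binary compiled by hand will show NotSigned or HashMismatch here.
if ($sig.Status -ne 'Valid') {
    $findings += "signature status is '$($sig.Status)'"
}

# Even a valid signature should come from Microsoft for this file.
if ($sig.SignerCertificate -and
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    $findings += "signer is '$($sig.SignerCertificate.Subject)'"
}

# Second line of evidence: compare against the hash of the same file taken from a
# known-good host or install medium. PLACEHOLDER value; fill in from your baseline.
$baseline = '<SHA256-OF-KNOWN-GOOD-spoolsv.exe>'
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($baseline -notlike '<*' -and $hash -ne $baseline) {
    $findings += "SHA256 $hash does not match baseline"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path is the signed Microsoft spooler (SHA256 $hash)"
} else {
    Write-Output "ALERT: $Path looks replaced: $($findings -join '; ')"
}
```

Run it from an elevated prompt on the machine being checked, or point $Path at a mounted offline disk. The signature test is the primary indicator; the hash comparison catches the case where a signed but different binary has been dropped in, and the offline-boot scenario in the text is exactly why the baseline should come from a source the host itself cannot tamper with.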
If you have an old ERD from when you knew the admin password, you could use it during a Windows NT repair install to get back to that point. Just be careful: any accounts created since that point will be lost, and those not lost will have their passwords reset to the old version. A method involving removing the hard disk and placing it in another NT box as an additional drive is documented here. This approach normally works when nothing else will, in most OSs not using encrypting file systems. Guess whether I have tried this approach. Not in NT.

If you have access to current ERD disks or the repair directory, you can use L0phtCrack to access the password hashes and perform a brute-force attack on them. It will break any password (it may take a day or two). L0phtCrack has the advantage that it does not modify the passwords. Additionally, in another context, a run by the administrator against the password hashes using a simple dictionary will give you an idea whether your users' passwords are too weak. See ElCOM for dictionaries that you can download, as well as a significant suite of password breaker software. L0phtCrack can be used as an offline method:
See atips174 if you are unfamiliar with NTFSDOS.EXE.

If you need to break a password set by an application, or perhaps a password for zipped files, see these sites: www.passwordservice.com/ These sites are just a few I am aware of. There are many. Unfortunately, as this article should make you aware, passwords can give one a false sense of security when they are all you have protecting your a$.

As an aside, if you have Win9x and have set a password and forgotten it, you can bypass Windows with F8 during startup and choose the Command Prompt Only option. At the prompt, go to the Windows directory and delete the .pwl files. No password will be required on the next boot. A new password can be set if you wish at Start|Settings|Control Panel|Passwords; click on Change Windows Password.

CMOS/BIOS password info: PC BIOS Security and Maintains Toolkit

Microsoft has reprinted a Windows NT Magazine background article on Where Windows NT Stores Passwords.


