UGN Security Forums UGN Security: Knowledge Base Operating Systems Windows & Windows Security win XP administrator

I am a bit of a newbie to hacking and my dad recently put an account on my computer and made himself system administrator so i can't do much on my account. I was wondering if anyone knew how to take that off and make me system administrator?

does he have his account password protected? if not just log on his name and change your account to an admin too. if he has a password on it, download a keylogger and get his password from that, than log on and change your account.

i can't install the keylogger because only the system administrator can install things. And yes he does have a password!

There's a file in the %systemroot%\WINDOWS\system32\config folder called SAM. This is the file that contains all the users and passes for the machine (or network, depending). It's being run by the SYSTEM so you can't access it directly. There's a prog out there called PWDUMP2 (i think) that will extract the passes out of that file for you to abuse at your leisure. You're gonna need a pass cracker though cause they are encrypted. However, there *MAY* be a copy of the SAM file in the %systemroot%\WINDOWS\repair folder that is not in use. If I remember right, this backup is made during install, so unless your Dad created his acount while Windows was being installed the backup will only have the default account and passwords in it.

sum

i downloaded that program, ran it but i don't know where the password file is located if there is one and i've tried searching for passwd.txt and no results came up! Any suggestions?

Dude, I told ya where to find it. %systemroot% is a way of saying 'whatever drive your windows dir is on', usually the C:\ drive. Go look in there and/or where I said the backup copy was/is. As well read the instructions for that program, just running things blindly will get you absolutely nowhere.

sum

Here, READ THIS FROM TOP TO BOTTOM!!!

PWDUMP2 README

Those are the exact instructions to do what you want. READ IT. And after you read it, READ IT AGAIN to make sure you understand it. If you still don't understand it after that then you shouldn't be messing with this [censored].

sum

i have put the files pwdump2.exe and samdump.dll in C:\WINDOWS\SYSTEM32\config where SAM is located and i ran the file! Now what?

A way that may be easier that I did once when I forgot the admin pass on my NT box (heh, yeah, shutup), was to boot to a floppy, you'll need to use NTFSDOS if your drive is using NTFS, otherwise just boot to a floppy and copy the SAM file to the floppy because the system won't be using it when you are running from the floppy. Then crack the file using LC3 from http://www.l0pht.com (that's a zero)

[censored] u guys, this guy is NEW remember!

I mean pwdump is not a bad choice, but l0pht is not good to him since he cant install [censored] and l0pht is distributed in a commercial installation format.

I suggest booting to safe mode, usually that should not ask you for any pwd, and create a new user. if that dont work return to pwdump.

Also try booting to safe mode without networking that should defiantely do it.

Well it looks like I need to take a little of my own advice. After glancing through the readme file myself I noticed something I have overlooked.

So it would appear that this won't help you at all paleothol.

/me tries to remove foot from mouth and swallow his pride in one motion

So, paleothol, I guess I should apologize for being short with you when the info I was giving you wouldn't even help you anyways.

Sorry paleothol.

sum

No fear, paleothol. What you need is a handy Linux bootdisk with a handy binary on it that will do the hard work for you. The one I'm about to point you to will enumerate the user accounts and let you modify their passwords. What I'd recomend that you do is set a new password for the Administrator account, login as such and add your user account to the Administrator group, and then log in as you. Make sure that you log in and out again as yourself so that your dad doesn't boot up to find the Administrator account as last logon!

Keep in mind, this assumes that he is using an account with Admin privs, but that isn't Administrator. If you change HIS password, he's obviously gonna know about it.

Anyway, this tool actually works with SYSKEY encryption now - pretty handy. Select the "reset NT Password" from the list of bootdisks. Enjoy!