Last month, I wrote about automatically cracking the Windows XP password with Ophcrack. In the article, I revealed the simplicity of downloading the Live-on-CD *.iso Linux distribution file and running it at the computer startup.
But sometimes, it is not even necessary to obtain access to a locked Windows machine by that means. There are even easier ways to access an account in Windows XP. These methods do not even require any downloads or storage media (like CDs or floppy disks) to perform them. The only caveat is that these methods will never reveal the password. They will only reset and change the password to any combination that pleases you.
Microsoft Windows operating systems – all built on or based off of the NT kernel – host several users other than the ones we see everyday like “Mom,” “Dad,” “Sister,” and “Brother.” You rarely ever notice “SYSTEM,” “NETWORK SERVICE,” or “LOCAL SERVICE.” But these unseen automated users work with us everyday to ensure that everything runs smoothly. Since every program cannot be run with a user executing it, the Windows kernel creates artificial users to run these processes.
Want proof? Press Ctrl + Alt + Del (or “Start Menu,” “Run,” and “taskmgr.exe”). Then click the “Processes” tab. Make sure “Show processes from all users” is checked at the bottom. If your current user is in the “administrators” group policy, you can see these hidden entities.
Want more proof? Go to the “Start Menu.” Click “Run.” Type in “control userpasswords2” and see what happens. You’ll probably discover the “ASPNET” user. Most of these hidden entities fall under the administrator group policy, which pretty much gives them full reign on your system. Their privileges are the Linux equivalent to the “root” user. By exploiting these hidden users, you can force them to change or reset (clear) the password of any other users or administrators.
I’ll be focusing on two different methods involving the hidden users “Administrator” and “SYSTEM.”
Plan A: “Administrator” User
The “admin” method” is pretty straightforward. On many Windows XP systems, especially on the Home editions preconfigured by third-party OEM manufactures like Dell and Compaq, the installation creates a user called “Administrator” with, of course, administrator group policy privileges. It creates this user so consumers can fix what they’ve messed up if locked out of their accounts. This user can only be accessed in safe more. Conveniently, it is not password protected at all!
- Just restart the computer. In between the appearance of the BIOS POST screen and the Windows XP boot screen, alternate pressing Ctrl and F8.
- The Windows boot menu should appear. Select any “safe mode.”
- On the login screen, you should see “Administrator.” If you don’t, press Ctrl + Alt + Del twice and manually enter the “Administrator” in without at password.
- Once successfully logged in, go to the “Control Panel” and make necessary modifications to the user profiles.
If you are stuck at any of these steps or if it flat-out does not work, you’ll have to switch to “Plan B” … not the morning after pill.
Plan B: “SYSTEM” User
There are many variations of this method. Basically, you gain control of the “SYSTEM” user, which is the highest user on the power hierarchy. The two main ones involve either the windows internal scheduling system or the screensaver. There are a couple of requirements for this method. First, you will need any type of user access, be it Limited User or Guest. Second, either the scheduling system has to be enabled or the screen saver has to be configured. Lastly, Windows cannot be patched. I’m pretty sure Microsoft would have plugged the hole since this discovery was a breakthrough in the tech world last year.
The “AT” command schedules the operating system to run programs automatically. For example, if you want the operating system to make a backup of a crucial file or if you want the operating system to update the dynamic DNS provider with the current IP address, “AT” is at your command. It is the windows equivalent to the *nix cron command. The loophole is who runs the program when it is time to execute it. The “SYSTEM” user runs the command instead of the original user. So, if you schedule the OS to run “cmd” in the next minute, you’ll get the console DOS prompt for the “SYSTEM” user.
- Go to “Start Menu” then “Run”
- Type in “cmd.exe”
- In the command prompt type “at 4:25pm /interactive cmd.exe” replacing the time with the next minute.
- When the new command prompt appears, type “net user username password” replacing “username” with your target user and “password” with the password combination that you want to set.
Screen Saver Variation
When it is time for Windows to display the screen saver, the SYSTEM runs the screensaver file (which is pretty much an *.exe file renamed *.src). If you replace the default screensaver file with the cmd.exe file, again, you will obtain access to the “SYSTEM” console.
- Go to “Start Menu” then “Run”
- Type in “cmd.exe”
- Type “cd\”
- Type “cd\windows\system32”
- mkdir temphack
- copy logon.scr temphack\logon.scr
- copy cmd.exe temphack\cmd.exe
- del logon.scr
- rename cmd.exe logon.scr
The next time the screen saver is supposed to run, the command prompt will display. Then you can type “net user username password” replacing “username” with your target user and “password” with the password combination that you want to set.
Plan C (or the Nth Plan)
If you still are unable to crack the password. It’s time to bust out a CD and burn Ophcrack. Read my previous article on the specifics. But if your file system is an EFS (encrypted file system), you’re pretty much out of luck. The file system is encrypted with the Windows password. If you reset the password, you loose access to the files. Sorry, but that’s the way the cookie crumbles!
Good Luck! If you have any problems, check my references.
- Windows XP Privilege Escalation Exploit
- How to gain access to system account the most powerful account in Windows
- How to Break Into a Password Protected Windows XP
- How to Hack a Window XP Admins Password