Change or Reset Any Windows XP Password

Categories: Impress Your Friends, Grey Hat, Passwords and Keys, Windows
Last month, I wrote about automatically cracking the Windows XP password with
Ophcrack. In the article, I revealed the simplicity of downloading the Live-on-CD *.iso
Linux distribution file and running it at the computer startup.
But sometimes, it is not even necessary to obtain access to a locked Windows machine by
that means. There are even easier ways to access an account in Windows XP. These
methods do not even require any downloads or storage media (like CDs or floppy disks)
to perform them. The only caveat is that these methods will never reveal the password.
They will only reset and change the password to any combination that pleases you.

Hidden Users
Microsoft Windows operating systems - all built on or based off of the NT kernel - host
several users other than the ones we see everyday like Mom, Dad, Sister, and
Brother. You rarely ever notice SYSTEM, NETWORK SERVICE, or LOCAL
SERVICE. But these unseen automated users work with us everyday to ensure that
everything runs smoothly. Since every program cannot be run with a user executing it,
the Windows kernel creates artificial users to run these processes.
Proof
Want proof? Press Ctrl + Alt + Del (or Start Menu, Run, and taskmgr.exe). Then
click the Processes tab. Make sure Show processes from all users is checked at the
bottom. If your current user is in the administrators group policy, you can see these
hidden entities.

Want more proof? Go to the Start Menu. Click Run.

Type in control userpasswords2 and see what happens. Youll probably discover the
ASPNET user. Most of these hidden entities fall under the administrator group policy,
which pretty much gives them full reign on your system. Their privileges are the Linux
equivalent to the root user. By exploiting these hidden users, you can force them to
change or reset (clear) the password of any other users or administrators.
Ill be focusing on two different methods involving the hidden users Administrator and
SYSTEM.
Plan A: Administrator User
The admin method is pretty straightforward. On many Windows XP systems,
especially on the Home editions preconfigured by third-party OEM manufactures like
Dell and Compaq, the installation creates a user called Administrator with, of course,
administrator group policy privileges. It creates this user so consumers can fix what
theyve messed up if locked out of their accounts. This user can only be accessed in safe
more. Conveniently, it is not password protected at all!
1. Just restart the computer. In between the appearance of the BIOS POST screen
and the Windows XP boot screen, alternate pressing Ctrl and F8.
2. The Windows boot menu should appear. Select any safe mode.
3. On the login screen, you should see Administrator. If you dont, press Ctrl + Alt
+ Del twice and manually enter the Administrator in without at password.
4. Once successfully logged in, go to the Control Panel and make necessary
modifications to the user profiles.
If you are stuck at any of these steps or if it flat-out does not work, youll have to switch
to Plan B not the morning after pill.
Plan B: SYSTEM User
There are many variations of this method. Basically, you gain control of the SYSTEM
user, which is the highest user on the power hierarchy. The two main ones involve either
the windows internal scheduling system or the screensaver. There are a couple of

requirements for this method. First, you will need any type of user access, be it Limited
User or Guest. Second, either the scheduling system has to be enabled or the screen saver
has to be configured. Lastly, Windows cannot be patched. Im pretty sure Microsoft
would have plugged the hole since this discovery was a breakthrough in the tech world
last year.
AT Command

The AT command schedules the operating system to run programs automatically. For
example, if you want the operating system to make a backup of a crucial file or if you
want the operating system to update the dynamic DNS provider with the current IP
address, AT is at your command. It is the windows equivalent to the *nix cron
command. The loophole is who runs the program when it is time to execute it. The
SYSTEM user runs the command instead of the original user. So, if you schedule the
OS to run cmd in the next minute, youll get the console DOS prompt for the
SYSTEM user.
1. Go to Start Menu then Run
2. Type in cmd.exe
3. In the command prompt type at 4:25pm /interactive cmd.exe replacing the time
with the next minute.
4. When the new command prompt appears, type net user username password
replacing username with your target user and password with the password
combination that you want to set.

Screen Saver Variation

When it is time for Windows to display the screen saver, the SYSTEM runs the
screensaver file (which is pretty much an *.exe file renamed *.src). If you replace the
default screensaver file with the cmd.exe file, again, you will obtain access to the
SYSTEM console.
1. Go to Start Menu then Run
2. Type in cmd.exe
3. Type cd\

4. Type cd\windows\system32
5. mkdir temphack
6. copy logon.scr temphack\logon.scr
7. copy cmd.exe temphack\cmd.exe
8. del logon.scr
9. rename cmd.exe logon.scr
10. exit
The next time the screen saver is supposed to run, the command prompt will display.
Then you can type net user username password replacing username with your target
user and password with the password combination that you want to set.
Plan C (or the Nth Plan)
If you still are unable to crack the password. Its time to bust out a CD and burn
Ophcrack. Read my previous article on the specifics. But if your file system is an EFS
(encrypted file system), youre pretty much out of luck. The file system is encrypted with
the Windows password. If you reset the password, you loose access to the files. Sorry,
but thats the way the cookie crumbles!