Posted by: kurtsh | November 27, 2006

TOOL: Recovering lost local administrator/user account passwords

Have you ever lost the local administrator password on a workstation or server?  Or maybe just a particular local user account that you really need on a machine?

There’s a service out there that is FREE that will return the actual password of a local account on your workstation/server on the basis of a hash dump from the local Security Account Management (SAM) database.

Note that this is for LOCAL accounts, as in accounts that are created on the local machine, exist nowhere else, and are not recognized by any other system.  This does not apply to domain accounts or Active Directory network-based accounts.  (For those who don’t understand why this doesn’t work for network-based accounts, may I recommend you read the book "Windows Security" by Microsoft Press for the 101 course on password storage?)

The service is free, relatively simple, and works on any machine that has not used Syskey to further protect the machine’s local accounts database.

  1. Create a bootable floppy or a bootable CDROM using a downloadable file from the site.
  2. Boot up the system with the media and let it dump the SAM hash into a file stored on the floppy.  If you’re using the CDROM method, some text will appear on the screen and you’ll have to copy about 200 characters worth of text into a text box on the web site to submit the content.  (Translation:  The floppy is a better solution)
  3. Upload the file or the text to the site, give them your email, and wait 24 hours.  The password should appear in your inbox.  If you want, you can give them $20 and they’ll do it in minutes.

How To Protect Your Workstation from this:
So, wait… how do I stop people from being able to do this?  Well, there are some really simple ways:

  1. Don’t let anyone have physical access to your machine.  Frankly, if someone can get at your machine, they can remove the hard drive.  They can boot up from another form of media.  They can do anything they want.  So don’t let that happen.
  2. If you have a laptop, can’t do that, and you aren’t using Windows Vista, the alternative is to use Syskey, which doubly protects the database that secures the accounts on your machine with a 128-bit key on top of the existing encryption.  More information on how to do this is available here:

Note to EFS users:
First of all, don’t panic.  The fact that the local administrator password is obtainable through simple means does not mean that EFS-encrypted files on an NTFS drive are crackable.

What it does mean is that if your machine is on an Active Directory domain, be sure to use domain accounts as the keyed accounts that are used against EFS-encrypted files and directories.  For recovery, it’s also pretty damned important that your company establish a Public Key Infrastructure (PKI), meaning at least one Certificate Service registered to the Active Directory of the network.  Without a PKI in place, managing "recovery accounts" (accounts used to access encrypted data in the event a person’s account is deleted) is a real chore if not an impossibility.

It also means that if you don’t have an Active Directory-enabled network and your machine is "isolated", EFS encryption isn’t going to help you a whole lot, because the local administrator account is the "recovery account" and should be able to access any EFS-encrypted data on the system regardless of which local account was used.  (Again, network/domain accounts do not apply to this issue, and local administrator accounts can NOT be used to recover EFS files that were encrypted by domain account users.)

If you have to use a local account for whatever reason, be sure to apply Syskey to your workstation by reading about it here:
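The protection advice above (use Syskey, prefer domain accounts for EFS) and the "isolated machine" caveat both come down to two settings an administrator can read off the box. The script below is an added example and is not part of the original post or of the service it describes. It assumes, from documented Windows behaviour rather than from this page, that the Syskey mode is recorded in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot (1 = startup key stored in the registry, 2 = password typed at boot, 3 = key on removable media) and that the Win32_ComputerSystem class reports domain membership; the function names are my own.

```powershell
# Added example, not from the original post: a read-only check of whether this machine
# is in the situation the post warns about (Syskey not in use, local accounts relied on).
# Assumption (documented Windows behaviour, not stated on the page): the Syskey mode lives in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot; 1 = key stored in the registry,
# 2 = password required at boot, 3 = key stored on removable media.

function Get-SyskeyMode {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    switch ($lsa.SecureBoot) {
        1 { [pscustomobject]@{ Mode = 1; Protected = $false
                               Description = 'Startup key stored in the registry (default): an offline copy of the SAM and SYSTEM hives is enough to recover the account hashes.' } }
        2 { [pscustomobject]@{ Mode = 2; Protected = $true
                               Description = 'Syskey password required at boot.' } }
        3 { [pscustomobject]@{ Mode = 3; Protected = $true
                               Description = 'Syskey startup key kept on removable media.' } }
        default { [pscustomobject]@{ Mode = $lsa.SecureBoot; Protected = $false
                                     Description = 'SecureBoot value absent or unrecognised.' } }
    }
}

function Test-LocalAccountExposure {
    $syskey = Get-SyskeyMode
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $report = [ordered]@{
        SyskeyMode        = $syskey.Mode
        SyskeyDescription = $syskey.Description
        DomainJoined      = $domain
        Findings          = @()
    }

    if (-not $syskey.Protected) {
        $report.Findings += 'Local account hashes are recoverable by booting this machine from other media (the scenario in the post).'
    }
    if (-not $domain) {
        $report.Findings += 'Not domain-joined: as the post notes, the local Administrator account is the EFS recovery account on an isolated machine, so it can open any locally encrypted file.'
    }

    # Full-volume encryption (BitLocker, Vista and later) is the modern answer to the same
    # offline-boot problem; report it when the BitLocker module is available and we are elevated.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $report.OsDriveProtection = if ($vol) { $vol.ProtectionStatus } else { 'Unknown (run elevated)' }
    }

    [pscustomobject]$report
}

Test-LocalAccountExposure | Format-List
```

Run it from an elevated prompt so the BitLocker query succeeds. Any entry under Findings is a machine on which the recovery service described above would work, and the fix is the one the post gives: keep physical access controlled, and either set Syskey mode 2 or 3 or, on Vista and later, turn on full-volume encryption for the system drive. One caveat the post could not know: the syskey.exe utility was removed from Windows 10 version 1709 and Windows Server 2016 version 1709, so on those systems the SecureBoot value will always read 1 and BitLocker is the supported replacement.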
