
GSecur
Sorry about that, I missed that post.

For resetting the Admin account, try the following. Since it edits the registry, back up the registry before you attempt it; I'm not taking any credit if it messes up:

Download This File:
http://www.governmentsecurity.org/download...d/admin_reg.zip

You must go to (START - RUN, type REGEDIT, press OK, then...)
[HKEY_LOCAL_MACHINE\SAM\SAM]

Right-click there and choose TILLATELSER (Rights/Access/Permissions).
In the NEW window that appears..

Press the ADD button..
Write in your USERNAME and mark the two boxes called "All Permissions" and "Read"

Then press OK.
Now you can ADD the "AdminSamOn.reg" or the "AdminSamOff.reg" key...
If you add the ON key, then the ADMIN account will get the password "admin".
If you add the OFF key, then the ADMIN account will have no password at all.

To change user, press CTRL + ALT + DELETE once and choose the USER tab
(or START - RUN, write TASKMGR.EXE and choose the USER tab).
There you can choose which user you want to log on as.
PS: log on to the ADMIN account after you have set the NEW password!

This Reghack was made by: Alex Data
andariel
It says the file is not available.
beardednose
We'll get on it. Thanks.
manu
It worked, GSecur, thanks.

Manu
Daxziz
Could anybody repost the zip if they have it? Please.


-Daxziz
The Only JoVo
I do this with a bootable CD-ROM.
Just unpack these files and burn the ISO on a CD.

Then do as in the following tut:

HINT: Just press return/enter to accept default prompts in [brackets].
WARNING: MS soft mirror / striping will probably not work.
SCSI: The CD includes all drivers. For floppy, switch to the SCSI drivers floppy after things have stopped loading and the banner appears. Or copy the driver(s) *.o.gz files you need onto the scsi directory on the main floppy. There should be space for 1 or 2.

1. Shut down the machine and insert the floppy or CD.
2. Let the machine boot from the floppy or CD.
3. Some banners and loading messages will appear, hardware information etc.
4. Available SCSI drivers will be listed and it will now prompt for SCSI-controller drivers. You may:
   - answer 'y' to probe all available drivers in the "scsi" dir on the floppy. It will stop probing once it manages to initialize one controller.
   - answer 'n' to skip searching for SCSI cards. Use this if you only have IDE disks.
   - or, at the prompt, enter the Linux module name of the driver, and optionally parameters for it, to go directly for one. You will be asked again until you answer 'n', so that more than one driver can be loaded if required.
5. Next comes a list of all found partitions on all disks, followed by a list of what it thinks are NTFS partitions.
6. At the prompt to select a partition, the first bootable NTFS partition will be the default selection (first bootable FAT if no NTFS is found). You may however select another partition (also a FAT partition) by giving its full name (like /dev/hda1 or /dev/sda1). SCSI: sdDP -> D = disk a, b, c, d etc., P = partition number 1, 2, 3, 4 etc. IDE: hdDP -> D = a or b (primary IDE), c or d (secondary IDE), P = partition number.
7. The partition will be mounted, and the type (NTFS or FAT) will be stated.
8. Then you must select the full path (relative to the partition) of the registry directory. This is usually 'winnt/system32/config', which is the default selection, but it will also automatically recognize Windows installed in /winnt35 or /windows.
9. Then select files to copy to the temp area in the ramdisk. For password editing the default is 'sam' (essential, it's the password database), 'system' (contains some info on syskey), and 'security' (additional syskey info in Win2k). If syskey is not active, only 'sam' is changed when editing passwords. If you instead want to edit something in the registry, select the hive you want; 'system' is proper for services, hardware settings etc.
10. Now it has everything it needs, so the 'chntpw' utility will be started, working on the files in /tmp. The main menu will let you:
   - Edit passwords.
   - Check and possibly turn off syskey (please read the warnings!). Basically you never need to turn it off. See syskey.txt for technical details.
   - Registry editing. (see regedit.txt)

Editing passwords:
   - All usernames in the file will be listed.
   - You will then be prompted for the user whose password you want to change. (The default selection is administrator; it recognizes the admin account with a changed name or localized names, too.) You may instead enter the user's RID (user ID) in hex, e.g. 0x1fb. It will continue to prompt for a username until '!' is given. Re-list the users with '.'.
   - Some information on the user will be shown before the prompt for the new password.
   - If the account bits or lockout counts indicate a lock or disable, you will be offered the opportunity to unlock it.
   - Entering a single * as the password will blank the password for that user. This is reported to work better than setting a new one!
   - Enter the new password, max 14 chars (it will show on the screen). Or enter nothing to keep it unchanged.
   - Then confirm the change. (The actual write to disk comes when you exit the program.)

Exiting and writing changes:
   - If the 'chntpw' utility succeeds, you will be prompted to confirm the writeback to the NT disk/filesystem. Only 'y' is accepted for it to commit the changes. (The commit is in 2 steps: first in the editor program, then in the bootfloppy scripts. Your hard disk will only be changed if the last one is confirmed.)
   - After everything is complete, you will get the "# " shell prompt. You may then reset the computer (three-finger salute).

full tut @ : http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
oblivion2004
In looking through the source code of chntpw I found something interesting....

/* Excerpt from chntpw.c; it relies on the hive[] / H_SAM globals and the
 * ntreg.h helpers (trav_path, get_val_type, get_val2buf, put_buf2val, ...)
 * that live in the rest of the project, so it is not a stand-alone unit. */
#include <stdio.h>

/* Promote user into administrators group (group ID 0x220)
 * And remove from all others...
 * hdesc - hive
 * rid - users rid
 * no returns yet
 * THIS IS VERY HACKISH YET
 */

void promote_user(int rid)
{
  char s[200];
  char g[200];
  int nk = 0;
  struct keyval *m = NULL, *c = NULL;
  struct keyval admember = { 4, 0x220 };   /* len = 4 bytes, data = Administrators */
  unsigned int *grps, *gcnts;
  int count = 0;
  int i, size, grp;

  if (!rid || (H_SAM < 0)) return;

  /* Get member list for user. Go for the first full SID, it's usually local computer I hope */
  snprintf(s,180,"\\SAM\\Domains\\Builtin\\Aliases\\Members\\S-1-5-21-\\%08X",rid);
  /* Now, the TYPE field is the number of groups the user is member of */
  /* Don't we just love the inconsistent use of fields!! */
  nk = trav_path(hive[H_SAM], 0, s, 0);
  if (!nk) {
    printf("Cannot find path <%s>\n",s);
    return;
  }
  nk += 4;
  count = get_val_type(hive[H_SAM],nk,"@");
  if (count == -1) {
    printf("Cannot find value <%s\\@>\n",s);
    return;
  }
  printf("User is member of %d groups.\n",count);

  /* This is the data size */
  size = get_val_len(hive[H_SAM],nk,"@");

  /* It should be 4 bytes for each group */
  printf("Data size %d bytes.\n",size);
  if (size != count * 4) {
    printf("DEBUG: Size is not 4 * count! May not matter anyway. Continuing..\n");
  }

  m = get_val2buf(hive[H_SAM], NULL, nk, "@", 0);
  if (!m) {
    printf("Could not get value data! Giving up.\n");
    return;
  }

  printf("User was member of groups: ");
  grps = (unsigned int *)&m->data;
  for (i = 0; i < count; i++) {
    grp = grps[i];
    printf("%08x ",grp);
    switch (grp) {
      case 0x220: printf("=Administrators, "); break;
      case 0x221: printf("=Users, "); break;
      case 0x222: printf("=Guests, "); break;
      default: printf(", "); break;
    }
    snprintf(g,180,"\\SAM\\Domains\\Builtin\\Aliases\\%08X\\C",grp);
    c = get_val2buf(hive[H_SAM], NULL, 0, g, 0);
    if (c) {
      gcnts = (unsigned int *)&c->data;
      gcnts[0xc]--;
      /* Decrease members counter */
      put_buf2val(hive[H_SAM], c, 0, g, 0);
    } else {
      printf("Group info for %x not found!\n",grp);
    }
  }
#if 1
  printf("\nDeleting user memberships\n");

  del_value(hive[H_SAM], nk, "@");

  printf("Adding into only administrators:\n");

  if (!add_value(hive[H_SAM], nk, "@", 1)) { /* Type is # of groups, here 1 */
    printf("Failed to add @ value to key\n");
  }
#endif
  put_buf2val(hive[H_SAM], &admember, nk, "@", 0);

  /* Now bump up administrator groups count */
  c = get_val2buf(hive[H_SAM], NULL, 0, "\\SAM\\Domains\\Builtin\\Aliases\\00000220\\C", 0);
  if (!c) {
    printf("Group info for 220 (adm) not found!\n");
    return;   /* the original fell through here and dereferenced a NULL c */
  }
  gcnts = (unsigned int *)&c->data;
  gcnts[0xc]++;
  put_buf2val(hive[H_SAM], c, 0, "\\SAM\\Domains\\Builtin\\Aliases\\00000220\\C", 0);

  printf("Promotion DONE!\n");

}
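As an added illustration (not from this thread and not chntpw code), the Python below models the two SAM value layouts promote_user() depends on, using constructed bytes rather than a real hive, and cross-checks them the way an offline audit of local Administrators membership would; the "type field = group count, 4 bytes per group" convention and the member counter at DWORD index 0xc of the C value are taken from the code above and are assumptions here, as is every RID other than 0x220/0x221/0x222.

```python
import struct
from collections import Counter

# Group RIDs that promote_user() switches on; everything else here is constructed.
ADMINISTRATORS, USERS, GUESTS = 0x220, 0x221, 0x222

def member_value(*group_rids):
    """Members\\...\\<RID> '@' value as (type, data): type = group count, data = LE DWORDs."""
    return len(group_rids), struct.pack("<%dI" % len(group_rids), *group_rids)

def alias_c_value(member_count):
    """Aliases\\<group>\\C value; member count at DWORD 0xc (assumed from gcnts[0xc] above)."""
    return struct.pack("<16I", *([0] * 0xc + [member_count] + [0] * 3))

def parse_memberships(members):
    """{user_rid: (type, data)} -> ({user_rid: [group_rids]}, problems).
    Flags the type/size disagreement chntpw only prints a DEBUG line about."""
    out, problems = {}, []
    for rid, (count, data) in members.items():
        if len(data) != count * 4:
            problems.append("RID 0x%x: type says %d groups, data is %d bytes" % (rid, count, len(data)))
        n = min(count, len(data) // 4)  # never read past the buffer
        out[rid] = list(struct.unpack("<%dI" % n, data[:n * 4]))
    return out, problems

def check_alias_counts(memberships, aliases):
    """[(group_rid, stored, actual)] for each alias whose counter disagrees with Members."""
    seen = Counter(g for groups in memberships.values() for g in groups)
    stored = {g: struct.unpack_from("<I", c, 0xc * 4)[0] for g, c in aliases.items()}
    return [(g, s, seen[g]) for g, s in stored.items() if s != seen[g]]

def audit(members, aliases):
    """Offline audit: who is in Administrators, plus any structural inconsistencies."""
    memberships, problems = parse_memberships(members)
    admins = sorted(r for r, g in memberships.items() if ADMINISTRATORS in g)
    return {"admins": admins, "problems": problems,
            "bad_counts": check_alias_counts(memberships, aliases)}

def sample_hive():
    """Constructed sample: RID 0x3e9 was rewritten into Administrators only, but the
    alias counters and its own '@' value were left stale (the kind of residue an
    interrupted or sloppy offline edit leaves behind)."""
    members = {0x1f4: member_value(ADMINISTRATORS),                    # Administrator
               0x3e8: member_value(USERS),
               0x3e9: (1, struct.pack("<2I", ADMINISTRATORS, USERS))}  # type=1, 8 bytes
    aliases = {ADMINISTRATORS: alias_c_value(1), USERS: alias_c_value(2),  # both stale
               GUESTS: alias_c_value(0)}
    return members, aliases
```

Running audit(*sample_hive()) lists 0x1f4 and 0x3e9 as Administrators and reports both stale counters plus the malformed '@' value.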
hottzo
Nice post GSecur, is there any way I could grab the reg file? thx
cougar
The file you are searching for /download/admin_reg.zip is not valid. Try again or visit the GSO main page.

Invision Power Board © 2001-2005 Invision Power Services, Inc.