Windows XP Logon password cracking (9 methods)

Source: Internet
Author: User
Tags net command

When you set a password on a Windows XP account for the first time, create a password reset disk at the same time. It saves you from reinstalling (and reformatting the hard disk) later.
Open Control Panel, choose User Accounts, select your own account, and in the task list on the left click "Prevent a forgotten password". This starts the Forgotten Password Wizard: it asks you to insert a formatted blank floppy disk and to type the account's current password, and a moment later the password reset disk is ready.
If Windows XP is set up to log on without the Welcome screen, you can also create the disk after logging on: press Ctrl+Alt+Del to open the Windows Security dialog, click Change Password, and in the Change Password window click the Backup button in the lower left. This launches the same Forgotten Password Wizard; follow the prompts to create the reset disk.
If you type a wrong password in the Windows XP logon window, a "Logon Failed" dialog appears. If you really cannot remember the password, click Reset to start the Password Reset Wizard, insert the password reset disk, set a new password, and log on to Windows XP with it.
A password reset disk carries a definite risk: anyone who holds it can log on as that user and do everything the real user can do. Keep it in a safe place so that it is neither lost nor stolen.

Method 1 -- use the built-in "Administrator" account (applies when the account you normally use is not named "Administrator")
During Windows XP setup the default account is "Administrator", and setup requires you to create at least one additional user account for logging on. Only the accounts you created are shown on the Welcome screen; the "Administrator" account is hidden, but it still exists, and unless you set one during setup its password is blank.
Knowing this, if you forget your logon password, press Ctrl+Alt+Del twice on the Welcome screen to bring up the classic logon dialog, type "Administrator" as the user name with an empty password, and once logged on change the password of your own account ("zhangbp" in this example) from User Accounts.

Method 2 -- delete the SAM file (note: this method only works on Windows 2000)
Windows NT/2000/XP manage user accounts through the Security Account Manager (SAM), which identifies every account by a Security Identifier (SID). The SID is created together with the account and deleted together with it. It is unique: even if you re-create an account with the same user name, it receives a completely different SID and none of the original permissions. The SAM database is the file %SystemRoot%\system32\config\sam; it holds every user's logon name, password (as a hash) and related account data.
Once you know this, a solution suggests itself: delete the SAM file and boot. The system rebuilds a clean, empty SAM with no passwords in it.
Unfortunately this simple trick does not work on XP; Microsoft apparently closed the hole. On XP, deleting the SAM does not remove the password. Instead, system initialization fails and the machine ends up in an endless reboot loop rather than a working system.

Method 3 -- recover the password from the SAM file (prerequisite ...... basic DOS commands)
Boot from a boot floppy before the system starts, change to C:\winnt\system32\config, and copy the SAM file to the floppy (on an NTFS system partition a plain DOS boot disk cannot read the file; you need an NTFS-capable disk such as the NTFSDOS one described under Method 8). Read the copy on another machine with LC4 (L0phtCrack 4): run LC4, create a new session, choose "Import > Import from SAM file" and open the SAM copy. LC4 parses the file and lists the user names it contains. Then choose "Session > Begin Audit" to start cracking. If the password is simple, the result arrives within a short time.
If the password is complex, however, cracking can take a very long time. In that case turn to the next method.

Method 4 -- overwrite with another SAM file (prerequisite: you can obtain the SAM file, and its password, from another computer ...... in my view the most practical method)
1 -- As described above, the SAM file stores the logon names and passwords, so all we need is to replace ours with a SAM whose logon name and password we know. The partition format of the "donor" system should match your own (check whether it is FAT32 or NTFS). Ideally the donor has no password set and its security settings are untouched (which is the case on most PCs). It is safest to copy the donor's entire \winnt\system32\config directory over C:\winnt\system32\config on your XP (assuming XP is installed on the default partition C:).
2 -- If nobody can help you ("just in case"), install a second copy of XP on another partition with the same file system, and never on the partition holding the original XP. Back up the MBR first; there are many ways to do this, for example with the KV3000 antivirus tool. After installation, log on to the new copy as Administrator: you now have full write access to the original installation. You can copy out the original SAM and recover the password with L0phtCrack, or copy all files from the new installation's \windows\system32\config over C:\winnt\system32\config (the original XP's directory), then restore the MBR you backed up with KV3000 and log on to the original XP as Administrator.
[I ran into trouble with approach 2, and approach 1 is also a hassle: better to ask someone for help...]
[It is also said that the SAM in the Windows\repair directory is the original copy from installation and can be used to overwrite the SAM in system32, which removes the current password and restores the one set during installation. If that password was blank, well ...... ]


Method 5 -- boot from a Windows 2000 installation CD and use the Recovery Console (prerequisite ...... obvious, right? A Windows 2000 installation CD)
Boot the computer from the Windows 2000 installation CD. On the setup screen choose to repair a Windows 2000 installation (press R), then choose the Recovery Console (press C). Setup scans for existing Windows 2000/XP installations; usually there is only one, so a single logon choice is listed (1: C:\Windows). Press 1 and Enter. At this point Windows XP does not ask for the Administrator password and you are logged straight into the Recovery Console. (With a Windows XP installation CD you would have to enter the password of the built-in Administrator account.) Every Windows user knows the Recovery Console can perform system-level operations: copying, moving and deleting files, starting and stopping services, even formatting and repartitioning.
Test disc: Windows 2000 Professional, Simplified Chinese, with SP3 integrated.
Tested systems: Windows XP Professional, and Windows XP with SP1 (the result is the same on FAT32 and NTFS).
[Note that, for various reasons, some Windows 2000 installation discs on the market do not offer the console logon option, in which case this hole cannot be exploited. Also, because the Recovery Console is local only, it cannot be exploited over the network; it requires physical access to the single machine.]

Method 6 -- use the net command (two prerequisites: the Windows XP partition uses the FAT32 file system, and the user name contains no Chinese characters)
Windows XP provides the "net user" command, which adds or modifies user accounts. Its syntax is:
net user [username [password | *] [options]] [/domain]
net user username {password | *} /add [options] [/domain]
net user username [/delete] [/domain]
Each parameter is documented in detail in Windows XP Help and is not repeated here. Taking the local user "zhangbq" as an example, this is how to deal with a forgotten logon password:
1. Restart the computer, press F8 as soon as the startup screen appears, and choose "Safe Mode with Command Prompt".
2. When loading finishes, the system lists the built-in super user "Administrator" and the local user "zhangbq". Click "Administrator" to get a command prompt (this relies on the Administrator password being blank, as in Method 1).
3. Type "net user zhangbq 123456" to change zhangbq's password to "123456". (The /add switch is only for creating accounts; used on an existing account it fails with "the account already exists".) To add a new user instead, for example abcdef with password 123456, type "net user abcdef 123456 /add", and then "net localgroup administrators abcdef /add" to put the account in the "Administrators" group and give it full rights.
4. Restart, choose normal mode, and log on as "zhangbq" with the new password "123456". Afterwards open Control Panel → User Accounts, select the account whose password was forgotten and choose "Remove my password" if you want it without a password, then delete the temporary account: Control Panel → User Accounts → select the account you added ([alanhkg888] in the original example) → "Remove the account".
[However, it has been suggested that, in testing, a user created from the safe-mode command prompt cannot log on in normal mode (this has not been confirmed).]

Method 7 -- password cracking software (prerequisite: a standard system installation CD, not one of those discs that "integrate" several systems)
1 -- Windows Key 5.0 from Passware Kit 5.0 resets the system administrator's password. It generates three files, txtsetup.oem, winkey.sys and winkey.inf, about 50 KB in total. Put them on a floppy and boot from the XP installation CD. When setup offers to load third-party drivers (press F6), that is the moment to step in: insert the floppy, and setup jumps to the Windows Key interface, which forcibly changes the Administrator password to 12345. After the restart you are asked to change the password again.
2 -- Offline NT Password & Registry Editor. This tool builds a Linux boot floppy that can access NTFS, so it supports Windows 2000/XP. Its ntpasswd utility, run from Linux on the floppy, reads the registry hives and rewrites the account entries. Usage is simple: follow the prompts after booting step by step. Quick mode is recommended; it lists the users so you can change a user's password, preselects the members of the Administrators group, and automatically finds the built-in administrator account even if it has been renamed, which is very convenient.
3 -- ERD Commander 2003 is aimed at Windows administrators and end users facing systems that may crash at any moment; everyone has their own tools for rescuing data and repairing the system. ERD Commander is the most powerful component of the Winternals Administrator's Pak. One notable feature is password changing: on Windows NT/2000/XP/2003, ERD can change any user's password without knowing the old one.

Method 8 -- replace the screen saver (prerequisite: a screen saver is configured)
Use NTFSDOS, a tool that can write to NTFS partitions from DOS. Create a DOS boot disk with it, boot from it, go to C:\winnt\system32, rename the logon screen saver logon.scr to something else, then copy cmd.exe into C:\winnt\system32 under the name logon.scr (on Windows 2000, cmd.exe can be used this way). Fifteen minutes after the machine starts, when the logon screen saver would have appeared, a command prompt appears instead, running with system-level privileges (it runs as LocalSystem, not merely as an administrator). From it you can change a password or add a new administrator account. Do not forget to rename the real screen saver back afterwards.

Method 9 -- use a startup script (prerequisite ...... basic DOS commands)
Windows XP startup scripts are batch files the computer runs before the logon screen appears, much like the autoexec.bat that Windows 9x and DOS run automatically. With this feature you can write a batch file that resets the user's password and register it as a startup script. The procedure is as follows (assuming the system directory is C:\Windows).
1. Boot from a Windows 98 boot disk. In DOS, create a file named a.bat whose only content is a net user command: "net user RWD 12345678". This sets RWD's password to "12345678" (see Windows Help for net user usage). Save a.bat to C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup.
2. Write the startup/shutdown script configuration file scripts.ini. The file name is fixed and cannot be changed. Its content is:
[Startup]
0CmdLine=a.bat
0Parameters=
3. Save scripts.ini to C:\Windows\System32\GroupPolicy\Machine\Scripts. scripts.ini holds the computer's startup/shutdown script settings and normally contains two sections, [Startup] and [Shutdown]: [Startup] configures the startup scripts and [Shutdown] the shutdown scripts. Each script entry has two parts, the script name, stored under the xCmdLine key, and its parameters, stored under the xParameters key, where x is the script number starting from 0; it distinguishes multiple entries and fixes the order in which they run.
4. Remove the Windows 98 boot disk, restart the computer, and wait for the startup script to run. Once it has run, RWD's password has been reset to "12345678".
5. After logging on successfully, delete the two files created in the steps above.
[You can also write a.bat and scripts.ini in Notepad on another computer and copy them to your machine from DOS with a floppy.]
The procedure above assumes a FAT32 file system. With NTFS, attach the hard disk to another machine running an NTFS-capable system (Windows 2000 or Windows XP) as a secondary drive and copy the files from there. This method resets the administrator password and works for local accounts on the computer; the page states it is equally effective for domain users, although changing a domain account requires the /domain switch and domain rights.
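The scripts.ini format described in Method 9 is also what a defender inspects when looking for this trick. The Python below is an added example, not part of the article: it parses a scripts.ini into the [Startup] and [Shutdown] entries in the order Windows runs them (by the numeric prefix of xCmdLine/xParameters) and flags every referenced script whose body runs the account-manipulating commands used in Methods 6 and 9 (net user, net localgroup). The scripts.ini text and the batch-file contents are constructed for the demo and stand in for files read from C:\Windows\System32\GroupPolicy\Machine\Scripts.

```python
"""scripts.ini parser and auditor (added example, not from the article).
Entry keys look like 0CmdLine / 0Parameters; the number is the run order."""
import re

# Constructed scripts.ini in the format the article describes.
SAMPLE_SCRIPTS_INI = """\
[Startup]
0CmdLine=a.bat
0Parameters=
1CmdLine=inventory.vbs
1Parameters=/quiet
[Shutdown]
0CmdLine=cleanup.cmd
0Parameters=
"""

# Constructed contents of the scripts referenced above, keyed by file name
# (in practice read from the Scripts\Startup and Scripts\Shutdown folders).
SAMPLE_FILES = {
    "a.bat": "net user RWD 12345678\r\n",
    "inventory.vbs": "' collects hardware inventory\r\n",
    "cleanup.cmd": "del /q %TEMP%\\*.log\r\n",
}

ENTRY_RE = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)
# Commands that change local accounts or group membership (net1 is the
# alias Windows ships alongside net).
SUSPICIOUS_RE = re.compile(r"\bnet1?\s+(?:user|localgroup)\b", re.IGNORECASE)


def parse_scripts_ini(text: str) -> dict:
    """Return {section: [(cmdline, parameters), ...]} with entries sorted by number."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            idx, key, value = int(m.group(1)), m.group(2).lower(), m.group(3)
            entry = sections[current].setdefault(idx, {"cmdline": "", "parameters": ""})
            entry[key] = value
    return {
        sec: [(e["cmdline"], e["parameters"]) for _, e in sorted(entries.items())]
        for sec, entries in sections.items()
    }


def find_account_changes(ini_text: str, files: dict) -> list:
    """Return [(section, script, offending line)] for every startup/shutdown
    script whose body runs net user or net localgroup."""
    hits = []
    for section, entries in parse_scripts_ini(ini_text).items():
        for cmdline, _params in entries:
            body = files.get(cmdline, "")
            for line in body.splitlines():
                if SUSPICIOUS_RE.search(line):
                    hits.append((section, cmdline, line.strip()))
    return hits


if __name__ == "__main__":
    for section, script, line in find_account_changes(SAMPLE_SCRIPTS_INI, SAMPLE_FILES):
        print(f"[{section}] {script}: {line}")
```

Machine startup scripts run as LocalSystem before anyone logs on, so any entry here that touches accounts deserves the same scrutiny as the logon.scr swap in Method 8.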
