# recover lost admin password



## MikeB (Apr 6, 1999)

The Ultimate NT Hack, Part I - for when you lose your admin password.

There is a way to recover the Administrator account, but it's tricky and requires physical access to the server. First, you must have the following:

- A regular user account that can log on locally to your NT machine. (If you already have an alternate installation of NT on the system to be recovered, skip ahead to the command prompt instruction in Part II.)
- The NT CD and setup disks. Use the winnt /ox command to create the setup disks from the CD.
- Enough room to install a temporary copy of NT (Workstation will suffice, even on a Primary Domain Controller).
- The latest Service Pack (http://support.microsoft.com/support/downloads/PNP281.asp).

The Ultimate NT Hack, Part II

First, boot up from the setup floppies you created and install a copy of NT in the \TEMPNT directory on any drive. Add the latest Service Pack. Make sure the Scheduler service is running and boot the alternate installation. At a command prompt, type AT HH:MM /INTERACTIVE CMD /K where HH:MM is 10 minutes from the current time, in 24-hour format. This opens a user-interactive command prompt that will allow you to log on. Setting it for 10 minutes should give you enough time to do the recovery operation.

The Ultimate NT Hack, Part III

Edit the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key in the Registry. Double-click on Schedule and select the subkey under Schedule. Double-click on the Schedule value name in the right-hand pane and copy the REG_BINARY string to the Clipboard. Select HKEY_LOCAL_MACHINE and Load Hive from the Registry menu. When prompted for a hive file, go to your original installation's SYSTEM32\CONFIG folder and select the System hive. When you're prompted for a Key Name to mount the hive under, type ORIGSYS. When ORIGSYS appears under HKEY_LOCAL_MACHINE, open the Select key. Write down the value for the Current entry (usually 0).

The Ultimate NT Hack, Part IV

Browse to ORIGSYS\ControlSet00n\Services\Schedule and make sure the value for Start is 0x2. Add a new subkey named 001 under Schedule and add to it the type REG_SZ with the value CMD /K; add the type REG_BINARY with the Current value you recorded from the previous step. Select ORIGSYS and Unload Hive from the Registry menu. Under Control Panel/System/Startup/Shutdown, select the Startup option that boots your original NT installation. The order in which the items are listed in the drop-down menu is the same as it appeared in BOOT.INI, so the original boot will probably be the first entry. Shut down and restart, booting your original installation.

The Ultimate NT Hack, Part V

Finally, log on as your user account and wait for the scheduled event (as detailed in Part II) to take place. When the command prompt opens, it will be under the context of the Schedule user (the user who set the schedule), as either the System account or an administrative account. If this machine is not a Primary Domain Controller, type MUSRMGR.EXE. If it is, type USRMGR.EXE. (If you get an error, click Yes and type your domain name.) Set the Administrator password and log off. Log back on as Administrator. You can delete your temporary NT installation.
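
A defender's check for the registry changes described in Parts III and IV, as an added example that is not part of the original post: it parses a REGEDIT4-style text export of an offline System hive and reports an auto-start Schedule service and any numbered job subkey whose string value launches a command interpreter. The sample export, the value name "Command" and the binary bytes are constructed placeholders; only the key layout (Services\Schedule, subkey 001, Start = 0x2, CMD /K) comes from the post.

```python
import re

# Constructed sample export of an offline SYSTEM hive mounted as ORIGSYS.
# "Command" and the hex bytes are placeholders, not values from the post.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\ORIGSYS\ControlSet001\Services\Schedule]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\ORIGSYS\ControlSet001\Services\Schedule\001]
"Command"="CMD /K"
"Schedule"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\ORIGSYS\ControlSet001\Services\Spooler]
"Start"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
JOB_KEY_RE = re.compile(r'\\Services\\Schedule\\(\d+)$', re.I)
SHELL_RE = re.compile(r'\b(cmd|command)(\.exe|\.com)?\b', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def audit_schedule(text):
    """Report auto-start Schedule services and queued jobs that run a shell."""
    findings = []
    for path, values in parse_reg(text).items():
        if path.lower().endswith(r'\services\schedule'):
            if values.get('Start', '').lower() == 'dword:00000002':
                findings.append((path, 'Schedule service set to auto-start (Start=0x2)'))
        job = JOB_KEY_RE.search(path)
        if job:
            for name, data in values.items():
                # Only quoted (REG_SZ) data can hold a command line.
                if data.startswith('"') and SHELL_RE.search(data):
                    findings.append((path, f'job {job.group(1)} runs a shell: {data}'))
    return findings
```

An auto-start Schedule service is normal on machines that use scheduled jobs; the finding worth chasing is a job subkey nobody on the admin team created.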


----------



## Ari (Aug 27, 1999)

Nice info, but I'm not really sure it is appropriate for a "public access" BBS.

Take my particular case. With the info you just gave me I can now go to work at any time after hours and hack my way into our network. I'm sure that I'm not the only one out there that can get physical access to the server but doesn't have "Administrative" privileges.

This is just my own personal opinion, but, I really feel this post should not be here. Things like this could easily open the board to legal hassles.



------------------
To err is human, to really foul things up you need a computer.


----------



## TechGuy (Feb 12, 1999)

We've come to the conclusion (at least for the moment) that since this tip can, indeed, be very useful for legal purposes, it will remain. However, I will stress that it is the responsibility of each user - not this site - to use such information in a legal and responsible manner. I sincerely thank Ari, though, for responding in the best interest of the board.


----------



## MikeB (Apr 6, 1999)

I found the info on another site. Believe me, I am not bright enough to come up with that kind of stuff on my own.

When I found it I thought wow, that could really come in handy, especially when I show up at a site where the administrator was run out of town and the network needs some help.

I can post the other site if you like. It never occurred to me that it might incite someone to abuse it.

Thanks for your tip, Ari. Physical security of all servers is now even more important.


----------



## Ari (Aug 27, 1999)

MikeB, I wasn't trying to imply anything by my post. I really don't believe that ANY of the regulars on this board would use the info for anything other than what it is intended for.

I was more worried about a "passer-by" reading it, using it for some nefarious purpose and it getting tracked down that this site was where he/she learned how to do it.

Maybe it is/was all the references to "The Ultimate NT Hack" that sent a warning message to my mind. Besides, I doubt that there are all that many people out there that have total access to the building and servers (like I do) that don't have Admin access to the servers themselves anyways.

------------------
To err is human, to really foul things up you need a computer.


----------

