Forgot the Administrator Password – Alternate Method – The LOGON.SCR trick
Forgot the Administrator password – Alternate Method – The LOGON.SCR trick
This is another trick that will easily work in Windows NT 4.0 and some versions of Windows 2000. The principal is that you need to install a second instance of your OS to your HD, then manipulate the default screen saver (the one that’s used if you don’t move your mouse while the CTRL-ALT-DEL box appears) for the original OS.
Update: You can also discuss these topics on the dedicated Petri.co.il Forgot Admin Password Forum.
Windows Server 2003 Domain Admin password
This tip will NOT work for Windows Server 2003. This is because of changes in the service account with which the process runs. In Windows 2000 it was run in the Local SYSTEM account (LSA) privileges, while in Windows Server 2003 it is run with the LOCAL SERVICE account, thus resulting in far less privileges than it used to have in W2K and NT 4.0. The reason 2 new account have been introduced in 2003 is that SYSTEM Account has way too many power over the system and the system could be compromised by exploiting almost any system service. The Microsoft’s solution was to introduce 2 less powerful accounts (LOCAL SERVICE and NETWORK SERVICE) and make some services run in the context of those accounts instead of LSA.
To successfully reset the Domain Admin password on Windows Server 2003 Active Directory please read the Forgot the Administrator’s Password? – Reset Domain Admin Password in Windows Server 2003 AD page.
Windows 2000 Domain Admin password
To successfully reset the Domain Admin password on Windows 2000 Active Directory please read the Forgot the Administrator’s Password? – Reset Domain Admin Password in Windows 2000 AD page. For Office document password password removal, you can also check our tutorials on cracking Excel passwords and how to recover Word passwords.
The LOGON.SCR trick
To successfully reset the local administrator’s password on Windows NT and some versions of Windows 2000 follow these steps:
- Install an alternate copy of Windows NT or Windows 2000.
You must install this instance of NT/2000 on a different folder than WINNT, otherwise you’ll end up with the same bad situation. Use ALTWINNT for example.
It is best that you install the alternate instance of the OS into a different partition than the one you have your original installation. You’ll delete this folder anyway, and it’s best that you just format that partition after you’re done. Formatting the partition will be much easier than deleting individual files and folders.
Also, if you lost your password on NT – install a new instance of NT, not Windows 2000, as doing so will ruin your old NT installation (because of the difference between the NTFS versions). Same goes for W2K, XP and Windows Server 2003. Always install the same OS.
Note: On Windows NT 4.0 machines that were installed out-of-the-box you do not have to install a fresh copy if you still have access as a regular user to the system. E.g. if you can log-on as a regular, non-administrator user, you can still manipulate the file’s permissions. This is simply because NT’s default permissions are set for Everyone – Full Control. This is not true on W2K/XP/2003 machines.
Another note: Reader Mike wrote:
In the article you mention installing the OS on top of the existing OS to do the logon screensaver manipulation.
I wanted to mention that this can also be accomplished by removing the hard drive, placing it as a slave on another computer (XP and W2K play nicely) and then accessing the file system. Of course you need a second computer, but for some folks it may be an easier solution.
That’s correct, and it will work for you unless you converted the disk to a dynamic disk, on the original OS. In that case you will no longer be able to boot the old OS, even if you do manage to access the files from the other computer.
- Boot the alternate install.
- Use Control Panel/System/Startup (for NT) or Control Panel/System/Advanced/Startup and Recovery for W2K to change the default boot instance back to your original install.
Lamer note: If you don’t do that you’ll end up booting into the alternate installation next time you turn on your computer. You don’t want that, do you?
- Open Explorer. Browse to your original Windows NT/2000 folder, navigate to the %systemroot%\System32 sub-folder.
Lamer note: %systemroot% is a system variable used to point to the folder where NT/2000 is installed, usually \WINNT in NT/2000, or \WINDOWS in XP/2003.
- Save a copy of LOGON.SCR, the default logon screen saver, anywhere you like. Just remember where you’ve placed it. You can also just rename the file to something you’ll remember later, I user LOGON.SC1.
Lamer note: To rename a file use the REN command in the Command Prompt window, or just select the file in Windows Explorer and press F2.
- Delete the original LOGON.SCR from the %systemroot%\system32 sub-folder. It is not necessary to delete the file if you renamed it, you can leave it there.
Note: You might not be able to delete the LOGON.SCR file because of permission settings. Regular users can only read and execute the file, not delete it. If that is the case (and it is in W2K, XP and Windows Server 2003) then you need to take ownership of the file and give the EVERYONE group FULL CONTROL permissions.
Lamer note: In order to take ownership of a file right-click it, select Properties, select the Security tab, click Advanced, and then click on the Owner tab. Select one of the users found in the list, click ok all the way out.
In order to change the LOGON.SCR permissions follow the previous instructions, in the Security tab click Add and browse to the Everyone group. Add it and make sure you give it Full Control. Click Ok all the way out.
- Make a copy CMD.EXE in the %systemroot%\System32 sub-folder. CMD.EXE is located in %systemroot%\system32.
Lamer note: In order to copy a file via GUI, select the file, right-click and chose Copy, then go to the destination folder, right click the folder name and select Paste. You can also use the keyboard by typing CTRL-C to Copy, CTRL-V to Paste.
- Rename the copy of CMD.EXE to LOGON.SCR.
Lamer note: See step #5.
- Shutdown and restart your computer. Boot into the original install.
- Wait for the logon screen saver to initiate – around 15 minutes. Oh, and no, do NOT move your mouse while you wait, duh…
After the screensaver is initiated, instead of running the normal LOGON.SRC actual screensaver, it will run the renamed CMD.EXE file (which is now called LOGON.SCR), and will actually open a CMD prompt in the context of the local system account.
In step #7 you could have used EXPLORER.EXE instead of CMD.EXE, and in that case a My Computer window will pop up.
Note: As noted earlier on this page, there is a way to make the wait time shorter, but you’ll need to dig into the Registry for that.
- Open the CMD.EXE prompt (it should already be opened if you’ve used CMD.EXE in step #7) and type:
net user administrator 123456
This will reset the local administrator (or domain admin if you are doing this trick on a DC) password to 123456.
Lamer note: You can, of course, use ANY password you want…
- Delete the LOGON.SCR from %systemroot%\System32.
- Rename the saved default screen saver from step 5 back to LOGON.SCR.
- If you wish to remove the alternate install:
- Delete its’ folder.
- ATTRIB -R -S -H c:\BOOT.INI
- Edit c:\BOOT.INI and remove the alternate install’s entries.
If you’ve used a different partition to install the alternate install then now you can simply delete or format that partition if you don’t need it anymore, plus edit c:\BOOT.INI and remove the alternate installation entries.
This trick has been tested a zillion times. Don’t bother to tell me it doesn’t work, it does (for Windows NT and some versions of Windows 2000), and that’s a fact.
You can also discuss these topics on the dedicated Petri.co.il Forgot Admin Password Forum.
More in Security
Microsoft Defender Vulnerability Management Now Supports Firmware Assessments
Nov 29, 2022 | Rabia Noureen
Microsoft Entra Workload Identities Service is Now Generally Available
Nov 29, 2022 | Rabia Noureen
Microsoft Authenticator to Enable Number Matching Security Feature by Default in February 2023
Nov 21, 2022 | Rabia Noureen
Microsoft Defender for Endpoint Adds Network Protection on iOS and Android
Nov 11, 2022 | Rabia Noureen
What is a Software-Defined Perimeter?￼
Nov 11, 2022 | Sukesh Mudrakola
Microsoft Defender for Business Adds Server Protections for SMBs
Nov 10, 2022 | Rabia Noureen
Most popular on petri