Title: 100% solution for a forgotten administrator password on winnt/2000/xp
阿土 (土人)
Moderator
Posted 2005-7-3 09:20
Tested and working on win2k/winxp.
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Offline NT Password & Registry Editor, Bootdisk

--------------------------------------------------------------------------------

I've put together a single floppy or CD which contains things needed to edit the passwords on most systems.

The bootdisk supports standard (dual)IDE controllers, and most SCSI-controllers with the drivers supplied in a separate archive below. It does not need any other special hardware, it will run on 486 or higher, with at least 32MB (I think) ram or more. Unsupported hardware: MCA and EISA not supported, i2o may not work, USB keyboard may not work. Quite a few IDE and SCSI raid-controllers may not work either.

Please see the Frequently Asked Questions before emailing questions to me. Thanks!

Also take a look at Grenier's DOS port
Other ways to recover lost password etc at MCSE World



--------------------------------------------------------------------------------

How to use?
Yes, long text. Please read it all before mailing me with questions
HINT: Just press return/enter to accept default prompts in [brackets]
WARNING: MS soft mirror / striping will not work probably.
SCSI: CD includes all drivers. For floppy switch to the SCSI drivers floppy after things have stopped loading and the banner appears. Or copy the driver(s) *.o.gz files you need onto the scsi-directory on the main floppy. There should be space for 1 or 2.
1. Shut down machine and insert floppy or CD.
2. Let the machine boot from the floppy or CD. See bottom of this page or the FAQ if you have problems with this.
3. Some banners and loading-messages will appear, hardware information etc.
4. Switch to scsi-driver floppy here if needed, see above. Not needed if running the CD.
5. Available SCSI-drivers will be listed (if any, see above), and it will now prompt for SCSI-controller drivers, you may:
   - answer 'y' to probe all available drivers in the "scsi" dir on the floppy. It will stop probing once it manages to initialize one controller.
   - answer 'n' to skip searching for SCSI cards. Use this if you only have IDE-disks.
   - or at the prompt, enter the linux module name of the driver, and optionally parameters for it, to go directly for one. You will be asked again until you answer 'n', so that more than one driver can be loaded if required.
6. Next comes a list of all found partitions on all disks, followed by a list of what it thinks is NTFS partitions.
7. At the prompt to select a partition, the first bootable NTFS partition will be the default selection. (First bootable FAT if no NTFS found) You may however select another partition (also a FAT partition) by giving its full name (like /dev/hda1 , or /dev/sda1). SCSI: sdDP -> D=disk a b c d etc, P=partition number 1 2 3 4 etc. IDE: hdDP -> D=a or b (primary IDE), c or d (secondary IDE), P=partition number.
8. The partition will be mounted, and the type (NTFS or FAT) will be stated.
9. Then you must select the full path (relative to the partition) of the registry directory. This is usually 'winnt/system32/config', which is the default selection, but it will also automatically recognize windows installed in /winnt35 or /windows.
10. Then select files to copy to temp area in ramdisk. For password editing the default is 'sam' (essential, it's the password database), 'system' (contains some info on syskey), and 'security' (additional syskey info in Win2k). If syskey is not active, only 'sam' is changed when editing passwords. If you instead want to edit something in the registry, select the hive you want, 'system' is proper for services, hardware settings etc.
11. Now it has everything it needs, so the 'chntpw' utility will be started, working on the files in /tmp. The main menu will let you:
   - Edit passwords.
   - Check and possibly turn off syskey (please read the warnings!). Basically you never need to turn it off. See syskey.txt for technical details.
   - Registry editing. (see regedit.txt)
12. Editing passwords:
   - All usernames in the file will be listed.
   - You will then be prompted for the user which you want to change the password of. (default selection is administrator, it recognizes admin-account with changed name or localized names, too) You may instead enter the user's RID (user ID) in hex, ex: 0x1fb. It will continue to prompt for a username until '!' is given. Re-list the users with '.'
   - Some information on the user will be shown before the prompt for new password.
   - If the account bits or lockout counts indicates a lock or disable, you will be offered opportunity to unlock it.
   - Entering a single * as the password will blank the password for that user. This is reported to work better than setting a new one!
   - Enter the new password, max 14 chars (it will show on the screen). Or enter nothing to keep unchanged.
   - Then confirm the change. (actual write to disk comes when you exit the program)
13. Exiting and writing changes:
   - If the 'chntpw' utility succeeds, you will be prompted to confirm the writeback to the NT disk/filesystem. Only 'y' is accepted for it to commit the changes. (the commit is in 2 steps. First in the editor program, then in the bootfloppy scripts. Your harddisk will only be changed if the last one is confirmed)
   - After everything is complete, you will get the "# " shell prompt. You may then reset the computer (three-finger-salute).

What can go wrong?
Lots of things can go wrong, but most faults won't damage your system.
The most critical moment is when writing back the registry files to NTFS. Also, the file written back may be corrupt (from chntpw messing it up), preventing your NT system from booting properly. YOU HAVE BEEN WARNED! One indication of a corrupt SAM is that the Netlogon service will fail to start, which again means it's impossible to log in. Or it will simply just reboot forever.

Also, see the FAQ for help with common problems.

For linux-knowledged people, you may do things manually if the scripts fail, you have shells on tty1-tty4 (ALT F1 - ALT F4).


--------------------------------------------------------------------------------


Bootdisk history
030126:
Fixed some bugs in chntpw/ntreg, causing a crash when loading some hives. This was caused by trying to handle garbage at end of file, which seems to be quite common. Thanks to Jim Andersen for supplying a hive to test it on.
BLANKING PASSWORD, * at the password prompt, IS NOW RECOMMENDED instead of changing the password. Reports say that blanking will work better in most cases.
No other changes bootfloppy or drivers.
030118:
A few more drivers: i2o (only on CD!), some compaq raidstuff, Fusion MPT. No idea if it really works.
Floppy/CD was in previous 2-3 versions accidentally built with strict checking of module versions. This made it difficult to load 3rd party driver. Should be easier now.
Also, driver load now tries to force load (insmod -f) thus overriding even more version checking. So, you probably manage to load a driver, but if it doesn't match some needed functions/API, it may crash.
No changes to password and regedit logic. chntpw at same version as last release.
030112:
Bootdisk & CD includes chntpw with full registry write support.
Otherwise not much changes.
021213:
CD ISO image now available. See below.
Now built for 486 or higher (previous required P3 or more).
Added support to open account lockouts & disable.
021208: (removed, 021213 is almost same)
Better NTFS driver which hopefully will write stuff back better. But there is still only write-over support.
More and hopefully better drivers.
Support for blanking passwords.
Support for looking up user with RID.
There is no support for MCA and EISA-bus stuff, and maybe not i2o.
011022:
Will now only write back files that have actually changed, hopefully reducing problems with NTFS on win2k. sam is usually small, and most often the only file changed.
If writing to NTFS, a run of something called ntfsfix is now an option (but recommended), it will force windows to do chkdsk on next boot, to further reduce problems. If one of the files still gets corrupted, see top of this page for info on how to salvage.
Better drivers? (A Compaq driver did not build and is not included. sorry for this, if someone has one that works with 2.4.12, I'll put it up)
Fixed input bug when entering names of 16 characters, it caused an overflow into the password prompt, making it impossible to change the password
010819 release removed!
010819:
Fixed scsi driver module loader. No probe is now default answer. Manual loading: You give the basename (ex: aic7xxx) and it will hopefully handle it if the file is named .o or .o.gz (ex: aic7xxx.o.gz) Prompt for module loading will be repeated until you say 'n'
Path selection: default was always \winnt\system32\config, but on Windows XP (and on upgraded systems from win98) it seems to be \windows\...., so it will now check for winnt, winnt35 and windows and suggest the found one as default.
More and better drivers. Hope I remembered to get everything in.
(earlier history removed)
9705xx
First public release.

--------------------------------------------------------------------------------

Download
Note: Some links may be offsite.


bd030126.zip (1.4MB) - Bootdisk image, date 030126
sc030126.zip (~750KB) - SCSI-drivers (030126) (only use newest drivers with newest bootdisk, this one works with bd030126)
rawwrite2.zip (10K) - DOS Program to write floppy images.
cd030126.zip (2MB) - Bootable CD image with same version and drivers as floppies above.
Previous versions (this uses the old NTFS driver, can try this if the new one won't work):
bd011022.zip (1.4MB - Bootdisk image, date 011022)
sc011022.zip (~700KB) - SCSI-drivers (011022) (only use newest drivers with newest bootdisk, this one works with bd011022)
Mirror(s), in case you have problems getting the files from here.
I cannot guarantee that they are updated or that they haven't changed anything!

ListSoft's mirror
NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.


How to use the floppy
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block. For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:

rawrite2 -f bd??????.bin -d A:
Replace ?????? with version number.

Or from unix:

dd if=bd??????.bin of=/dev/fd0 bs=18k


How to use the CD
Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like, most support writing ISO-images. Often double-clicking on it in explorer will pop up the program offering to write the image to CD. Once written the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this, please consult your CD-software manual or friends.

The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.


Todo:
Bootdisk-scripts & main program still a bit too verbose even when not in verbose mode.
Expansion of hive.





阿土 (土人)
Moderator
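Posted 2005-7-3 09:21
Boot the computer from the floppy you have prepared. It shows a few lines of English, which roughly say that it can change the password of any user (including the Administrator user) and that it has been tested on NT3.51, NT4 Workstation/Server and Windows2000 Professional and Server RC2 (but not on Windows2000 Active Directory Server). Press Enter to continue.
2. After you press Enter the system prompts:
  Do you have you NT disks on a SCSI controller?
  y-this will autoprobe for the driver
  n-no,skip SCSI,I have IDE drivers
After you choose N the system lists all possible NT partitions and then prompts:
  What partition contains your NT installation?
The default is [/dev/hda1], the first disk partition found. Because my Windows2000 is installed on the first partition of the disk, I simply pressed Enter to accept the default.
The system then prompts:
  Select what you want to do:
  1. Set passwords [default]
  2.Edit registry
  Select:[1]
After you choose 1 the system prompts:
  What is the full path to the registry directory?
The default is [winnt/system32/config]
After you press Enter the system lists a large number of files in the winnt/system32/config directory and then prompts:
  Which hive(files) do you want to edit(leave default for password setting,separate multiple names with spaces)
  [sam system security]:
This asks which files you want to edit; normally accept the default by pressing Enter.
A long block of English messages now appears on the screen; ignore it.
The last line is:
  Do you really wish to disable SYSKEY(y/n)[n]
The default is n; normally just press Enter.
The system then prompts:
  Username to change(! to quit,. to list users):[Administrator]
After you press Enter the system prompts:
  Please enter new password or nothing to leave unchanged.
Enter a new password now; after you press Enter the system prompts:
  Do you really wish to change it (y/n)[n]
After you choose y, the system returns to the Username to change(! to quit,. to list users):[Administrator] step, where you can go on to change other users' passwords; finally press "!" to exit.
The system now lists the users whose passwords have been changed and then prompts:
  Write hive files?(y/n)[n]:
After you choose y, the system exits to the # prompt. Restart the computer now and you can log in with the new password.
  The method above was tested successfully on Windows 2000 Professional Simplified Chinese (SP2), Windows 2000 Server Simplified Chinese (SP2), Windows 2000 Advanced Server Simplified Chinese (SP2) and Windows NT Server 3.51 Chinese. I think it should also work on XP!?

III. Statement:

1. This software comes from http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html. I have not changed the original files in any way and the copyright still belongs to the original author; I only made the installer.
2. Most of the "usage instructions" come from http://www.chinaunix.net/bbsjh/23/1638.html. The original text used a CD; considering that most users do not have a CD burner, and that there is no need for a sledgehammer to crack a nut, I adapted it to use a floppy disk.
3. This software may only be used when an administrator has forgotten the password. It must not be used to break into other people's systems illegally; otherwise you bear the consequences yourself.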




