Reverse Engineering/Cracking Windows XP Passwords

This page is about cracking (recovering) the passwords on a Windows XP machine, which can be computationally expensive. If you only need to set a new password and do not care about recovering the old one, this guide is not for you; for that, use, for example, the free-software tool Offline NT Password & Registry Editor or a similar program.

Background
Windows XP stores each password as an LM hash and an NTLM (NT) hash when the password is 14 characters or fewer, and as an NT hash only when it is 15 characters or longer (LM storage can also be disabled by policy, in which case only the NT hash is present). The hashes are stored in the SAM file. The SAM file is encrypted and is locked while Windows is running; it is a registry hive that is mounted into the registry at run time, and only the SYSTEM account can read that part of the registry. To get the passwords you therefore shut Windows down, decrypt the SAM file, and crack the hashes. The LM hash is the weak link: the password is upper-cased and split into two 7-character halves that are hashed independently, so with precomputed (rainbow) tables the whole process can take about 15 minutes. An account that has only the NT hash of a long password may be impractical to crack.

The hashes can also be obtained from a running system with software such as pwdump, but it must be run under an account with administrator privileges.

Three ways to reset a Windows password
Note that the methods in this section reset the password rather than recover it. There are two traditional ways to reset a Windows administrator password. The first is to change it while logged on as another account with administrator rights; the second is to use a password reset disk that was created before the password was forgotten. Taking Windows XP as an example:


 * At the Windows XP login prompt, after the password has been entered incorrectly, click the reset option in the login-failed window.


 * Insert the password reset diskette into the computer and click Next.


 * If the diskette is the correct one, Windows XP opens a window prompting for the new password you wish to use.

However, many people do not think about a reset disk until they have already been locked out. The third way, which still avoids reinstalling Windows, is to erase the password with a bootable password reset CD; the vendor of Windows Password Unlocker lists Windows 7/XP/Vista/NT/2000/2003 as supported. Taking Windows Password Unlocker as the example, the steps to create the reset CD are:


 * Download Windows Password Unlocker from the Password Unlocker official site.


 * Unpack the download and locate the .ISO image file it contains. Burn the image onto a blank CD with the burning tool supplied free by Password Unlocker, or with any program that can burn ISO images.


 * Insert the newly created CD into the locked computer and reboot it from the CD drive.


 * When the CD has booted, a window lists all account names (if there are several); select the account whose password you have forgotten and reset it.

Detailed Instructions for the LoginRecovery.com Service

 * Go to http://loginrecovery.com/ and, from the home page, download either the floppy disk image or the CD image. For the floppy image, insert a blank floppy disk into your computer and run the program; a bootable floppy is created. For the CD version, burn the ISO image to a CD with software that specifically burns ISO images (not one that simply copies the .iso onto the disc as a file).


 * Insert the floppy disk or CD into the target computer from which you wish to extract the hashes, then boot the computer. You may need to change the BIOS boot order so that the floppy drive or CD drive is booted from.


 * With the floppy version, some messages appear briefly on the screen and the computer shuts down; the floppy now holds a newly created file, "upload.txt", containing the encrypted password hashes. With the CD version, the encrypted hashes are shown on the screen; copy them by hand into a text file.


 * If you are willing to wait up to 48 hours, or to pay, you can upload the file to the LoginRecovery site and let the service crack it for you. Otherwise, continue reading.


 * The file consists of several two-line entries, one per account. Copy the two lines for the account you want and paste them into this utility to decode them into pwdump format (one line per account: user:RID:LM hash:NT hash:::).


 * Use any of the tools in the following section to crack the pwdump hashes.
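As an added example, not code from the original page, from pwdump or from the LoginRecovery service, the following Python script shows the two ends of the procedure above: the NT hash computation described in the Background section (MD4 over the UTF-16LE encoding of the password, implemented in pure Python so it does not depend on hashlib's legacy MD4 provider) and a parser for the pwdump format that the decoded LoginRecovery output produces, followed by a simple dictionary attack on the NT hashes. The sample hash lines and word list are constructed for the example; the Administrator and Guest hashes are the well-known hashes of "password" and of the empty password, and the account "alice" is generated in the script. The DES-based LM hash is only detected, not computed, to keep the example short.

```python
"""Parse pwdump-format lines and run a dictionary attack on the NT hashes.

Added example for this page; the sample data below is constructed.
"""
import struct

# LM hash pwdump prints when no LM hash is stored (15+ character password,
# or LM storage disabled by policy): it is the LM hash of an empty password.
NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: MD4 of the empty string.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python, so it runs without OpenSSL's legacy provider)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    def rotl(x, n):
        x &= MASK
        return ((x << n) & MASK) | (x >> (32 - n))

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                               # round 1: F, X[i]
            a, b, c, d = d, rotl(a + f(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                               # round 2: G, column order
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + X[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                               # round 3: H, bit-reversed order
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, rotl(a + h(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE password, as a lowercase hex string."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:RID:LM:NT:::' lines into records and flag the weak states."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError("malformed pwdump line: %r" % line)
        lm, nt = parts[2].lower(), parts[3].lower()
        records.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": lm,
            "nt": nt,
            "lm_present": lm != NO_LM_HASH,        # two 7-char halves: cheap to crack
            "empty_password": nt == EMPTY_NT_HASH,
        })
    return records


def crack_nt(records: list, wordlist: list) -> dict:
    """Dictionary attack: hash each candidate once, then look every NT hash up in the table."""
    table = {nt_hash(w): w for w in wordlist}
    found = {}
    for r in records:
        found[r["user"]] = "" if r["empty_password"] else table.get(r["nt"])
    return found


# Constructed sample: a 'password' account with LM present, an empty Guest password,
# and a 15+ character password (no LM hash stored) that is not in the word list.
SAMPLE_PWDUMP = "\n".join([
    "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:%s:%s:::" % (NO_LM_HASH, EMPTY_NT_HASH),
    "alice:1003:%s:%s:::" % (NO_LM_HASH, nt_hash("correct-horse-battery-staple")),
])
WORDLIST = ["123456", "password", "letmein", "Password1"]

if __name__ == "__main__":
    recs = parse_pwdump(SAMPLE_PWDUMP)
    for r in recs:
        print("%-14s LM present: %-5s empty: %s" % (r["user"], r["lm_present"], r["empty_password"]))
    print(crack_nt(recs, WORDLIST))
```

The `lm_present` flag is what a practitioner checks first: an account whose LM field is not the AAD3B435... sentinel can be broken half by half with rainbow tables regardless of the NT hash, whereas "alice" above leaves only the unsalted NT hash to attack, which is why the Background section warns that long passwords may be impractical to recover.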