Impenetrable

How do you get into a Windows box when:

  • all user accounts are locked out,
  • the Administrator password is unknown,
  • the box has no working CD drive, and
  • you’re too cheap to buy any extra hardware to boot from?

The answer, of course, is to spend all weekend learning how network booting works. I had the pleasure (yes, pleasure, for I am weird like that) of this experience. I Googled much, and tried many things that didn’t pan out. I read many guides to PXE booting, TFTP, and such things.

I found the Offline NT Password and Registry Editor, which provides a handy boot disk. After getting it to boot with PXELINUX, I found that it would refuse to mount a “dirty” NTFS partition as writable. Even though it forced Windows to run a disk check, it still didn’t clean up the drive, so there was no way for it to get in and change the Administrator password.

I remembered reading about NTFS-3g, the recently released NTFS filesystem driver for Linux, and how it was far more stable than older attempts to deal with NTFS volumes. It’s included in Knoppix now, so I firmly resolved to figure out how to boot Knoppix over the network.

By this time I had a fully working network boot setup (which involves a combination of a DHCP server, a TFTP server, and the PXELINUX bootloader). Knoppix also requires an NFS server thrown into the mix – although the NT password boot disk is entirely contained in RAM, Knoppix is normally not, so there needs to be a network location where it can find its goodies. Luckily, I found an excellent guide over at BabyTux, which is why I won’t write a full one here. After a little tweaking of the Knoppix boot options, I was watching Knoppix’s familiar colorful boot sequence.

On to the matter at hand – resetting the Administrator password to allow access to the machine. With Knoppix’s support for NTFS-3g, I was able to mount the NTFS partition as writable (although it complained that it was dirty). I downloaded the source code for the NT password utility, but it wouldn’t build – for one, Knoppix doesn’t ship with OpenSSL headers, and there are also some deprecated techniques in the code that were causing GCC 4 to give up. I don’t know much about C, but I did find a diff that someone had posted for this problem. I built the utility on another box, dropped it in Knoppix’s NFS share, and ran it. It worked.

So, the utility successfully changed the Administrator password and unmounted the volume. The fact that the partition was mounted dirty didn’t seem to bother Windows – it booted, chkdsk’d, and rebooted. A quick F8 during boot and I was able to log in as Administrator. And the rest is history.