http://www.ee.princeton.edu/~xzhu/win2k.html
Windows 2000 Pro Password Recovery
Windows is infamous for its weak security. Frankly, it is riddled with security loopholes. Even with its latest release, Windows 2000 Professional, it is not hard to break into the system as long as you have physical or logical access to the machine and know the right modus operandi.
Required tools to achieve Administrator access without the Administrator password on Win2k:
A) Physical access to the target machine.
B) Read/write access to the system partition. A DOS boot floppy will work for FAT drives; for NTFS drives you will need NTFSDos Pro or an equivalent.
C) One of the many floppy-based programs (e.g., NT Passwd) that can change the Administrator password.
D) Familiarity with the AT command.
E) The ability to log into the target machine. The privilege level of the account does not matter.
Steps:
1. Boot the machine from the read/write floppy (NTFSDos Pro or equivalent) and copy the original SAM file to the floppy. Keep it safe, because this copy is what will put the machine back the way it was.
2. Shut down, then boot from the Administrator-password-changing floppy. Do not turn off syskey; just change the password. Syskey will encrypt the new password the next time Win2k boots, and the system will accept it without complaint.
3. Shut down and boot into Win2k. Log in as Administrator with your new password. Bring up a command prompt and run an AT command like this one:
AT 16:00 /interactive cmd
In this example the NT scheduler is told to bring up an interactive command prompt at 4 pm. Because the job is created while logged in as Administrator, it will run with Administrator privileges. Be sure to set the time about 15 minutes ahead of the current time: you must complete steps 4 and 5 and be logged back in as yourself before the job fires.
4. Shut down the machine and boot from the read/write disk. Copy the original SAM file back to the machine, overwriting the SAM file you had changed. This is why write access is required: you are restoring the machine to its original security state. This works because it is the same way MS repairs registry problems.
5. Shut down and reboot into Win2k. Log in as your normal self and wait for the command prompt to appear. When it does, anything run from that prompt will have administrative rights on the machine.
I'll leave it to the reader to complete the exercise of using the Administrator access to crack the password and/or have whatever other fun you wish.
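From the defender's side, the tell-tale of the procedure above is a scheduler entry that is both interactive and launches a shell, since that entry survives the SAM being restored. The following audit routine is an added example, not part of the original page; the AT lines it checks are constructed and follow the documented AT syntax (AT [\\computer] time [/INTERACTIVE] [/EVERY:... | /NEXT:...] "command").

```python
"""Audit AT-style scheduler entries for the interactive-shell pattern described above."""
import re
from typing import List, Optional

# Program names that give whoever is at the console a command shell.
SHELLS = {"cmd", "cmd.exe", "command.com"}

# AT [\\computer] time [/option ...] command
AT_RE = re.compile(
    r'^\s*AT\s+(?:\\\\(?P<host>\S+)\s+)?(?P<time>\d{1,2}:\d{2})'
    r'(?P<opts>(?:\s+/\S+)*)\s+(?P<cmd>.+?)\s*$',
    re.IGNORECASE,
)

def parse_at(line: str) -> Optional[dict]:
    """Parse one AT command line into its parts; None if it is not an AT line."""
    m = AT_RE.match(line)
    if not m:
        return None
    opts = m.group("opts").split()
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "interactive": any(o.lower() == "/interactive" for o in opts),
        "command": m.group("cmd").strip('"'),
    }

def spawns_shell(command: str) -> bool:
    """True if the program at the head of the command line is a command shell."""
    exe = command.split()[0].lower().rsplit("\\", 1)[-1]
    return exe in SHELLS

def flag_lines(lines: List[str]) -> List[str]:
    """Return the lines that register an interactive job whose program is a shell.
    Such a job hands a console shell to whoever is logged in when it fires,
    running under the scheduler's privileges rather than the user's."""
    hits = []
    for line in lines:
        job = parse_at(line)
        if job and job["interactive"] and spawns_shell(job["command"]):
            hits.append(line)
    return hits

# Constructed sample entries; only the first and third match the pattern.
SAMPLE = [
    'AT 16:00 /interactive cmd',
    'AT 23:00 /every:M,T,W,Th,F "C:\\backup\\nightly.bat"',
    'AT \\\\FILESRV 04:15 /interactive cmd.exe /k',
    'AT 09:00 notepad.exe',
]
```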