Recover Lost Password in Windows Server 2008
I debated whether I was going to even write this article, as I didn’t want people to get the wrong idea. I decided that since some of the information was already available online, and since the information is very useful (when used for good), I would post it. I just ask that you use the information for good as well and not for nefarious reasons. I am not responsible for how this information may be used.
My situation was pretty straightforward. I hadn’t logged into my domain controller (running Windows Server 2008) in about a month, but I tried last night. I was extremely surprised when the password didn’t work. I tried every variation I could think of and nothing worked. I still think that the password was somehow changed or corrupted, but I suppose my memory could be failing as well.
In any event, after hours of trying passwords and other avenues, I was not able to get into the server. I was rapidly approaching the last resort of having to rebuild the machine. I was dreading this because the server was running two other virtual servers that I would also have to rebuild from scratch. Yes, I know I should have had images for all of this (which I am building now), but I didn’t, so let us move on.
I searched and searched and I just couldn’t find much of anything that would actually work. Until this morning, that is. Before I get into the details I want to credit the article that provided me with the solution to my problem.
The solution is a two-stage process. The first stage is preparation and requires PING (Partimage Is Not Ghost), a Linux environment that runs from a bootable disc. You need to download the PING image and burn it to a disc before continuing.
Now that you have the disc ready, here are the steps to follow:
1. Put the disc in your server and boot from it. The process to do this differs by server, but I am sure you can figure it out (or have done it before).
2. The PING Linux environment will load.
3. When the environment is fully loaded, you will receive a “>>” prompt.
4. At the “>>” prompt, type “x” and press the ENTER key. “x” takes you to a command shell rather than launching the PING user interface.
5. At the “PING login:” prompt, type “root” and press the ENTER key.
6. At this point you should be logged into the PING operating system. Now we need to run a few shell commands.
7. Run the following command: fdisk -l | grep NTFS
8. This command lists all the NTFS partitions. As best as you can, note the name of the one that contains the Windows directory.
9. Run the following command: mkdir -p /mnt/windows
10. This command creates a directory called “/mnt/windows” that will be used for mounting the Windows partition.
11. Run the following command: mount -t ntfs-3g /dev/sda3 /mnt/windows
12. This command actually performs the mount. “/dev/sda3” is the name of the device (from step 7) that holds the Windows partition. This was “sda3” for me but may vary for you.
13. Run the following command: cd /mnt/windows/Windows/System32
14. This command changes the current directory to the System32 directory on the Windows partition. Now that the partition has been mounted, you can treat “/mnt/windows” as the root drive of your server, so “/mnt/windows/Windows/System32” is the equivalent of “C:\Windows\System32”.
15. Run the following command: mv Magnify.exe Magnify.bak
16. This command renames the “Magnify.exe” file, which is in the System32 folder.
17. Run the following command: cp cmd.exe Magnify.exe
18. This command, the final one, makes a copy of “cmd.exe” and names it “Magnify.exe”.
19. Remove the disc and reboot.
The steps above make up the first stage, which is really the primary stage. You see, we can’t really (easily) recover the password. The steps above bring you to a point where you will be able to bypass authentication altogether with something akin to a backdoor. Now you see why I started by saying that it should only be used for good.
For the second stage, we need to wait until Windows has booted and you are at the login screen. On this screen you will notice a small icon in the lower left corner of the screen. This is known as the “Ease of Access” feature, which provides accessibility options. Click on this icon to bring up the dialog box. You will notice several different accessibility options, one of them being “Make items on the screen larger (Magnifier)”. This launches a tool called Magnify.exe which is used to make items on the screen larger.
Yes, I said “Magnify.exe”. If you remember from the first stage of this solution, we replaced this tool with cmd.exe (which runs a command prompt). On the “Ease of Access” dialog, select “Make items on the screen larger (Magnifier)” and press the OK button. As you might expect by now, instead of the Magnify tool being launched, you are presented with a command prompt. We have just fully bypassed the Windows Server 2008 authentication. You can run almost anything you can think of from this command prompt, as it is running under the NT AUTHORITY\SYSTEM account. I ran “explorer.exe”, which brought up the task bar. I then went through the normal options to reset the password on the Administrator account and was able to immediately log in with the new password.
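As an added example that is not part of the original post: a small POSIX shell check that an administrator or forensic examiner can run from the same kind of Linux rescue environment, with the Windows partition mounted as in the first stage, to tell whether the Magnify.exe swap described above is present on a disk. The function name, the constructed sample files and the temporary-directory demonstration are assumptions of this example; it also assumes `cmp` from diffutils is installed, and it relies on the fact that the same physical-access, unencrypted-disk conditions that make the trick work also make this offline check possible.

```shell
#!/bin/sh
# Added example (not from the original post): offline check for the
# Magnify.exe/cmd.exe swap, run from a Linux rescue environment with the
# Windows partition mounted, e.g.:
#   check_magnify_swap /mnt/windows/Windows/System32
# Exit status: 0 = no sign of the swap, 1 = swap detected, 2 = bad path.

check_magnify_swap() {
    sys32="$1"
    [ -d "$sys32" ] || { echo "not a directory: $sys32" >&2; return 2; }
    magnify="$sys32/Magnify.exe"
    cmd="$sys32/cmd.exe"
    if [ ! -f "$magnify" ] || [ ! -f "$cmd" ]; then
        echo "Magnify.exe or cmd.exe missing in $sys32" >&2
        return 2
    fi
    found=0
    # The first stage leaves the renamed original behind as Magnify.bak.
    if [ -f "$sys32/Magnify.bak" ]; then
        echo "WARNING: $sys32/Magnify.bak exists (renamed original?)"
        found=1
    fi
    # A genuine Magnify.exe is never byte-for-byte identical to cmd.exe.
    if cmp -s "$magnify" "$cmd"; then
        echo "WARNING: Magnify.exe is identical to cmd.exe"
        found=1
    fi
    if [ "$found" -eq 0 ]; then
        echo "no sign of the Magnify.exe swap in $sys32"
    fi
    return "$found"
}

# Self-demonstration on a constructed directory (no real partition is
# needed); it repeats the mv/cp steps of the first stage inside a tmpdir.
demo_constructed_tree() {
    tmp=$(mktemp -d)
    mkdir "$tmp/System32"
    printf 'constructed magnifier' > "$tmp/System32/Magnify.exe"
    printf 'constructed shell' > "$tmp/System32/cmd.exe"
    check_magnify_swap "$tmp/System32"
    mv "$tmp/System32/Magnify.exe" "$tmp/System32/Magnify.bak"
    cp "$tmp/System32/cmd.exe" "$tmp/System32/Magnify.exe"
    check_magnify_swap "$tmp/System32" || echo "detected, exit status $?"
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then check_magnify_swap "$1"; else demo_constructed_tree; fi
```

Restoring the original is then a matter of moving Magnify.bak back over Magnify.exe from the rescue shell; a clean tree has no Magnify.bak and two distinct binaries.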
One more time I must stress that this information is only being presented to assist those who find themselves in a situation similar to mine. Please do not use this information in an attempt to access a system that you should not have access to.
Fantastic, I didn’t always see exactly what the method above said that I would, but I muddled through and have saved myself from having to rebuild a client’s server.
Thanks so much!
I am very glad the post helped you out. I had a similar issue and that method saved me plenty of work. I definitely did not want to rebuild my server.
Thanks for posting this. I had a server that, like yours, the password got changed by someone and we didn’t yet have an image and hadn’t created any “backdoor” users. We were expecting to have to rebuild it.
My boss was THRILLED when I told him that I had reset the password.
Thanks again!
I am glad to help and happy to see the information used as it was intended. When I ran into the issue I dreaded the amount of work I was going to have to do. It seems like you were in for a similar load. Not to mention that having the boss happy with you is ALWAYS a good thing.
You are great!!!! That’s what I was looking for long back. It worked for my domain controller.
Thanks a lot
Good Solution – Saved me some time, thanks!
I left the April 2, 2010 comment.
I just wanted to say thanks once more. I had a customer forget her password to a Vista machine and the only access was a guest account, which is the same as no access. Your Server 2008 procedure kind of worked; it got me started anyway.
When I ran explorer with my new magnify command prompt, I could not open ANYTHING, including control panel. What I did was use the magnify command prompt to run the net user command and enable the hidden administrator account, then log in as the administrator and reset the password.
The point is, without your trick, that option would have been out and I would have had to rebuild a machine that hadn’t been backed up by the user.
Once more your knowledge has been used for good, not evil!
One other quick note, on step seven I shortened the command to simply fdisk -l and my drive was sda1 this time around.
Thanks!!