Recover Lost Password in Windows Server 2008

I debated whether I was going to even write this article, as I didn’t want people to get the wrong idea.  I decided that, since some of the information was already available online and it is very useful (when used for good), I would post this.  I just ask that you use the information for good as well and not for nefarious reasons.  I am not responsible for how this information may be used.

My situation was pretty straightforward.  I hadn’t logged into my domain controller (running Windows Server 2008) in about a month, but tried last night.  I was extremely surprised when the password didn’t work.  I tried every variation I could think of and nothing worked.  I still think that the password was somehow changed or corrupted, but I suppose my memory could be failing as well.

In any event, after hours of trying passwords and other avenues, I was not able to get into the server.  I was rapidly approaching the last resort of having to rebuild the machine.  I was dreading this because the server was running two other virtual servers that I would also have to rebuild from scratch.  Yes, I know I should have had images for all of this (which I am building now), but I didn’t, so let us move on.

I searched and searched and I just couldn’t find much of anything that would actually work.  Until this morning, that is.  Before I get into the details I want to credit the article that provided me with the solution to my problem.

The solution is a two-stage process.  The first stage is preparation and uses PING (Partimage Is Not Ghost), a Linux environment that boots from a disc.  Download the PING image and burn it to a disc before continuing.

Now that you have the disc ready, here are the steps to follow:

  1. Put the disc in your server and boot off of it.  The process for this differs by server, but I am sure you can figure it out (or have done it before).
  2. The PING Linux environment will load.
  3. When the environment is fully loaded, you will receive a “>>” prompt.
  4. At the “>>” prompt, type “x” and press the ENTER key.  “x” takes you to a command shell rather than launching the PING user interface.
  5. At the “PING login:” prompt, type “root” and press the ENTER key.
  6. At this point you should be logged into the PING operating system.  Now we need to run a few shell commands.
  7. Run the following command:  fdisk -l | grep NTFS
  8. This command lists all the NTFS partitions (the pipe to grep filters the fdisk output down to the NTFS entries).  As best you can, note the device name of the one that contains the Windows directory.
  9. Run the following command:  mkdir -p /mnt/windows
  10. This command creates a directory called “/mnt/windows” that will be used as the mount point for the Windows partition.
  11. Run the following command:  mount -t ntfs-3g /dev/sda3 /mnt/windows
  12. This command actually performs the mount.  “/dev/sda3” is the device (from step 7) that holds the Windows partition; it was sda3 for me but may vary for you.  ntfs-3g is used because the partition must be mounted read-write for the later steps to work.
  13. Run the following command:  cd /mnt/windows/Windows/System32
  14. This command changes the current directory to the System32 directory on the Windows partition.  Now that the partition is mounted, you can treat “/mnt/windows” as the root drive of your server, so “/mnt/windows/Windows/System32” is the equivalent of “C:\Windows\System32”.
  15. Run the following command:  mv Magnify.exe Magnify.bak
  16. This command renames the “Magnify.exe” file in the System32 folder, keeping the original so it can be put back later.
  17. Run the following command:  cp cmd.exe Magnify.exe
  18. This command makes a copy of “cmd.exe” named “Magnify.exe”.
  19. Leave the System32 directory, unmount the partition so the NTFS volume is closed cleanly, then remove the disc and reboot.
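The first stage as a script, added here as an example; it is not part of the original post or of PING.  It wraps the same commands (with the pipe in step 7) in functions that take the mount point as an argument, refuses to swap twice, and adds the two things the walkthrough leaves out: an unmount before reboot and a restore step for afterwards.  The function names, the byte-for-byte check that Magnify.exe is a copy of cmd.exe, and the device argument are my additions; the Windows paths are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original post: scripted first stage plus the
# restore step.  Assumes a Linux live environment with ntfs-3g, run as root.
# Function names and the /mnt/windows mount point are assumptions for
# illustration; the Windows\System32 paths are the standard ones.
set -eu

# Step 7 with the pipe fixed: show NTFS partitions so the caller can pick one.
list_ntfs_partitions() {
    fdisk -l 2>/dev/null | grep -i ntfs
}

# Steps 15-17 against a mounted Windows root.  Refuses to run twice, because a
# Magnify.bak already present means the real Magnify.exe has already been moved
# and running again would back up the cmd.exe copy over it.
swap_magnify() {
    sys32="$1/Windows/System32"
    [ -f "$sys32/cmd.exe" ]       || { echo "no cmd.exe under $sys32" >&2; return 1; }
    [ -f "$sys32/Magnify.exe" ]   || { echo "no Magnify.exe under $sys32" >&2; return 1; }
    [ ! -e "$sys32/Magnify.bak" ] || { echo "Magnify.bak exists; already swapped?" >&2; return 1; }
    mv "$sys32/Magnify.exe" "$sys32/Magnify.bak"
    cp "$sys32/cmd.exe" "$sys32/Magnify.exe"
}

# Put the real Magnify.exe back once the password has been reset, so the login
# screen no longer hands out a SYSTEM shell.
restore_magnify() {
    sys32="$1/Windows/System32"
    [ -f "$sys32/Magnify.bak" ] || { echo "no Magnify.bak under $sys32; nothing to restore" >&2; return 1; }
    mv -f "$sys32/Magnify.bak" "$sys32/Magnify.exe"
}

# True when Magnify.exe is byte-for-byte identical to cmd.exe, i.e. the swap is
# in place.  Doubles as an offline audit check for this trick.
magnify_is_cmd() {
    sys32="$1/Windows/System32"
    cmp -s "$sys32/cmd.exe" "$sys32/Magnify.exe"
}

# Steps 9-19 end to end against a block device: mount, act, sync, unmount.
run_on_device() {
    action="$1"; dev="$2"; mnt=/mnt/windows
    mkdir -p "$mnt"
    mount -t ntfs-3g "$dev" "$mnt"
    case "$action" in
        swap)    swap_magnify "$mnt" ;;
        restore) restore_magnify "$mnt" ;;
        *)       echo "usage: $0 swap|restore /dev/sdXN" >&2; umount "$mnt"; return 1 ;;
    esac
    sync
    umount "$mnt"
}

# Only touch a disk when invoked with arguments; sourcing the file just
# defines the functions.
if [ "$#" -eq 2 ]; then
    run_on_device "$1" "$2"
fi
```

From the PING shell, `sh magnify.sh swap /dev/sda3` replaces steps 9 through 19; after the password has been reset, boot the disc once more and run `sh magnify.sh restore /dev/sda3` to take the backdoor out.  `magnify_is_cmd` is also the one-line check for this trick on any Windows volume you can mount offline.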

The steps above make up the first stage, which is really the primary one.  The password itself is not recovered.  Instead, the steps put the server in a state where authentication can be bypassed altogether through what is, in effect, a backdoor.  Two things follow from that.  First, the backdoor stays in place after you are done: once you are back in, rename Magnify.bak back to Magnify.exe, because until you do, anyone with console access can open a SYSTEM shell from the login screen.  Second, the technique works only because the disk is unencrypted and the machine can be booted from removable media; full-disk encryption such as BitLocker, or a firmware-locked boot order, defeats it.  Now you see why I said at the start that it should only be used for good.

For the second stage, wait until Windows has booted and you are at the login screen.  In the lower left corner of this screen you will notice a small icon.  This is the “Ease of Access” feature, which provides accessibility options.  Click the icon to bring up the dialog box.  You will see several accessibility options, one of them being “Make items on the screen larger (Magnifier)”.  That option launches a tool called Magnify.exe, which enlarges items on the screen.

Yes, I said “Magnify.exe”.  If you remember from the first stage of this solution, we replaced this tool with cmd.exe (which runs a command prompt).  On the “Ease of Access” dialog, select “Make items on the screen larger (Magnifier)” and press the OK button.  As you might expect by now, instead of the Magnify tool being launched you are presented with a command prompt.  We have just fully bypassed the Windows Server 2008 authentication.  You can run almost anything you can think of from this command prompt, because the accessibility tools are launched by the logon process, which runs as NT AUTHORITY\SYSTEM, and the prompt inherits that account.  I ran “explorer.exe”, which brought up the task bar.  I then went through the normal options to reset the password on the Administrator account and was able to immediately log in with the new password.

One more time I must stress that this information is only being presented to assist those who find themselves in a situation similar to mine.  Please do not use this information in an attempt to access a system that you should not have access to.
