XP's Built-in Back Door and Its Security Flaw
I put this on some forums, and thought I'd put it here too.
This is the way to get in through the back door M$ put into XP:
Note: Italicized entries are my added comments. Other changes are spelling, grammar and format sorts of ‘corrections’. Oops, the italicised stuff didn't copy italicised. Oh, well . . .
I Forgot My Administrator Password!
by Vic Ferri
Can't Log On to Windows XP? If that’s your only problem, then you probably have nothing to worry about. As long as you have your Windows XP Installation CD, you can get back into your system using a simple but effective method made possible by a little known access hole in Windows XP.
This method is easy enough for newbies to follow – it doesn’t require using the Recovery Console or any complicated commands. And it’s free - I mention that because you can pay two hundred dollars for an emergency download of Winternals ERD with Locksmith which is a utility for unlocking lost Windows passwords. See here: _http://www.winternals.com/products/repairandrecovery/locksmith.asp
ERD is an excellent multi-purpose product, but you should know it is not a necessary one if you have a healthy system and your sole problem is the inability to log on to Windows due to a forgotten password. Not necessary because you can easily change or wipe out your Administrator password for free during a Windows XP Repair. Here’s how, with a step-by-step description of the initial Repair process included for newbies.
Note: See here for an extensive and detailed walkthrough of this Repair process:
_http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897
The article includes pictures of all the screens, and screens 7 and 13 correspond to steps 6 and 10 below, respectively. Keep that in mind.
1. Place your Windows XP Installation CD in your CDROM and start your computer (it’s assumed here that your XP Installation CD is bootable – as it should be - and that you have your BIOS set to boot from CD).
2. Keep your eye on the screen messages for booting to your CD. Typically, it will be “Press any key to boot from CD”. So, press a key.
3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.
4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now.
5. The Licensing Agreement comes next - Press F8 to accept it.
6. The next screen is the Setup screen which gives you the option to do a Repair. It should read something like “If one of the following Windows XP installations is damaged, Setup can try to repair it”. Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.
7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.
8. Shortly after the Copying Files stage, you will be required to reboot. This will happen automatically – you will see a progress bar stating “Your computer will reboot in 15 seconds”.
Note: Let the progress bar run – do not press ENTER to reboot.
9. During the reboot, do not make the mistake of “pressing any key” to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.
Note: the author forgot to mention the two intervening screens; ‘Regional and Language Options’ and the ‘Product Key’ screen, where you (Duh) enter your product key. So have it handy. Then:
10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.
11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.
Note: You can also access other Control Panel items by typing the corresponding .cpl command. I haven’t tried other Command Prompt or Repair Console commands, but I assume some, if not all, will work. Instead of changing the password to an administrator account, you can log into one (see 12 below) and create another administrator account, which can then be deleted for cleanup before exiting the system.
12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for a password. After you’ve made your changes close the windows, exit the command box and continue on with the Repair.
What other arcane commands such as control userpasswords2 might there be?
13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.
I tested the above on Windows XP Pro with and without SP1 and also used this method in a real situation where someone could not remember their password and it worked like a charm to fix the problem. This security hole allows access to more than just user accounts.
You can also access the Registry and Policy Editor, for example. And it's GUI access with mouse control. Of course, a Product Key will be needed to continue with the Repair before you can access the security hole and make the changes, but for anyone intent on gaining access to your system, this would be no problem, with a program called Magic Jellybean Finder.
And in case you are wondering, NO, you cannot cancel install after making the changes and expect to logon with your new password.
Canceling will just result in Setup resuming at bootup and your changes will be lost.
Ok, now that your logon problem is fixed, you should make a point to prevent it from ever happening again by creating a Password Reset Disk. This is a floppy disk you can use in the event you ever forget your log on password. It allows you to set a new password.
Here's how to create one if your computer is NOT on a domain:
· Go to the Control Panel and open up User Accounts.
· Choose your account (under Pick An Account to Change) and under Related Tasks, click "Prevent a forgotten password".
· This will initiate a wizard.
· Click Next, and then insert a blank formatted floppy disk into your A: drive.
· Click Next, and enter your logon password in the password box.
· Click Next to begin the creation of your Password Disk.
· Once completed, label and save the disk to a safe place.
How to Log on to your PC Using Your Password Reset Disk:
· Start your computer and at the logon screen;
· Click your user name and leave the password box blank or just type in anything.
· This will bring up a Logon Failure box and you will then see the option to use your Password Reset Disk to create a new password.
· Click it, to initiate the Password Reset wizard. Insert your Password Reset Disk into your floppy drive and follow the Wizard which will let you choose a new password to use for your account.
Note: If your computer is part of a domain, the procedure for creating a Password Reset Disk is different.
See here for step by step instructions: _http://support.microsoft.com/default.aspx?scid=KB;en-us;306214&
That’s it !
Now for the Security flaw part. This is from the “Windows Secrets” newsletter.
XP passwords rendered useless
By Brian Livingston
Windows XP, which has been marketed by Microsoft as "the most secure version ever," has been found to have a flaw so bone-headed that it renders passwords ineffective as a means of keeping people out of your PC.
Reader Tony DeMartino alerted me to the problem, which all administrators of Windows XP machines should immediately take to heart:
· Anyone with a Windows 2000 CD can boot up a Windows XP box and start the Windows 2000 Recovery Console, a troubleshooting program.
· Windows XP then allows the visitor to operate as Administrator without a password, even if the Administrator account has a strong password.
· The visitor can also operate in any of the other user accounts that may be present on the XP machine, even if those accounts have passwords.
· Unbelievably, the visitor can copy files from the hard disk to a floppy disk or other removable media - something even an Administrator is normally prevented from doing when using the Recovery Console.
This problem is unrelated to a feature of XP that allows an Administrator to set up automatic logon when the Recovery Console is used. Even without the Registry entry that enables this, XP is vulnerable. (For info on that feature, see _support.microsoft.com/?scid=kb;en-us;312149.)
Windows 2000, of course, doesn't allow Recovery Console users to access a hard drive without a password, if one previously existed.
I notified four Microsoft executives of the XP flaw weeks ago, but haven't yet received an official response. There's no Knowledge Base article about it, and there may not even be a good solution to the problem.
When I've spoken with Microsoft security pros about similar problems in the past, they've referred me to a company policy that says, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore."
That's all well and good - but the fact remains that Windows 2000 doesn't allow anyone with an old CD to get password-free access, and Windows XP does.
My recommendation: If you use XP machines in open spaces, put the PCs behind a locked door or put a lock on the PCs themselves. The bad guys know about this flaw, and it's just one more thing for the good guys to protect against.
Note: Be aware, and don’t do anything I wouldn’t do €:-ﻄ
November 5, 2008 at 9:38 AM
Hai guys! I have tried that backdoor and it's working. Only have to follow the instructions correctly.
Thank You,
Regards,
Chiranthaka Sampath Jayakody