[Dshield] Windows Startup Password?

Eric Rosander erosander at matrixns.com
Fri May 10 17:17:42 GMT 2002


Check out SysInternals (http://www.sysinternals.com). They have a lot of
NTFS recovery tools that may at least let you get the data off of those
drives.  The NTFSDOS tool has saved my butt more than once, and looks
like it may do what you are trying with the Linux disk below.  Also
check out NTLocksmith.

On Fri, 2002-05-10 at 08:30, Wayne Beckham wrote:
> I'm trying to use the NTPassword disk and tool - I'm hoping that it's going to help me resurrect a server that's been syskey locked by a disgruntled former employee.  
> 
> Could I bother you with a question?
> 
> The server is an HP Netserver LC2.  When I boot with the Linux disk, everything appears to be running normally until I get to finding the hard drives.  The disk correctly identifies them as Adaptec SCSI (aic:7880: Ultra Single Channel A, SCSI Id=7, 16/255 SCBs), but then when it calls part.rc to select the partition, it gives this response:
> 
> Partitions found on the disks:
>      Device Boot     Start     End     Blocks     Id     System
> cdrom: open failed
> 
> Probable NT Partitions:
> Home=/
> PS1=#
> PS2=>
> TERM=linux
> BOOT_IMAGE=vmlinuz
> PATH=/bin
> vga=1
> ignoreeof=10
> initrd=initrd.gz
> IFS=
> What partition contains your NT installation?
> []:_
> 
> And I don't know what to do next.  How do I answer the question it's asking?
> 
> Wayne Beckham
> 
> >>> JLPowers at cmhmetro.net 05/09/02 09:50 AM >>>
> 
> Sounds like it was SYSKEY'd at some time.
> 
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q143475
> 
> "Windows NT will prompt for the System Key password when the system is
> in the initial startup sequence, but before the system is available for
> users to logon. The System Key password is not stored anywhere on the
> system. An MD5 digest of the password is used as the master key to
> protect the password encryption key."
> 
> > -----Original Message-----
> > From: Wayne Beckham [mailto:wbeckham at co.riverside.ca.us]
> > Sent: Thursday, May 09, 2002 11:22 AM
> > To: list at dshield.org
> > Subject: [Dshield] Windows Startup Password?
> > 
> > 
> > Has anyone run across this and, if so, have any suggestions?
> > 
> > After an employee was terminated a particular server was 
> > found to sprout a "windows startup password."  This is before 
> > reaching the UserId/Password and after Win2K loads.  The 
> > operation appears similar to Blackboard Software's "WinLock" program.
> > 
> > None of the Network services load and the machine is not 
> > accessible from the network.
> > 
> > The machine is an older box, but has critical data for a 
> > particular department.  Normally, I'd grab the drives and 
> > recover them in another PC, but this is a REALLY old machine 
> > and we don't have spare servers laying around.
> > 
> > Any assistance at all would be greatly appreciated.
> > 
> > - Wayne
> > 
> > Wayne Beckham
> > LAN Administrator
> > Riverside County
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www.dshield.org/mailman/listinfo/list
> > 
