Friday, March 4, 2011

Breaking into Windows Using System Rescue CD



Credit to Lifehacker for today's and yesterday's posts about breaking into Windows.


Yesterday's method only works if all you want is access to the files. If you need access to the operating system itself, the Linux-based System Rescue CD is a good option for breaking in. You'll need to do a bit of command-line work, but as long as you follow the instructions closely you should be fine.

Just download the .iso file for the System Rescue Live CD and burn it to disc. Boot from the disc and pick the default option when the blue menu comes up. After everything loads and you're presented with a command-line interface, type fdisk -l to list the drives and partitions on your computer. Pick the Windows partition (usually the largest NTFS partition) and note its device name, e.g. /dev/sda3.

Then, run the following command:

ntfs-3g /dev/sda3 /mnt/windows -o force

Make sure to replace /dev/sda3 with the partition you noted earlier. Next, cd into the Windows/System32/config directory on the mounted partition with this command:

cd /mnt/windows/Windows/System32/config

We want to edit the SAM file in this folder, so type the following command to get a list of users:

chntpw -l SAM

Note the username you want to access, and then type the following command, replacing Whitson Gordon with the username in question.

chntpw -u "Whitson Gordon" SAM

At the next screen, choose the first option by typing the number 1 and hitting Enter. This clears the user's password, making it blank. When it asks whether to write the hive files, type y and press Enter. It should say OK, and then you can type reboot to restart the computer. When you boot into Windows, you'll be able to log in to that user's account without a password.

Once again, the weakness of this method is that it still can't beat encryption. Clearing the password locks you out of any files the user encrypted, and if the whole OS is encrypted the method is pretty much useless. If only a few files are encrypted, though, you'll still be able to access all the unencrypted data without a problem.
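Since encryption is the one thing that defeats this method, here is an added PowerShell check (not from the original post or from Lifehacker) that reports whether the Windows system volume is BitLocker-encrypted with protection actually switched on. It assumes Windows 8 / Server 2012 or later with the BitLocker module and an elevated prompt; the function name is our own.

```powershell
# Added example: audit whether the Windows system volume can be mounted
# and its SAM rewritten from a live CD. Only a fully encrypted volume
# with protection ON blocks that; a suspended volume leaves the clear
# key on disk and is still readable offline.
# Assumes Windows 8+/Server 2012+, the BitLocker module, elevated shell.
function Test-OfflineSamResetExposure {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        # Module missing or not elevated: report Unknown instead of guessing.
        return [pscustomobject]@{
            MountPoint          = $MountPoint
            VolumeStatus        = 'Unknown'
            ProtectionStatus    = 'Unknown'
            KeyProtectors       = @()
            OfflineResetBlocked = $false
            Note                = "Get-BitLockerVolume failed: $($_.Exception.Message)"
        }
    }

    # Key protector types (Tpm, TpmPin, RecoveryPassword, ...) tell you how
    # the volume unlocks; TPM-only still stops the live-CD mount described above.
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $blocked = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')

    if ($blocked) {
        $note = 'OS volume encrypted and protected: offline SAM edit not possible'
    } else {
        $note = 'Unencrypted or suspended: SAM is editable from a live CD'
    }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus.ToString()
        ProtectionStatus    = $vol.ProtectionStatus.ToString()
        KeyProtectors       = $protectors
        OfflineResetBlocked = $blocked
        Note                = $note
    }
}

Test-OfflineSamResetExposure | Format-List
```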
