
  • Status: Solved
  • Priority: Medium

SAM FILE on recovery disk

I have the password from the latest NT recovery disk.
I ran the recovery disk on a test machine, and it works fine!
I tried to use the administrator logon and password on the
machine that the recovery disk came from, but it still won't let me log on.
My question is: is there some way the sysadmin disabled the administrator account!? And is there any other way of gaining access?
He has us locked out of our own system. We can't dismiss him till we have full control. Please help! Hurry!
Reinstall NT; that will give you a chance to enter a new password and remove the old password.

If partition is FAT

 1- Rename the files SAM.* to something else, like OLDSAM.*.
    They are usually found under c:\winnt\system32\config directory.
                Ex. sam to oldsam
                    sam.log to oldsam.log
                    sam.sav to oldsam.sav
 2- Reboot the PC. Now the Administrator Password is blank.
    The previous Admin taskbar and settings may be lost but
    who cares. The User profiles should still be the same.
    I would check in User Manager that the User still is a
    member of the proper groups, ex. Power Users/Users.

If the partition is NTFS you can use NTFSDOS to mount the drive from a DOS bootable diskette.

 NTFSDOS available at
He probably renamed his account.

Boot from the NT setup floppies, choose the "Repair" option (hit R when prompted) and insert the Emergency Repair Disc. This will replace the SAM with the one on the ERD, but also the rest of the registry. So hope he didn't change the config of your server after the last ERD update.

Kind regards,
Simon (MCP)

PS: if you can afford to lose config, but not data, and the data is not on a stripe set, just install a new machine with NT Server, hook up the data drive, boot NT and take ownership in NT Explorer... It's that easy. Doesn't work with stripe sets, though, as they are defined in the registry...

I think Derosa's comment would work too, but it depends on how much time you have. If you have enough time to wait for the package, that will be great.
bones030898Author Commented:
If I reinstall NT, will I lose all the profiles or will they still be there?
I need to keep all the data intact, profiles and config.

bones030898Author Commented:
The system is NTFS.
Can't have the server down too long; we have about 2300 customers
depending on it.
The way I understand it, you can't rename the user account
administrator. I've tried on a test machine; can't disable or delete
the account administrator. Would be willing to give 100 more points
for the right solution.
I thought about reinstalling NT but am afraid of losing data
like user profiles and installed services.
Also, theh95, I will give the credit to you if I can have a little reassurance that I won't be left high and dry with a blank machine.
Please help some more, this is really a mess with our sysadmin!
He refuses to give any access to the machine.
If the repair disk was made with rdisk you do get the security or SAM database, as seen in the MS KB document. Your repair disk would have to have been made using the /s option in order to get the SAM and security hives. This may not help you much but will educate you for the future.

RDISK /S and RDISK /S- Options in Windows NT
The information in this article applies to:

Microsoft Windows NT Workstation version 3.5 and 3.51
Microsoft Windows NT Server version 3.5 and 3.51
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0

The RDISK utility included with Windows NT version 3.5 or later has two command line options:




When you use the RDISK /S option, the program skips the initial Create Repair Disk? dialog box and goes directly into saving the configuration.
When you use the RDISK /S- option, the program also skips the Create Repair Disk? dialog box, saves configuration, and then the program quits.


Both of these options also overwrite the saved SAM._ and SECURITY._ registry hives created during initial Windows NT Installation. The default administrator account and password used during Setup is all that is contained in these small files.

If you choose either of the above optional switches, Rdisk copies the entire current SAM and SECURITY database files containing ALL users and groups into the repair directory. On a domain controller containing many hundreds or even thousands of users these files can become very large, which will inhibit the ability to copy them to the emergency repair diskette (ERD).

Microsoft does not recommend using either of these switches on Windows NT Machines that have a large number of users and groups defined in user manager.

As a precaution – you should make a backup copy of the %systemroot%\repair directory to ensure you will still be able to make an emergency repair diskette after running RDISK while using one of the above switches.

Repair Disk Utility Does Not Update SAM and Security Hives
Last reviewed: March 25, 1997
Article ID: Q126464
The information in this article applies to:
Microsoft Windows NT Workstation version 3.5
Microsoft Windows NT Server version 3.5
Microsoft Windows NT Workstation version 3.51
Microsoft Windows NT Server version 3.51
Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0

When you restore the SAM and Security hives from an updated Emergency Repair Disk, the versions that were saved when you installed Windows NT are restored.

Repair Disk Utility (RDISK.EXE) does not save the Windows NT Registry SAM and Security hives.

To avoid losing information in the future, use one of the following methods:

Use Windows NT Backup (NTBACKUP.EXE) and select the option to backup the Registry.
NOTE: Using NTBackup is the only supported method for creating a backup of your system registry.


Back up the Sam.* and Security.* files in the %Systemroot%\System32\Config directory.

Use Regback.exe from the correct version of the Windows NT Resource Kit for the version of NT being used.

Microsoft has confirmed this to be a problem in Windows NT Workstation and Server versions 3.51 and 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.


bones030898Author Commented:
Thank you wayneb, and yes, it was made with rdisk, but not from the command prompt. Will it still have all the data for profiles?
Because when I ran it on the test machine it lost all the usernames and passwords except administrator, but all the profile folders were still there.
In order to have it save the user names and security hives you must use rdisk /s; the /s is for SAM and security hives that will not be backed up with the /s switch. You are in a hard place. I do not want to advise you wrong and have you do the wrong thing; I am not fully familiar with repairing Windows NT and having the profiles and user configs saved during the repair process. Do you have a backup domain controller that you could promote to primary while demoting the primary to backup? Then if you were to have to reinstall you could save the user names and passwords. Do you have a tape backup or some other kind of backup you could restore after NT was repaired or reinstalled?
Somehow there must be a way to pick the lock on NT and gain access to the system. There is a utility called Getadmin that when run from an NT workstation will grant you domain admin status on the network and allow you to fix your problem. But if the hotfix was installed on the server it will not work then. You can find getadmin by doing a search on the web for getadmin.

Here is where getadmin is, or one site with it on it.
If you could gain admin rights on the system you could do something with the password, change it or something.
bones030898Author Commented:
Yeah, it has the hotfix for getadmin.
It does have a tape backup but it has a lock on it too, so I don't actually know what has been backed up.
But if I get admin then I could maybe restore and have it fixed.
What the owner wants is to change all the admin pw's.
And again, thank you :)

BTW, you CAN rename the original Admin account.

Have you tried my solution yet ???

Please let us know ASAP where that gets you, so we can take it from there.

kind regards
I suggest you get a lawyer!  I think what your admin has done is illegal and could be prosecuted on criminal and/or civil grounds!  He may be very willing to help you out if faced with being arrested.
Try l0phtcrack from
You just run this on a local copy of the SAM - either a repair disk or by booting with NTFSDOS,

You can find anyone's username/password this way and, unfortunately, it is sometimes the only way to fix the problem of a disgruntled sysadmin.

If you can't be down long, boot with the NTFSDOS boot disk, copy the SAM database to another location, then bring the server back up. This way you run the L0phtcrack tool on a copy of the SAM, extracting the needed password while the server is still online.

Good luck to you.

- Mike
bones030898Author Commented:
OK, one last time: if I run the ERD with the known pw
(that I extracted with l0phtcrack; it only gave me the administrator pw),
will all the other users still be there and be able to log on
without having to set up all the profiles again?
If I can, mbreuker's answer would be accepted!
Sorry for dragging this on so long.
I guess I wasn't totally clear. I suppose my suggestion was that the ERD was out of date, therefore, although you extracted the Admin password, you couldn't log in with it on the existing system. At least that was my assumption.

The idea is that without doing anything to the operational system, as that might only make matters worse, boot using NTFSDOS on the existing system to get a copy of the SAM, then extract the CURRENT Admin password, or even better, the password for the username of the idiot Administrator (i.e. most Administrators set their own user accounts with Admin rights) as opposed to the Admin password you got from the potentially outdated ERD, and log in as Administrator or idiot to the current server with the newly acquired password.

As long as you don't do anything to the NT server, if you log in as Administrator, you should see all of the user accounts as they were before you were locked out with all profiles, etc. intact. If the Administrator was more malicious than just changing the Administrator password - i.e. he deleted or changed user accounts around, etc. - then you will need to take additional steps.

For instance:
- If he changed user passwords or deleted user accounts then you will need to restore from the ERD or recreate the user accounts (and reset NTFS permissions since the new user account will have a new SID).
- If he deleted or otherwise harmed critical files, you may need to restore from your last "trusted" backup.
- If he screwed with NTFS permissions or changed application settings, again - you may need to do a combination of the above.

Of course legal action, as suggested by bchew,  is always a good recourse. If the administrator has caused harm to your company, he CAN be held legally liable and fear of this may force cooperation. The problem is he knows the system better than you know the system so even if you "break in" you may have more problems than you bargained for. I am an experienced administrator and have taken over servers from other admins in the past and, unfortunately, in all but one case, I reloaded NT from scratch and now, even in the one case I didn't reload, I am now (2 years later) finding an unresolvable problem that makes me wish I had. Cooperation from the admin is the only way to avoid additional hassle.

bones030898Author Commented:
Thank you, mbreuker.
That's what I needed to know.
Submit an answer and you've got it: 300 points.
bones030898Author Commented:
PS: the ERD will change the admin pw back to the known one, right?
In response to your last question - Yes, the ERD SHOULD restore the SAM, therefore the Admin account and password, but as I said, rather than change the current system by restoring a potentially outdated registry and possibly harming the system, try cracking the current password using the methods I have provided and DO try to log in using the actual username of your administrator as a backup just in case the Admin account is renamed or something silly like that. Second option is to restore from the ERD disk and lastly to re-install NT.

P.S. Until you get everything back under your control - physically disconnect any modem or phone lines from the box if there are any. You never know. . .
bones030898Author Commented:
Adjusted points to 300