Dumping Password Hashes Off A SAM File (XP PRO)

Posted on 2003-03-14
Medium Priority
Last Modified: 2007-12-19
I am running XP Pro and need to recover the admin password. I have a copy of the SAM file and want to run a bruteforce on it. The problem is that it has syskey on it. How would I go about dumping the password hashes off of a SAM file that I have?
Question by: Sim-X

Expert Comment

ID: 8141389
Not gonna happen. If it has syskey, you probably won't be able to crack it.

Try L0phtCrack. With a fast computer, you should have the password in 10 or 20 years.


Author Comment

ID: 8147226
If I had access to an admin account on there, could I dump the password hashes into a log file? Otherwise, can I just delete the SAM file to reset it or just add an account to the SAM file and replace it?

Accepted Solution

sKuLLsHoT earned 300 total points
ID: 8149127
You need this?


Best utility I ever found; it is stopped only when the machine you want to recover was an AD domain server.

Expert Comment

ID: 8193299
There is also a program called pwdump2 written by Todd Sabin that circumvents syskey. Get it at http://www.webspan.net/~tas/pwdump2/

Basically it uses DLL injection to load its own code into the process space of a highly privileged process. Once there, it can make an internal API call that accesses the syskey-encrypted passwords... not even having to decrypt them.

Administrator privilege is required!

This program is more like a highly efficient virus.

Also, you've got to find the process ID (PID) for lsass.exe manually before it will work.
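
The comment above describes code being injected into lsass.exe, which is the behaviour a defender can watch for. The following is an added example, not part of the original thread: it classifies Sysmon-style process events (event IDs 8 and 10). The allowlist, the sample records and the function names are assumptions made for illustration.

```python
# Processes expected to touch lsass.exe on this (hypothetical) host, lowercase.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed Sysmon-style records; every path and value is made up for illustration.
EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\admin\Desktop\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Temp\helper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143A"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Temp\helper.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020

def image_name(path):
    """Return the lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a reason string if the event looks like injection into lsass.exe."""
    if image_name(event.get("TargetImage", "")) != "lsass.exe":
        return None
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return None
    if event.get("EventID") == 8:      # Sysmon CreateRemoteThread
        return "remote thread created in lsass.exe"
    if event.get("EventID") == 10:     # Sysmon ProcessAccess
        access = int(event.get("GrantedAccess", "0x0"), 16)
        # Thread creation plus memory write are the rights an injector needs.
        if access & PROCESS_CREATE_THREAD and access & PROCESS_VM_WRITE:
            return "handle to lsass.exe allows thread creation and memory write"
    return None

def scan(events):
    """Return (index, source image, reason) for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, ev["SourceImage"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```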

LVL 24

Expert Comment

ID: 8509393
> I am running XP Pro and need to recover the admin password.

No, you don't; you need the Install CD for XP.

> I have a copy of the SAM file and want to run a bruteforce on it.

Now, if you were not admin, just how'd you go there?

Use the Install CD like real administrators do, and quit asking how to swipe the passwords of others or your career path will be rather brief.

Expert Comment

ID: 8521625
Sunbow, how do you use the CD to recover the password?

I have had several systems where a user on my network has forgotten the local administrator password for their machine and something has happened where logging into their original limited account is broken. Most people don't like to reinstall when a password to Windows is all that's stopping them... quite a legitimate

Expert Comment

ID: 8632707
As cduke250 mentioned, pwdump2 can pull out the password, then LC4 ( http://www.atstake.com/lc/ ) or the much better John the Ripper ( http://www.openwall.com/john/ ) can still pull it out.

Also, the password reset boot disk that sKuLLsHoT mentioned can definitely work even if syskey is enabled--I've done it many times.


Expert Comment

ID: 8632752
There's also a program called samdump2.exe that works similarly to pwdump2. (Just plain samdump.dll was used with pwdump, but that's different.)

I can't get a URL for it at the moment because of the proxy here at work...


Expert Comment

ID: 10372048
OK dude, the way you do this is you get the SAM file and the SYSTEM file and put them in a program called SAMInside. You then export it in pwdump form. You import it into a program called LC4 and then brute force it.

This is going to take a long time.

