• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 341
  • Last Modified:

Recover email from a locked xp machine

I have a customer with a PC that he has been locked out of due to a hacker that talked him into running his remote assistance tool.  He has a Windows XP machine with emails on it using an old version of Firefox Thunderbird.

This is all I know and I can't login to the machine.  

It's a desktop computer and I do have a way to at least access the drive from another machine but do not know which folders to access or whether I will run into password issues. What's the best way to recover the email in this case?
  • 2
  • 2
  • 2
  • +6
1 Solution
Patrick BogersDatacenter platform engineer LindowsCommented:
If you can connect to the drive navigate to


Here you grab the PST files and you are good to go.
If you run into password issues just make yourself 'owner' for that folder but i dont expect this to happen.
Ron MalmsteadInformation Services ManagerCommented:
..You could hook up his hard drive as an secondary drive in another computer, browse to the folder where the e-mail is contained..(ie. /../outlook.pst)  ..copy to a USB thumb drive.

If you get any "access denied." messages..  right-click > properties, security tab.. Owner tab, change the owner to you., click apply.  Now open the folder or file.
Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:

It is good that you can url into the server, I believe the user is using Outlook, the location of the email is usually at the link below assuming the user has not changed this like me.

drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook

Copy all the pst, ost or pab files in this location.

Also you might want to copy all the user data and folders from the computer and reinstall the OS, to ensure that the you have clean installation.

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Nick RhodeIT DirectorCommented:
If this is just a local system and not a domain user I would use Offline NT Password Editor


Burn the software to a cd and boot to it.  You can use it to reset the admin or user password and elevate the accounts.  It works for windows xp, vista, 7.  Reset the password and get in there.

This is an ethical hacktool and should only be used for legitimate reasons and good intentions.
I would get a 3rd party USB converter for the locked disk or connect it to a port on a known working machine.

Depending upon what the hacker did,there maybe a poison pill app(format or encrypt) that may run if you boot the machine with a password reset.
Gary CaseRetiredCommented:
I don't recall where Thunderbird's default store folder is -- but it may have been changed anyway, so it's best to search for it.

Since you can access the drive, just search for .sbd and/or .msf files => when you find them, you'll know where the store folder is.

Then just copy the entire store folder ... then just install Thunderbird on a new machine and "point" to that store folder and you'll have all the e-mail recovered.

Note:  If you can't access the files on the drive, you simply need to "Take Ownership" of the drive.    How you do this depends on what OS you're running to do the recovery.   Just ask if you need help.
Don ThomsonCommented:
Thunderbird Mail fold is at
 %USERPROFILE%\Application Data\Thunderbird\Profiles\XXXXXXXX.default\Mail\

If you get to a valid login screen then I don't think the OS is fully compromised.

I would remove the drive from the PC and install it on a second machine as the secondary drive.

First thing is run a virus scan on the entire drive before you do anything else
Second - Make a backup of the drive
Third Put it back in the original machine
If it's XP Home there is not really an administrator user only in PRO
If it's XP Pro then do as NRhode suggested and use the Password reset cd
and blow away the administrative password

IF its XP Home try booting into Safe mode and see if the Administrator user comes up
IF it doesn't then just use the Password reset program to remove the User's password
Marc ZCommented:
Follow @DTHConsulting's recommendations, however I would grab the entire "Profiles" folder, which will ensure you have all the necessary items for a full recovering of mail. I wouldn't just grab the Mail folders.  Your first 3 Experts think you are looking for Outlook emails, and they are giving you wrong information for your problem.

Here is a link to the Thunderbird support pages regarding the Profiles, and the locations, and recovering data from them.

If you don't have physical access to this computer where you can remove the disk, and install either on USB or as second drive in clean computer, you might have more issues like @pgm554 pointed out.  If you are only concerned with the emails, we've given you enough info here to get them.  

If you think you want to try to clean up this machine, my personal recommendation would be to take a full image of the hard drive (back up your data), and fully format and reinstall windows.  It would be faster and better than trying to clean this thing.
Gary CaseRetiredCommented:
"... Your first 3 Experts think you are looking for Outlook emails ..." ==>  I had noticed that as well.   Not sure I'd apply the term "Experts" to those comments :-)
Actually a fast and easy way might just be to get a USB drive ,download a Knoppix live CD and boot the Knoppix OS and copy the files off to the USB drive.

Ron MalmsteadInformation Services ManagerCommented:
Hey Gary .. I didn't say it was outlook.  I used an example "ie"
frugalmuleAuthor Commented:
Thanks for all the input.  I accept the answer provided and would like to expand on this dialog.

Password reset boot disk for xp, vista, win7 http://pogostick.net/~pnh/ntpasswd/bootdisk.html
Password reset boot disk needed for Win 8

I noticed there is also a USB boot image there as well.  How can use that from a USB drive that already has data on it?

Thunderbird mail location:  %USERPROFILE%\Application Data\Thunderbird\Profiles\XXXXXXXX.default\Mail\ not yet tried.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
  • 2
  • +6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now