pabvai


Lost Windows password on an encrypted drive

Decrypt a VeraCrypt drive - lost Windows password. I have a laptop where a user has changed their Windows password and we don't know what that is. The laptop drive is encrypted and I know the password to that and can get past that to Windows. None of the password unlock tools will work. They can't detect the drive due to the encryption. I have taken the drive out, put it in another machine that has VeraCrypt on it and tried to decrypt it that way, but it won't accept the password that otherwise works when the drive is in its original chassis. I'm out of ideas and wondered if there is anything else I can try - or am I at the end of the line? Thanks
McKnife

Decrypting in another system with VeraCrypt does not work, you say... it should! Could you please try VeraCrypt portable as a 2nd test? Put the drive back where it came from, boot a Windows setup stick with added VeraCrypt portable files, open a command prompt (using Shift+F10) and try to decrypt from there.
2nd question: is this machine domain joined? If it ain't, you could possibly use safe mode to get in. Per default, the disabled local administrator account (the built-in one, called "administrator") will be enabled with a blank password in safe mode.
What OS is it?

You could boot through the encryption, boot it into recovery mode, launch CMD from there.

Then copy CMD over utilman

Reboot.

Click your ease of access, this will launch CMD as system.

https://www.technibble.com/bypass-windows-logons-utilman/

Full guide there.

Then use Net user to reset the password :-)
pabvai

ASKER

Hi - thanks for the response. It's Win7.

So, here's where I am with this. Got through encryption by putting in the encryption password. Got into system recovery and can see options like Startup Repair, System Restore, System Image Recovery, Windows Memory Diagnostic and also Command Prompt. Started command prompt and changed to C: then put in the next command to go to windows\system32 - cannot find the path specified. Tried D: - The volume does not contain a recognized file system - tried E: - volume in drive E is recovery... It seems that when I boot from another location/partition or disk, nothing can read the contents of the current Windows location - possibly because of the encrypted disk?
Use diskpart and list the partitions, then see if you can mount it from there. Also, if you can get to C:\, run dir and see if you can get a directory structure.

ASKER

OK - so I tried the following: Safe Mode (it's a standalone laptop) but takes me to the login screen with the original user's name (the one whose password we don't know) - no administrator login option here.

Dir of C: is SYSTEM and it's 199MB - I think it's the E drive that's the encrypted drive at nearly 500GB.
Dir of E - no recognized file system.

Next I have a bootable USB Win7 with added VeraCrypt portable - was able to find what drive letter and execute veracrypt.exe and the VeraCrypt interface came up - did 'Select Device' and was able to select the 500GB OS partition (\device\harddisk0\partition2 E:) and using Volume Tools chose 'Permanently Decrypt', which appears to start running then errors out with 'Operation failed due to one or more of the following - Incorrect password, incorrect volume PIM, incorrect PRF (hash) - Not a valid volume... Source: MountVolume:8090' - this is the same error I got when I took the disk out and put it into another machine that I installed VeraCrypt on...
Apparently the only way to decrypt this is with a rescue disk, if you have one. Someone did it using Linux as an install:

you can use veracrypt on a live linux system to mount your system partition (sda4 in my case), then "dd" the decrypted virtual blockdevice to a safe place, and write it back to disk:

boot a live linux system
install veracrypt
mount system partition using veracrypt (read-only!)
dd if=/dev/mapper/veracrypt1 of=/mnt/somewhere/decrypted.img bs=64M status=progress
unmount veracrypt
dd if=/mnt/somewhere/decrypted.img of=/dev/sda4 bs=64M status=progress
reboot
(Tested on Ubuntu 16.04 Live-Boot with crypted Win10-SSD in UEFI mode)


https://github.com/veracrypt/VeraCrypt/issues/21
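
A guarded form of the two dd steps above, as an added example that is not part of the original post or the linked GitHub issue: it refuses an empty image or one larger than the target, and reads the target back to compare it with the source after each copy. The function names are hypothetical, and GNU dd, cmp and blockdev are assumed to be available on the live system.

```shell
#!/bin/sh
# Added example: guarded copy for the two dd steps (GNU dd and cmp assumed).
# Function names are hypothetical; nothing here comes from VeraCrypt itself.

# Size in bytes of a block device or a regular file.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Copy $1 to $2, then read the target back and compare it with the source.
# Returns 0 = copied and verified, 2 = refused on size, 3 = verify mismatch.
guarded_copy() {
    gc_src=$1
    gc_dst=$2
    gc_size=$(size_of "$gc_src") || return 1
    if [ "$gc_size" -eq 0 ]; then
        echo "refusing: $gc_src is empty (was the volume mounted?)" >&2
        return 2
    fi
    # Writing an image larger than the target would truncate the filesystem.
    if [ -e "$gc_dst" ] && [ "$gc_size" -gt "$(size_of "$gc_dst")" ]; then
        echo "refusing: $gc_src is larger than $gc_dst" >&2
        return 2
    fi
    dd if="$gc_src" of="$gc_dst" bs=64M conv=notrunc,fsync status=none || return 1
    # Compare only the bytes written; the target may be larger than the image.
    if ! cmp -s -n "$gc_size" "$gc_src" "$gc_dst"; then
        echo "verify failed: $gc_dst differs from $gc_src" >&2
        return 3
    fi
    return 0
}

# Usage on the live system, with the paths from the steps above:
#   guarded_copy /dev/mapper/veracrypt1 /mnt/somewhere/decrypted.img
#   (unmount the VeraCrypt volume)
#   guarded_copy /mnt/somewhere/decrypted.img /dev/sda4
```

Keep decrypted.img until the restored system has booted, since the write-back overwrites the only encrypted copy.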

ASKER

I didn't create a rescue disk as we have never really needed them before... The only other way would be creating one from within VeraCrypt that's installed on the laptop - but we can't get into it to do that. It's not a disaster thankfully - but I am wondering about putting a local policy on the laptops where the users cannot change their Windows password - for future reference. Thanks for all the advice - it's also kind of good to know that the encryption is doing its job...
That's incredibly insecure, please don't prevent people from changing their password. I'd use rescue disks in future and consider getting a domain controller.
"but takes me to the login screen with the original user's name (the one whose password we don't know)" - that is not expected. The administrator account should be visible there and I have done that before. Hmm...
What about the other advice using VeraCrypt portable?
Ohhhhh

Click switch user and then use .\administrator

Thanks
Alex

ASKER

There was no solution to this problem - nothing we tried worked. It's still not solved; however, as an alternative, we may have to wipe the machine in question - awaiting management decision on that. So, I want to just close the question please. Thanks for all the suggestions.