How to recover old password?

[chon_]

Well, here's the thing: someone created a user account on XP Pro named TEST1, for some reason she forgot the account's password, so I rebooted in safe mode and login as administrator and deleted the password for this account. Now she wants the password back exactly as it was before (turns out it was her brother's laptop), needless to say none of us knows the password. Is there some file or registry key that stores this passwords?

Edited June 8, 2006 by chon_

[Camarade_Tux]

Indeed there's a reg key. Do you have any registry backup or do you use System Restore ?

(not to restore the whole thing but it may be possible to find a single key)

[chon_]

no, we don't have a registry backup, but I was just thinking about system restore, will resetting the system to a previous state do the job? I think the easier way is to know the exact registry key, but I'll try anything

[sk8er_boi]

Noo, You can't recover that password back at any case. Only u can reset that password with some programs but you have actually deleted it.

[Camarade_Tux]

I have to find a computer with SystemRestore to really help you. (removed with nlite)

In every restore point, there's a specific file for the registry. It is probably possible to open it in a text editor but I'm not sure. MS's notepad will not do the trick since the file is quite big, try with notepad2 or notepad++.

Then, I'll try to find the reg key.

Do you have any time limit for this ?

[chon_]

she wants it for today, although I think it won't be possible, where are the systemrestore registry files stored?

[Camarade_Tux]

C:\SYSTEM VOLUME INFORMATIONS\???\RPnnn\MountPoint*****

??? is the name of a folder I can't remember but it is the only one in System Volume...

RPnnn : nnn is the number of the Restore Point.

MountPoint***** : can't remember the exact name.

And now, the power of regshot.

/brb

[Camarade_Tux]

You may try the default value stored at : HKEY_USERS\{CLSID_of_the_account}\UserAccounts.PassportManager\CLSID.

I'm not sure though.

One thing is that XP can set rights on registry keys and it makes everything harder, not impossible, just longer in fact.

[net_user]

um...have your friend ask her brother what the password is?

and set it....

[janus zeal]

im quite sure its removed when you delete the password on the account.

[allen2]

You simply need to use LC5 (L0phtCrack) on the sam file from the system restore. If the password is easy it should find it after only few hours.

[XP_2600]

allen2 is right in case you want to get just the password, but if its ok to replace the current sam with older sam it will be more easy, here it is the steps:

go to %systemroot%\System Volume Information\_restore{xxxxx-xxxxxx-xxxxx-xxxxx-xxxx}

and then search for your sam file it will be there named to somethingSAM anyway name it back to SAM (without extentions and copy it to %systemroot%\system32\config.

YOU MAY NEED TO CHANGE THE PERMISSIONS OF system volume information before you can access it, also be sure you have show hidden files choose and hide protected system files unchecked.

[pmshah]

For future reference use Passware. It can retrieve absolutely any password on the system except .zip & .rar files. These take practically forever to find.