1. Download Windows Password Recovery Tool
2. Windows Vista Password Recovery Usb

Memory Drive Storage Organizer Case - 16/2 USB/SATA/SSD Hard Drive slots. Great for regular and professional users! Secure Anti-Static Foam - 16 small + 2 large slots. Unlike any other software, Windows Password Recovery program is the only tool that can unlock any kind of Windows user accounts such as Microsoft, local, administrator, server controller profiles which all other utilities fails to provide.

This tool requires physical access of course, and there are many things you can do once you have physical access, but this peaked my curiosity.

• World's 1st Windows Password Recovery Software to Reset Windows Administrator & User Password. Free Download Free Download Step 1: Download and install Windows Password Recovery Tool for Mac to your Mac computer, open the software and select your USB flash drive to burn the ISO image.
• Extra Tips: Windows Password Key. As the World’s leading Windows password recovery tool, Windows Password Key does well in removing or resetting password of Windows computer login account. Moreover, the user guide is similar with Windows 10 USB installation.
• Windows 8.1 includes a built-in tool to create a USB recovery drive. Windows will let you know how big the recovery partition is, and you'll need a USB flash drive at least that big. Windows will let you know how big the recovery partition is, and you'll need a USB flash drive at least that big.
• Note: this should work on all versions of Windows, but if you are running Windows 8 or 8.1 and also using a Microsoft Account to login to your computer, you’ll need to reset your Microsoft Account password using a web browser on their web site.

The tool in question: https://www.kickstarter.com/projects/jontylovell/password-reset-key?ref=discovery

Obviously the magic to this piece of hardware is what's contained on it, and if that is true, any usb key could be used to accomplish the same job. I know there are software like Katana and the like that can do similar things.

My question is, does anyone know what this could be running to make this happen? Is it rubber ducky-like (http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe) or something else?

I'm a security professional and penetration tester by trade, but no administrative windows expert and most of my work is done remotely, so I put this out to the on-site guys and the windows experts.

I'm not looking to knock off the product, in fact, I think quite the opposite, its a cool piece of kit and may purchase one for kicks. Just curious if anyone knows whats going on behind the curtain.

efickereficker

6 Answers

Resetting a windows password is not equivalent to recovering a windows password.

Resetting a password

The password can be reset by booting to another operating system and editing the registry hive. This is trivial, and there are many tools which can do it, such as Trinity Recovery Kit. I suspect this USB stick just boots to a version of Linux and runs a few scripts.

In summary: Just write blank password entries into the SAM (which is basically just stored in the registry protected by an ACL so only SYSTEM can access it).

However resetting a windows password denies access to EFS encrypted files and DPAPI encrypted data, since the keys for these are encrypted using a KEK derived from the password. When the user changes their password, they are re-encrypted with the new KEK. Access to EFS and DPAPI resources is lost even if the administrator resets the password.

Recovering a password

A recovered password allows continued access to EFS and DPAPI protected resources. In addition, it may give access to additional resources (e.g. it may be a domain logon).

To recover the password you need a tool like John the Ripper, Lopht or HashCat. Which could also run off a USB stick. Extract the hashes from the SAM, feed them to a cracking program. Then reboot and log in with recovered passwords.

BenBen

The kickstarter page actually gives away the method:

Using the key you can boot the PC into a special admin mode that allows you to view all of the user accounts and reset any password. Quickly regain control of the PC and get back to work.

Basically you reboot the PC with a custom OS located on the USB flash drive itself; from that OS, the relevant files on the disk are modified. The USB device is nothing special: it is just a normal USB flash drive; the 'added value' of this device is purely aesthetic. Downloadable boot images which can do the same thing from a 'normal' USB flash drive can be obtained from various places, e.g. this one.

This password reset method will fail if any of the following holds:

• The boot-on-USB option was deactivated in the BIOS, and a BIOS password was set to prevent reactivation (of course, some BIOS accept 'default passwords', and a BIOS password can be cleared by removing the CMOS battery, which is doable with physical access and a screwdriver).

• The operating system uses disk encryption and requires a password upon boot -- not just as a verification, but because the encryption key is derived from the password (TrueCrypt can do that).

Also, as @Ben explains, a password reset is not recovery: that which was encrypted with a key derived from the old password remains inaccessible.

Thomas PorninThomas Pornin

There have been Windows password reset CDs for some years that let you do this. You can put a slightly modified image on a bootable USB stick. I presume this key simply packages existing software in a pre-packaged key.

The reset CDs do NOT work if the disk is encrypted. All security professionals know that a non-encrypted disk is not safe against an attacker with physical access.

Two popular boot CDs work in completely different ways:

Offline NT Password & Registry Editor - This is actually a bootable Linux system, which can read the Windows file system, and reset a password hash. It works most of the time, but the support for the Security Accounts Manager (SAM) - where Windows stores password hashes - is not perfect. So sometimes it just doesn't work, and risks corrupting the SAM. This is free.

Kon Boot - This boots the Windows system that is password protected, but hot patches it to disable asking you for a password - you just get logged in as administrator automatically. In my experience it is more reliable than the other tool. It is not free, but is quite cheap.

There may be other approaches, in particular based on Windows PE but I'm not familiar with them.

paj28paj28

Password Reset Key seems to contain a modified Windows PE OS. I think it is something similar to PCUnlocker Live CD/USB drive. It's not a completely new thing. There are many freeware such as Rufus, ISO2Disc which allows you install a Windows OS on a USB drive.

I bet the use 'Ultimate Boot CD running BartPE' there was a live cd on the net some time ago this did let you do all these operations.I am sure it will not decrypt the password hash on the fly..It will rather exchange that hash with an own generated... pasword reset like...And will have the same effect.http://obrazki.tnttorrent.info/tnt24.info_German_Police_-_Special_Windows_Boot_CD_ENG_GER_.2218__253984.gif?imageSimilar to this one. this windows live cd was also only some hundred mb. and you could start it also while pc was locked, it made a new start button pop out and gave you access to everything through this.

In windows you can replace 'utilman.exe' with 'cmd.exe' using a windows installer media.

Boot into repair mode and open up a command prompt, CD into C:, go to system32, backup the exe's and replace utilman with cmd.

Restart your computer, click the 'ease of access' button down in the left corner, suddenly, a wild CMD prompt appears with admin rights.

Now you can just change the PW of any user.

protected by Community♦Oct 21 '14 at 9:38

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?

Not the answer you're looking for? Browse other questions tagged passwordswindowsusb-drive or ask your own question.

This tool requires physical access of course, and there are many things you can do once you have physical access, but this peaked my curiosity.

The tool in question: https://www.kickstarter.com/projects/jontylovell/password-reset-key?ref=discovery

Obviously the magic to this piece of hardware is what's contained on it, and if that is true, any usb key could be used to accomplish the same job. I know there are software like Katana and the like that can do similar things.

My question is, does anyone know what this could be running to make this happen? Is it rubber ducky-like (http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe) or something else?

I'm a security professional and penetration tester by trade, but no administrative windows expert and most of my work is done remotely, so I put this out to the on-site guys and the windows experts.

I'm not looking to knock off the product, in fact, I think quite the opposite, its a cool piece of kit and may purchase one for kicks. Just curious if anyone knows whats going on behind the curtain.

efickereficker

6 Answers

Resetting a windows password is not equivalent to recovering a windows password.

Resetting a password

The password can be reset by booting to another operating system and editing the registry hive. This is trivial, and there are many tools which can do it, such as Trinity Recovery Kit. I suspect this USB stick just boots to a version of Linux and runs a few scripts.

In summary: Just write blank password entries into the SAM (which is basically just stored in the registry protected by an ACL so only SYSTEM can access it).

However resetting a windows password denies access to EFS encrypted files and DPAPI encrypted data, since the keys for these are encrypted using a KEK derived from the password. When the user changes their password, they are re-encrypted with the new KEK. Access to EFS and DPAPI resources is lost even if the administrator resets the password.

Recovering a password

A recovered password allows continued access to EFS and DPAPI protected resources. In addition, it may give access to additional resources (e.g. it may be a domain logon).

To recover the password you need a tool like John the Ripper, Lopht or HashCat. Which could also run off a USB stick. Extract the hashes from the SAM, feed them to a cracking program. Then reboot and log in with recovered passwords.

BenBen

The kickstarter page actually gives away the method:

Using the key you can boot the PC into a special admin mode that allows you to view all of the user accounts and reset any password. Quickly regain control of the PC and get back to work.

Basically you reboot the PC with a custom OS located on the USB flash drive itself; from that OS, the relevant files on the disk are modified. The USB device is nothing special: it is just a normal USB flash drive; the 'added value' of this device is purely aesthetic. Downloadable boot images which can do the same thing from a 'normal' USB flash drive can be obtained from various places, e.g. this one.

This password reset method will fail if any of the following holds:

• The boot-on-USB option was deactivated in the BIOS, and a BIOS password was set to prevent reactivation (of course, some BIOS accept 'default passwords', and a BIOS password can be cleared by removing the CMOS battery, which is doable with physical access and a screwdriver).

• The operating system uses disk encryption and requires a password upon boot -- not just as a verification, but because the encryption key is derived from the password (TrueCrypt can do that).

Download Windows Password Recovery Tool

Also, as @Ben explains, a password reset is not recovery: that which was encrypted with a key derived from the old password remains inaccessible.

Thomas PorninThomas Pornin

There have been Windows password reset CDs for some years that let you do this. You can put a slightly modified image on a bootable USB stick. I presume this key simply packages existing software in a pre-packaged key.

The reset CDs do NOT work if the disk is encrypted. All security professionals know that a non-encrypted disk is not safe against an attacker with physical access.

Two popular boot CDs work in completely different ways:

Offline NT Password & Registry Editor - This is actually a bootable Linux system, which can read the Windows file system, and reset a password hash. It works most of the time, but the support for the Security Accounts Manager (SAM) - where Windows stores password hashes - is not perfect. So sometimes it just doesn't work, and risks corrupting the SAM. This is free.

Kon Boot - This boots the Windows system that is password protected, but hot patches it to disable asking you for a password - you just get logged in as administrator automatically. In my experience it is more reliable than the other tool. It is not free, but is quite cheap.

There may be other approaches, in particular based on Windows PE but I'm not familiar with them.

paj28paj28

Password Reset Key seems to contain a modified Windows PE OS. I think it is something similar to PCUnlocker Live CD/USB drive. It's not a completely new thing. There are many freeware such as Rufus, ISO2Disc which allows you install a Windows OS on a USB drive.

I bet the use 'Ultimate Boot CD running BartPE' there was a live cd on the net some time ago this did let you do all these operations.I am sure it will not decrypt the password hash on the fly..It will rather exchange that hash with an own generated... pasword reset like...And will have the same effect.http://obrazki.tnttorrent.info/tnt24.info_German_Police_-_Special_Windows_Boot_CD_ENG_GER_.2218__253984.gif?imageSimilar to this one. this windows live cd was also only some hundred mb. and you could start it also while pc was locked, it made a new start button pop out and gave you access to everything through this.

In windows you can replace 'utilman.exe' with 'cmd.exe' using a windows installer media.

Boot into repair mode and open up a command prompt, CD into C:, go to system32, backup the exe's and replace utilman with cmd.

Restart your computer, click the 'ease of access' button down in the left corner, suddenly, a wild CMD prompt appears with admin rights.

Now you can just change the PW of any user.

protected by Community♦Oct 21 '14 at 9:38

Thank you for your interest in this question. Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).
Would you like to answer one of these unanswered questions instead?

Windows Vista Password Recovery Usb

Not the answer you're looking for? Browse other questions tagged passwordswindowsusb-drive or ask your own question.