Download the latest Ubuntu distribution from www.ubuntu.com and burn it to a CD.
The Bypass Method
Use the CD as a boot disk and load up Ubuntu without installing it onto the hard disk; it can run from the CD. Once loaded, fire up the Terminal and run
In the window that opens, go to 'Settings > Repositories'. In the popup, make sure everything is ticked except 'Source code'. Then close the popup and any warnings and hit 'Reload', a button on the main toolbar. Once that is complete, close the window and head back to the terminal.
sudo apt-get install chntpw
Using this application you can reset the password of any user IF syskey is not installed. First mount the Windows disk: go to Places and click on the disk that holds your Windows installation. Then it's back to the terminal for more command line action.
First navigate to the directory where Windows stores the passwords.
the 'something' being the name of your HDD where Windows is installed. Run the application to see where you stand.
Here is an example of what you might see:
andy@andy-ubuntu:/media/Win7/Windows/System32/config$ chntpw SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x19000 is not 'hbin', assuming file contains garbage at end
File size 262144  bytes, containing 8 pages (+ 1 headerpage)
Used for data: 296/55856 blocks/bytes, unused: 11/42192 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e9 | Andy | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03ed | HomeGroupUser$ | | |
| 03eb | xbox | | |
---------------------> SYSKEY CHECK <----------------------- SYSTEM
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID : 0500 [01f4]
comment : Built-in account for administering the computer/domain
User is member of 1 groups:
00000220 = Administrators (which has 2 members)
Account bits: 0x0211 =
[X] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 1
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] >
So from this you can see the different users and the state of their accounts. To access the Administrator account, first we have to 'Unlock' it with option 3 and then reset the password with option 1. It's apparently not a good idea to type a new password; just do that once you have logged into Windows.
So all is good: go back to Windows, log in as the 'Administrator' and reset the other users' passwords.
However, if the line "Syskey not installed!" in the output above instead reads something like "Syskey is installed", you have to try a different approach.
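The user table and the 'Account bits' value in the listing above can also be read by a script when reviewing which local accounts a machine exposes. The Python below is an added example, not part of the original post or of chntpw; the sample text is constructed from the listing above, and the flag decoding assumes the flags are printed lowest bit first.

```python
import re

# Constructed sample, shaped like the chntpw listing shown above.
SAMPLE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e9 | Andy | ADMIN | |
| 01f5 | Guest | | *BLANK* |
| 03eb | xbox | | |
Account bits: 0x0211 =
"""

# One user row: | RID | name | admin flag | lock/blank flag |
ROW = re.compile(
    r"^\|\s*([0-9a-f]{4})\s*\|\s*([^|]+?)\s*\|\s*([^|\s]*)\s*\|\s*([^|\s]*)\s*\|$",
    re.I)

# Account control bits, lowest bit first, using the labels chntpw prints.
ACB = ["Disabled", "Homedir req.", "Passwd not req.", "Temp. duplicate",
       "Normal account", "NMS account", "Domain trust ac", "Wks trust act.",
       "Srv trust act", "Pwd don't expir", "Auto lockout"]

def parse_users(text):
    """Return one dict per row of the user table; the header row is skipped."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rid, name, admin, lock = m.groups()
            users.append({"rid": int(rid, 16), "name": name,
                          "admin": admin == "ADMIN",
                          "disabled": lock == "dis/lock",
                          "blank": lock == "*BLANK*"})
    return users

def decode_acb(bits):
    """Names of the flags set in an 'Account bits' value."""
    return [name for i, name in enumerate(ACB) if bits & (1 << i)]

def findings(users):
    """Accounts worth a second look: blank passwords and enabled admins."""
    out = []
    for u in users:
        if u["blank"]:
            out.append(f"{u['name']}: blank password")
        if u["admin"] and not u["disabled"]:
            out.append(f"{u['name']}: enabled administrator (RID {u['rid']})")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_users(SAMPLE))))
    print(decode_acb(0x0211))
```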
The Crack Method
Fire up the Terminal
sudo apt-get install ophcrack && sudo ophcrack
This will install and run the application. You will also need to load Firefox; it comes pre-installed and there should be an icon on the bar at the top. Head to ophcrack.sourceforge.net and download the first XP table; they get bigger as you go down, so just start with the first. Save this file to the Windows disk and then install the table from Ophcrack by clicking the 'Tables' button.
Load the encrypted SAM file by clicking the 'Load' button, navigating to the .../Windows/System32/config... folder and clicking 'Choose'.
Again you will see a list of users. You only want to focus on the Admin, so remove the others by clicking on them and pressing delete. (This only removes them from the cracking process; it won't delete the actual user.)
Add the tables you need: if hashes are in the NT column, use the VISTA tables; if the LM hash column has values, use the XP tables.
Select the appropriate table and hit 'Crack' and then sit back and cross your fingers.