Since MarkM already explained why we shouldn't replace and restore user passwords, I'll try to address how the system prevents us from making those changes.
In Unix, the password hashes were originally stored in /etc/passwd and could be read by anyone. Realizing that this allowed any user to potentially steal passwords, newer Unix systems store the password hashes in /etc/shadow, which is only readable by root.
Windows followed a similar path. In a domain environment, the password hashes of domain users are stored in the SAM registry hive on each domain controller. You're probably already familiar with hives like HKLM and HKCU.
Starting with Windows 2000, the SAM hive is encrypted with a 128-bit password encryption key, which is itself encrypted using the SYSKEY. It should be apparent that since the operating system must read the contents of the hive in order to authenticate users at logon, the encryption key must be saved on the computer somewhere. For more in-depth coverage of the obfuscation techniques that are used, check out SysKey and the SAM.
Windows tries very hard to prevent administrative users from being able to read/write the hashes directly, and normally only lsass.exe running as the SYSTEM user is able to read the hashes.
However, I'm sure you've encountered tools that bypass these protections. For example, fgdump is capable of exporting password hashes from a live system by injecting code into lsass.exe, although that can potentially crash the entire system. And there are a wide variety of bootable tools that can overwrite password hashes when Windows isn't running.
Although it is theoretically possible to replace user passwords, you'll first need to circumvent a wide variety of protections built into the Windows operating system. Any of these methods has the potential to destabilize your system, and they should never be used in a production environment.
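As an added example that is not part of either answer, here is a small Python audit that performs the check the first answer implies for the Unix side: it parses shadow(5) records, classifies each password field (locked, empty, legacy DES/MD5 crypt, or a modern `$id$` scheme), and reports whether the file is readable by users other than root, which is exactly the weakness of the original /etc/passwd layout. The shadow records, hash strings and temporary file names below are constructed for this example, not taken from a real host.

```python
import os
import stat
import tempfile

# Constructed sample of /etc/shadow content for this example (not from a real host).
# Fields: name:hash:lastchanged:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """root:$6$rounds=5000$abcdefgh$ExampleSha512CryptHashValueOnly0000000000000000000000000000000000000000000000000000000:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$exampleSalt$exampleYescryptHashValue:19100:0:99999:7:::
legacy:$1$abcd$exampleMd5CryptHash:15000:0:99999:7:::
guest::19100:0:99999:7:::
bob:!$6$saltsalt$lockedHashValue:19050:0:99999:7:::
"""

# Identifiers used in the $id$ prefix of crypt(3)-style hashes.
HASH_SCHEMES = {
    "1": "md5crypt (weak)",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}


def parse_shadow_line(line):
    """Split one shadow(5) record into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    keys = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
    return dict(zip(keys, parts))


def classify_hash(field):
    """Describe the password field: empty, locked, legacy DES crypt, or a $id$ scheme."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        scheme_id = field.split("$")[1]
        return HASH_SCHEMES.get(scheme_id, "unknown scheme $%s$" % scheme_id)
    return "traditional DES crypt (weak)"


def world_readable(path):
    """True if 'other' has read permission, i.e. any local user can harvest the hashes."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_shadow(path):
    """Return the findings a practitioner would act on for a shadow-style file."""
    findings = []
    if world_readable(path):
        findings.append("%s is world-readable; any user can harvest hashes" % path)
    with open(path) as fh:
        for line in fh:
            if not line.strip():
                continue
            rec = parse_shadow_line(line)
            kind = classify_hash(rec["hash"])
            if kind.startswith("EMPTY"):
                findings.append("%s: empty password field" % rec["name"])
            elif "weak" in kind:
                findings.append("%s: %s" % (rec["name"], kind))
    return findings


def write_sample(mode):
    """Write the constructed sample to a temp file and set its permission bits explicitly."""
    fd, path = tempfile.mkstemp(prefix="shadow-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SHADOW)
    os.chmod(path, mode)  # explicit chmod, so the umask does not decide the outcome
    return path


if __name__ == "__main__":
    # Misconfigured: hashes readable by everyone, as with the original /etc/passwd.
    bad = write_sample(0o644)
    for finding in audit_shadow(bad):
        print("FINDING:", finding)
    # Fixed: only root (and a shadow group, if one is used) can read the file.
    os.chmod(bad, 0o640)
    print("after chmod 640:", audit_shadow(bad))
    os.unlink(bad)
```

On a real system you would point `audit_shadow` at /etc/shadow while running as root; the permission check alone will not flag hashes that are weak, and the hash classification alone will not flag a file that leaks them, so the two checks belong together.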
Best Answer
In Windows XP, right click on the My Computer icon and choose Properties. In the dialog box that opens, choose the Advanced tab. There will now be a User Profiles button. Click that and you should be able to choose your user's profile from a list. Click the Copy To button. On the dialog that opens, there's an option to give other people access to log on to a profile. You have to copy it back and forth a couple times and you need to own two user accounts, but you can use this to tweak a user's profile without knowing their password.

First, copy the other user's profile to the folder your alternate user account would use, taking care to give that account access to log on to the profile. Log on with that account and do whatever you want to the profile. Then, log back on with your original account and delete the user's original profile. Now copy the profile changed by your alt account back to its original location, taking care to give the original user access to the profile again.
If this is for a new computer setup, where the original user has never logged in, you can do this copying your nicely configured profile over the default profile.
It's worth noting that this answer is only any good because you tagged the question windows-xp. The process no longer works on Windows 7, as there are some registry settings that are not handled very well by the copy profile process. Rather than updating the Copy Profile process, Microsoft chose to simply disable the Copy button. You can find hacks to re-enable it, but none of them fix the reason the button was disabled, and so they should be avoided.