How To Break Into A Windows PC (And Prevent It From Happening To You)

Whether you've forgotten your password or you have a more malicious intent, it's actually extremely easy to break into a Windows computer without knowing the password. Here's how to do it, and how to prevent others from doing the same to you.

There are a few methods to breaking into a computer, each with their own strengths and weaknesses. We'll go through three of the best methods, and nail down their shortcomings so you know which one to use—and how to exploit their weaknesses to keep your own computer secure.

The Lazy Method: Use a Linux Live CD to Get at the Files

If you don't need access to the OS itself, just a few files, you don't need to go through much trouble at all. You can grab any Linux live CD and just drag-and-drop files onto a USB hard drive, as you would in any other OS.

How it Works

Just download the live .iso file for any Linux distribution (like the ever-popular Ubuntu) and burn it to CD. Stick it in the computer you want to access and boot up from that CD. Pick "Try Ubuntu" when it comes up with the first menu, and it should take you right into a desktop environment. From here, you can access most of the hard drive just by going to the Places menu in the menu bar and choosing the Windows drive. It should see any NTFS drives just fine.

Note that depending on the permissions of some files, you might need root access. If you're having trouble viewing or copying some files, open up a terminal window (by going to Applications > Accessories > Terminal) and type in gksudo nautilus, leaving the password blank when prompted. You should now have access to everything.

How to Beat it

The main problem with this method (apart from only giving you access to the file system) is that you won't be able to access any encrypted files, even when using gksudo. So, if the owner of the computer has encrypted any of their files (or encrypted the entire OS), you won't get very far.

Sneaky Command-Line Fu: Reset the Password with the System Rescue CD

If you need access to the operating system itself, the Linux-based System Rescue CD is a good option for breaking in. You'll need to do a bit of command line work, but as long as you follow the instructions closely you should be fine.

How it Works

Just download the .iso file for the System Rescue Live CD and burn it to disc. Boot from the disc and hit the default option when the blue screen comes up. After everything loads and you're presented with a command-line interface, type fdisk -l to see the drives and partitions on your computer. Pick the Windows partition (usually the largest NTFS partition) and note the name, e.g. /dev/sda3.

Then, run the following command:

ntfs-3g /dev/sda3 /mnt/windows -o force

Make sure to replace /dev/sda3 with the partition you noted earlier. Next, cd to your Windows/System32/config directory with this command:

cd /mnt/windows/Windows/System32/config

We want to edit the SAM file in this folder, so type the following command to get a list of users:

chntpw -l SAM

Note the username you want to access, and then type the following command, replacing Whitson Gordon with the username in question.

chntpw -u "Whitson Gordon" SAM

At the next screen, choose the first option by typing the number 1 and hitting Enter. This will clear the user password, making it blank. When it asks you to write hive files, hit y and press Enter. It should say OK, and then you can type reboot to reboot the computer. When you boot into Windows, you'll be able to log in to that user's account without a password.

How to Beat it

Once again, the downside to this method is that it's vulnerable to encryption. Since clearing the password requires editing Windows system files, you won't be able to do so if the user has encrypted their entire OS. If they've only encrypted a few files, though, you'll still be able to access all the unencrypted stuff without problem.

Brute Force: Crack the Password with Ophcrack

Where the other two methods are vulnerable to encryption, this method will give you full access to everything the user can access, including encrypted files, since this method relies on finding out the user's password instead of bypassing it.

How it Works

We've actually gone through this method before, but it doesn't hurt to have a refresher. All you need to do is download and burn the Ophcrack Live CD (use the Vista version if you're cracking a Windows 7 PC) and boot from it on your computer. It'll take a little bit of time to boot, but eventually it will bring you to a desktop environment and start attempting to crack passwords. This may take a while. You'll see the passwords pop up in the top pane of the window, though, when it finds them (or, if it doesn't find them, it'll notify you). You can then reboot and log in to Windows using those passwords.

How to Beat it

While this method works on encrypted OSes, it can't crack every password out there. To increase your chance of having an uncrackable password, use something complicated and greater than 14 characters. The stronger your password, the less likely Ophcrack will be able to figure it out.
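The two defences the article gives (full-disk encryption against the live-CD and chntpw methods, and a long password against Ophcrack) can be checked from the Windows side. The script below is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module and an elevated session, and the 14-character threshold it checks comes from the LM hash, which only covers the first 14 characters of a password.

```powershell
# Added defender-side check (not from the original article): reports whether the
# mitigations the article describes are in place on this machine.
# Assumes Windows 8 / Server 2012 or later, the BitLocker module, and an elevated session.

function Get-OfflineAttackExposure {
    $findings = @()

    # 1. Full-disk encryption: defeats the live-CD file copy and the chntpw password
    #    reset, both of which need to read or write the raw NTFS volume.
    $bl = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    }
    if (-not $bl -or $bl.ProtectionStatus -ne 'On' -or $bl.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "System drive $env:SystemDrive is not fully encrypted with BitLocker protection on"
    }

    # 2. LM hash storage: the LM hash covers at most 14 characters, split into two
    #    7-character halves, which is what makes short passwords easy for rainbow tables.
    #    NoLMHash=1 stops Windows from storing LM hashes at all (default since Vista).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.NoLMHash -ne 1) {
        $findings += 'LM hashes may be stored (NoLMHash is not 1)'
    }

    # 3. Enabled local accounts that do not require a password (compare the comment
    #    below about pre-installed XP boxes with a blank Administrator password).
    $blank = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
    foreach ($u in $blank) {
        $findings += "Enabled local account '$($u.Name)' does not require a password"
    }

    # 4. Minimum password length policy, parsed from the 'net accounts' output.
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') {
        $minLen = [int]$Matches[1]
        if ($minLen -lt 15) {
            $findings += "Minimum password length policy is $minLen (article recommends more than 14)"
        }
    }

    if ($findings.Count -eq 0) { 'No exposures found' } else { $findings }
}

Get-OfflineAttackExposure
```

Run it as an administrator on each machine you want to check; any line it prints corresponds to one of the "How to Beat it" sections above.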

There are a lot of methods to break into a Windows computer (in fact, we've featured some of them before), but these are a few of the best and most widely useful. Apart from encryption, very little can stop the first two methods, and on those occasions you have Ophcrack to possibly fall back on. Got your own favourite method for getting into your computer without a password? Share it with us in the comments.


Comments

    No mention of using Active Password Changer on Hiren's Boot CD? Works for me every time I have a customer who can't remember their password.

    It's probably worth noting that "chntpw" is available in the Ubuntu repositories and is accessible from the live CD used in the first example.

    Or if it has XP and is a pre install then it is likely to have the default logon as Administrator and no password.

    Handy if the user added a password to their name and is unaware.

    One word (or is it two?): Kon-boot

    Another example of why you should just encrypt your system drive with TrueCrypt and be done with it.

    Wouldn't password protecting the bios foil all of these methods since they all rely on booting from alternate media?

      If you password protect the BIOS, you'd have to make it impossible to remove the hard drive too. Otherwise it could just be swapped out to another computer.

      Getting through a passworded BIOS is easy. All you have to do is set the clear defaults jumper on the computer.

      I had to do that at work when I couldn't get the root password for a server and the BIOS was passworded.

      When someone has physical access to a computer, it's nearly impossible to keep them out, except for hardware encryption with a good password.

      Except for the fact that you can clear the BIOS password by simply taking out the CMOS battery.

        Doh. Forgot this was an old thread..

        Last edited 30/10/13 11:22 pm

    Here's a few links on articles I have written about easy ways to access a windows computer if you have forgotten your password:

    http://www.techmanhelp.com/blog/how_tos/have_you_forgot_your_windows_xp_password

    and http://www.makeuseof.com/tag/5-tips-to-help-you-reset-a-forgotten-windows-xp-password/

    Related, battery/jumper reset of the BIOS would circumvent any passwords anyway.

    I know that when my friends' laptops have failed in the past I've just simply unplugged the hard drive, put it in an external casing, plugged it into another laptop and had access to all the files.

    I remember the good old days of bypassing the Win 98 passwords... just press esc at the login screen!

    Another tool that works quite well is the ole Winternals Administrator Pack. Make an "Emergency Repair Disk", boot to that, simply use the "Locksmith" to change ANY local Windows password and you're in. (And possibly with access to encrypted files? Or would you even be able to see the OS files to change the password if the whole drive was encrypted?)

    I prefer the Spotmau Powersuite LiveCD - it has a Windows password-blanking feature XD

    When I ran "ntfs-3g /dev/sda3 /mnt/windows -o force"
    the system came back with the error 'NTFS signature is missing. Failed to mount '/dev/sda3': invalid argument.' etc.

    The output of the 'fdisk -l' command says "/dev/sda" has system of "W95 Ext'd (LBA)" instead of NTFS.
    I tried to mount '/dev/sda5', which has its system as NTFS, and the mounting is successful, but it was the system drive my Windows 7 64-bit was installed to.

    How do I mount a W95 file system drive in this case?
    Many thanks!

    Correction, it should be >>>> The output of the 'fdisk -l' command says "/dev/sda3" has system of "W95 Ext'd (LBA)" instead of NTFS.

    Hi there,
    I have resolved my problem by booting up from System Rescue CD but not choosing the default option; instead, I went to system tools/NTResetPassword or something like that, and I found in the end that the system drive was /dev/sda2, as it was bootable.

    Yet to resolve whether my machine was hacked or the password file was corrupted.
    Thanks to everybody for your help and the great information from this site!

    The RemoteUnlock application is a handy way of unlocking a logged in and locked Windows PC. I've used it at work to get into a user's PC who went to lunch (but previously gave permission to install some software).

    It's a big security loophole...
