Thursday, 28 October 2010

How to Break Into a Windows PC (And Prevent it from Happening to You)


Whether you've forgotten your password or you have a more malicious intent, it's actually extremely easy to break into a Windows computer without knowing the password. Here's how to do it, and how to prevent others from doing the same to you.

There are a few methods for breaking into a computer, each with its own strengths and weaknesses. We'll go through three of the best and most common methods and nail down their shortcomings, so you know which one to use—and how to exploit those weaknesses to keep your own computer secure.

The Lazy Method: Use a Linux Live CD to Get at the Files

If you don't need access to the OS itself, just a few files, you don't need to go through much trouble at all. You can grab any Linux live CD and simply drag and drop files onto a USB hard drive, as you would in any other OS.

How it Works


Just download the live .iso file for any Linux distribution (like the ever-popular Ubuntu) and burn it to CD. Stick it in the computer you want to access and boot up from that CD. Pick "Try Ubuntu" when it comes up with the first menu, and it should take you right into a desktop environment. From here, you can access most of the hard drive just by going to the Places menu in the menu bar and choosing the Windows drive. It should see any NTFS drives just fine.

Note that depending on the permissions of some files, you might need root access. If you're having trouble viewing or copying some files, open up a terminal window (by going to Applications > Accessories > Terminal) and type in gksudo nautilus, leaving the password blank when prompted. You should now have access to everything.

How to Beat it

This method gives you access to the file system, but its main weakness is encryption: even with gksudo, a malicious user still can't read any encrypted files. So, if the owner of the computer (or you) has encrypted their files (or the entire OS), you won't get very far.

Sneaky Command-Line Fu: Reset the Password with the System Rescue CD

If you need access to the operating system itself, the Linux-based System Rescue CD is a good option for breaking in. You'll need to do a bit of command line work, but as long as you follow the instructions closely you should be fine.

How it Works


Just download the .iso file for the System Rescue Live CD and burn it to disc. Boot from the disc and hit the default option when the blue screen comes up. After everything loads and you're presented with a command-line interface, type fdisk -l to see the drives and partitions on your computer. Pick the Windows partition (usually the largest NTFS partition) and note the name, e.g. /dev/sda3.

Then, run the following command:

ntfs-3g /dev/sda3 /mnt/windows -o force

Make sure to replace /dev/sda3 with the partition you noted earlier. Next, cd to your Windows/System32/config directory with this command:

cd /mnt/windows/Windows/System32/config

We want to edit the SAM file in this folder, so type the following command to get a list of users:

chntpw -l SAM

Note the username you want to access, and then type the following command, replacing Whitson Gordon with the username in question.

chntpw -u "Whitson Gordon" SAM

At the next screen, choose the first option by typing the number 1 and hitting Enter. This will clear the user password, making it blank. When it asks you to write hive files, hit y and press Enter. It should say OK, and then you can type reboot to reboot the computer. When you boot into Windows, you'll be able to log in to that user's account without a password.

How to Beat it

Once again, the weakness of this method is that it can't beat encryption. Resetting the password locks you out of the user's encrypted files, so if they've encrypted their entire OS this method is pretty useless. If they've only encrypted a few files, though, you'll still be able to access all the unencrypted ones without a problem.

Brute Force: Crack the Password with Ophcrack

Where encryption defeats the other two methods, this one gives you full access to everything the user can access, including encrypted files, because it recovers the user's actual password instead of bypassing it.

How it Works


We've actually gone through this method before, but it doesn't hurt to have a refresher. All you need to do is download and burn the Ophcrack Live CD (use the Vista version if you're cracking a Windows 7 PC) and boot from it on your computer. It'll take a little bit of time to boot, but eventually it will bring you to a desktop environment and start attempting to crack passwords. This may take a while. You'll see the passwords pop up in the top pane of the window, though, when it finds them (or, if it doesn't find them, it'll notify you). You can then reboot and log in to Windows using those passwords.

How to Beat it

While this method works on encrypted OSes, it can't crack every password out there. To increase your chance of having an uncrackable password, use a complex password longer than 14 characters. The stronger your password, the less likely Ophcrack will be able to figure it out.

There are a lot of methods to break into a Windows computer (in fact, we've featured some of them before), but these are a few of the best and most widely useful. Apart from encryption, very little can stop the first two methods, and on those occasions you have Ophcrack to possibly fall back on. Got your own favorite method for getting into your computer without a password? Share it with us in the comments.
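As an added defensive check that is not part of the original article, the PowerShell audit below looks for the controls the three "How to Beat it" sections (and several commenters) rely on: BitLocker on the system volume, LM hash storage disabled (Ophcrack's tables work against LM hashes, which Windows only stores for passwords of 14 characters or fewer, which is why the 14-character advice matters), and Secure Boot against unsigned boot media. It assumes Windows 8 / Server 2012 or later for Get-BitLockerVolume and Confirm-SecureBootUEFI, an elevated prompt, and the function name Test-OfflineAttackExposure is made up here.

```powershell
# Added audit script, not from the original article. Assumes Windows 8 /
# Server 2012 or later (BitLocker and SecureBoot modules) and an elevated
# PowerShell prompt. Function name is invented for this example.
function Test-OfflineAttackExposure {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)

    $findings = @()

    # 1. Full-volume encryption defeats the Live CD and chntpw methods:
    #    the SAM and user files cannot be read or edited offline.
    try {
        $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection is $($vol.ProtectionStatus) on $OsDrive; offline file access and SAM editing are possible."
        }
    } catch {
        $findings += "Could not read BitLocker state for $OsDrive ($($_.Exception.Message))."
    }

    # 2. LM hash storage. Ophcrack's rainbow tables target LM hashes, which
    #    Windows only computes for passwords of 14 characters or fewer.
    #    NoLMHash = 1 stops them being stored at the next password change.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.NoLMHash -ne 1) {
        $findings += "NoLMHash is not set to 1; LM hashes may be stored for passwords of 14 characters or fewer."
    }

    # 3. Secure Boot rejects unsigned boot media (most rescue CDs). Signed
    #    live media still boot, so pair this with a firmware password and a
    #    fixed boot order, as the comments suggest.
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) {
            $findings += "Secure Boot is disabled; unsigned removable media can boot this machine."
        }
    } catch {
        $findings += "Secure Boot state unavailable (legacy BIOS or non-UEFI firmware)."
    }

    if ($findings.Count -eq 0) {
        'No exposure found for the three methods described.'
    } else {
        $findings
    }
}

Test-OfflineAttackExposure
```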

Send an email to Whitson Gordon, the author of this post, at




One thing I do a LOT is use ERD commander boot cd to reset file permissions of USERS directory files when recovering data off a drive and what not. Is there a similar command on linux live cd?

Btw, I find the ERD commander 'reset permissions' feature works VERY well. Recommended.

I do really recommend that people download and burn Linux CDs. A few of the computers in my house had started to give me trouble, and the guy we sent them to wanted to charge us for recovery + reinstalling the OS. With Linux I'm always able to find the files I want and transfer them to my external USB drive. For the type of computing I do, I would never buy any of that recovery CD crap.

Pop quiz: How can I find out a BIOS password? I mean, how to crack it.. Anyone?

Or boot into a windows 7 install disc, open a command line window and browse to c:\windows\system32 and rename sethc.exe to something else, next make a copy of cmd.exe and call it sethc.exe.

The next time you boot the computer, hit shift 5 times and a command line window with system level privileges will come up and you can change anyone's password.

The only way to prevent this is whole drive encryption using pre-boot authentication.

Boot into Safe Mode, and click the Administrator account. 90% of users don't even know it exists, and therefore don't add a password to it.

On the disk, in the wire, in the air, in the clouds : all data should be ciphered.

Crypto-anarchy. We're getting there.

Why not use 'net user' via the Administrator account in Safe Mode? If you have access to an administrator account in Windows XP or higher you can use the command: 'net user "USERNAME" *' where you can set a new password without knowing the old one :).

What if you have a password protected HD? I mean a password before the OS even boots.

I just set fire to my computer after I log off. It's pretty costly but I've NEVER had my files messed with.

The Konboot ISO boots straight into the operating system bypassing the password screen. How does this work and how can you defend against it? (encrypting?)

Wow, you guys missed the easiest protection... BIOS password and only allow boot off your HDD.

However, nothing is secure if a person has physical access; they may as well just pick up the machine and run off with it.

Alright, can't believe this hasn't been posted yet.

That's why you can't beat my strategy. When you turn off your computer, unscrew the hard drive and take it with you!

And this is why I have BitLocker on all of my hard drives.

Ironically, our lab could have used this information about 4 days ago. Some jerk changed all the passwords on our desktops and we had to call IT to fix all of them.

Three words: Physical Access Control. Like the three cases show, physical access is total access. Even if your data is encrypted. Anybody can just grab everything and work on it later, elsewhere.

And why the heck are you publishing this anyway? You spent a lot of time showing people how to break in, but didn't give much advice on how to protect ourselves (apart from encrypting the OS). Before you say I'm just complaining, I run my Windows 7 with BitLocker - good luck breaking it.

An easy way to beef up your password is to just double it with an extra character in between.

So if your password is:

Make it:

Now you have upgraded to a 17-character password, which will make brute force a lot tougher.

This speaks the truth. I have just accepted that people will get my data if they want it enough. Fortunately, a lot of it is either pirated or useless, so who cares...

Goodness, you guys are taking evil week seriously :)

The ultimate solution: TrueCrypt.

meh. pretty weak. most your readers aren't going to encrypt their drives. shoulda at least mentioned bios password, system password, hard drive password, changing boot order. ya know, the easier stuff...

Use the enabled FireWire bus. It is like directly accessing memory.

Disable FireWire in the BIOS to prevent it.

If someone has broken into my Windows system, it means they are in my home.

I think my last concern is that they are trying to steal my top-secret video game saves. My first concern is putting several slugs of 40 cal ammo into their chest.

All these assume the device is booting from a local disk. What if I'm booting over a network?

Being of dubious moral rectitude myself (only during Halloween and my ex-girlfriend's birthday parties), I approve of evil week.

I would like to request that evil week also encompass the week that Valentine's falls on (because no good ever comes of love).
