10-14-2015, 10:03 PM
Sorry, I messed up the location of regback. It's under system32/config.
Using LinuxLite to repair Win 7 password
10-14-2015, 11:27 PM
Ok so I installed chntpw... I was getting the same errors as you...
I was able to get it to work...
TYPE the command into terminal - Don't copy and paste... chntpw -l SAM
I copied and pasted = failed
Manually entered = success
Its the "-" copied its the longer typed its the shorter... Why this makes a difference I don't know...
I retyped and tested the below... It did seem to work...
I'll toss in some screenshots...
Shots:
Failed
![[Image: Yyh0P6m.png]](http://i.imgur.com/Yyh0P6m.png)
Success:
![[Image: O1bKDjl.png]](http://i.imgur.com/O1bKDjl.png)
I was able to get it to work...
TYPE the command into terminal - Don't copy and paste... chntpw -l SAM
I copied and pasted = failed
Manually entered = success
Its the "-" copied its the longer typed its the shorter... Why this makes a difference I don't know...
I retyped and tested the below... It did seem to work...
Code:
chntpw -l SAMCode:
chntpw -u user SAMI'll toss in some screenshots...
Shots:
Failed
Success:
LL4.8 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz - 4GB - AMD Mullins Radeon R2
LL5.8 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL4.8 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express -- Shelved
BACK LL5.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA - Print Server
Running Linux Lite since LL2.2
10-15-2015, 12:01 AM
This thread is fascinating. I'm learning some stuff. Good teamwork here.
Want to thank me? Click my [Thank] link.
10-15-2015, 12:07 AM
(10-15-2015, 12:01 AM)torreydale link Wrote: This thread is fascinating. I'm learning some stuff. Good teamwork here.
I too got giddy when it worked ;)
This is a great little tool, specially combined with a Live USB. I could of used it many times over the years...
LL4.8 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz - 4GB - AMD Mullins Radeon R2
LL5.8 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL4.8 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express -- Shelved
BACK LL5.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA - Print Server
Running Linux Lite since LL2.2
10-15-2015, 08:57 AM
Thanks
Tried what you said
[/code]
colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -l SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e8 | Colin | ADMIN | |
| 01f5 | Guest | | dis/lock |
-------------------------------------------------------------------------------------------
colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -u colin SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e8 | Colin | ADMIN | |
| 01f5 | Guest | | dis/lock |
------------------- SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
Cannot find value <\SAM\Domains\Account\Users\Names\colin\@>
Hives that have changed:
# Name
None!
colin@colin-NC110:/media/sda1/Windows/System32/config$
Tried what you said
[/code]
colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -l SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e8 | Colin | ADMIN | |
| 01f5 | Guest | | dis/lock |
-------------------------------------------------------------------------------------------
colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -u colin SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e8 | Colin | ADMIN | |
| 01f5 | Guest | | dis/lock |
------------------- SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
Cannot find value <\SAM\Domains\Account\Users\Names\colin\@>
Hives that have changed:
# Name
None!
colin@colin-NC110:/media/sda1/Windows/System32/config$
Code:
[font=Verdana][size=78%] not sure where to go n --Concerned about this line ( [/font][/size][font=Verdana][size=x-small]Cannot find value <\SAM\Domains\Account\Users\Names\colin\@>)[/font][/size]
[font=Verdana][size=x-small]
[/font][/size]
[font=Verdana][size=x-small]The problem was created because of a Ransom attack (my own slip up )[/font][/size]
[font=Verdana][size=78%]
[/font][/size]I Learn something new Every Day !
An "example" is worth a 1000 words
10-15-2015, 10:59 AM
> The problem was created because of a Ransom attack
My guess is the attack crippled your user account. At what point are they demanding the ransom? At the Welcome screen? IAC, if I am correct the SAM hive, and perhaps others as well, is corrupted and you must either revert to a restore point, use last known good config, or restore the registry manually the way I described (and maybe not just the SAM file either, though I would start there). Best would be if you keep up to date system images offline. The alternative would be to try to rescue data and settings, if they're not backed up, and then do a fresh install. At least, that's how I would approach it. Perhaps a malware expert would have a lower level way to solve the problem.
My guess is the attack crippled your user account. At what point are they demanding the ransom? At the Welcome screen? IAC, if I am correct the SAM hive, and perhaps others as well, is corrupted and you must either revert to a restore point, use last known good config, or restore the registry manually the way I described (and maybe not just the SAM file either, though I would start there). Best would be if you keep up to date system images offline. The alternative would be to try to rescue data and settings, if they're not backed up, and then do a fresh install. At least, that's how I would approach it. Perhaps a malware expert would have a lower level way to solve the problem.
10-15-2015, 12:45 PM
(10-15-2015, 10:59 AM)paul1149 link Wrote: > The problem was created because of a Ransom attack
My guess is the attack crippled your user account. At what point are they demanding the ransom? At the Welcome screen? IAC, if I am correct the SAM hive, and perhaps others as well, is corrupted and you must either revert to a restore point, use last known good config, or restore the registry manually the way I described (and maybe not just the SAM file either, though I would start there). Best would be if you keep up to date system images offline. The alternative would be to try to rescue data and settings, if they're not backed up, and then do a fresh install. At least, that's how I would approach it. Perhaps a malware expert would have a lower level way to solve the problem.
Seen one once, where it used the web cam took a pic and then locked for ransom (think it was saying from FBI)..
I may still have notes, but it wasn't fun...
Had to create a usb with files, boot to the usb run said files.. scan, scan and scan some more...
I'll see what I can dig up, but some info..
http://www.trendmicro.com/vinfo/us/secur...Ransomware
https://www.f-secure.com/en/web/labs_glo...ransomware
These are samples... Try to nail down which your infected by to properly remove...
Some scanners, some require manual deletion of registry keys...
Back up your stuff first..
May want to try some online scanners through LL on the Windows partition...
LL4.8 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz - 4GB - AMD Mullins Radeon R2
LL5.8 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL4.8 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express -- Shelved
BACK LL5.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA - Print Server
Running Linux Lite since LL2.2
10-15-2015, 03:05 PM
The problem now appears to be that you entered: that line looks like it should read , capitallization is important.
Code:
chntpw -u colin SAMCode:
chntpw -u Colin SAMQuote:| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis/lock |
| 03e8 | Colin | ADMIN | |
| 01f5 | Guest | | dis/lock |
“I have not failed. I’ve just found 10,000 ways that won’t work.” - Thomas Edison
10-15-2015, 04:19 PM
@avj, nice one.. Have noted this in case any of my Win using friends ever get stuck ;)
Upgrades WIP 2.6 to 2.8 - (6 X 2.6 to 2.8 completed on: 20/02/16 All O.K )
Linux Lite 3.0 Humming on a ASRock N3070 Mobo ~ btrfs RAID 10 Install on 4 Disks :)
Computers Early days:
ZX Spectrum(1982) , HP-150 MS-DOS(1983) , Amstrad CPC464(1984) , BBC Micro B+64(1985) , My First PC HP-Vectra(1987)
« Next Oldest | Next Newest »
Users browsing this thread: 1 Guest(s)