Today I spent the entire day hacking W2k Server. And I don't mean hacking in the figurative "configuring some services and installing some software" kind of sense, but rather, in the completely literal. While I'm still giddy with rage and triumph, I'm going to write down some of the things that I learned.
So, if you come to this page to partake in my delightfully elitist Ivy League banter, or to read some wonderful things that I have to say about Mr. Tom Lehrer, or just because you think that I'm very adorable, you are well advised to just skip this post and come back tomorrow. If you stay, the usual disclaimer applies: use this info only for good and not for evil, don't break into other people's systems, blah blah blah.
I know that cracking passwords on Windows is oh-so-1998, but sometimes you find yourself locked out of your own server, and you just have no choice. A quick set up: nobody could remember the localadmin password to the terminal server (or maybe the SAM registry file got corrupted, and took the password info along with it), and the server got kicked off the domain, so the domain admin account didn't work either. Here are a few useful hacks to deal with such a situation:
1. Install another instance of Windows Server on that same partition (you might as well - chances are, whatever mess got you to this point will require you to do this eventually anyway), without overwriting your original partition. Boot into the new installation, and browse to the old file system. Rename %\System32\LOGON.SCR to LOGON.SC1 and rename a copy of %\System32\cmd.exe to LOGON.SCR. Boot into the original installation and wait for the screensaver to kick in. When CMD launches in its place, use "net user administrator 123456" to reset the admin password. This hack won't work if your box is not configured with default screensaver settings. (Daniel Petri has more details here.)
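As an added check that is not part of the original post: on a Windows host with PowerShell 4 or later (so not on Windows 2000 itself), this verifies that no screensaver in System32 is the renamed copy of cmd.exe described in hack 1, by comparing file hashes against cmd.exe, reading the embedded version description, and reporting any LOGON.SC1 leftover. The function name and output fields are my own.

```powershell
# Added example, not from the original post. Flags any .scr in System32 whose
# contents match cmd.exe or whose version info describes a command processor,
# i.e. the LOGON.SCR swap from hack 1. Requires PowerShell 4+ for Get-FileHash.
function Test-ScreensaverIntegrity {
    param([string]$System32 = (Join-Path $env:SystemRoot 'System32'))

    $cmdPath = Join-Path $System32 'cmd.exe'
    $cmdHash = (Get-FileHash -Path $cmdPath -Algorithm SHA256).Hash

    Get-ChildItem -Path $System32 -Filter '*.scr' -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $desc = $_.VersionInfo.FileDescription
        $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status

        # A genuine screensaver never hashes identical to cmd.exe, and its
        # FileDescription does not read "Windows Command Processor".
        $suspicious = ($hash -eq $cmdHash) -or ($desc -like '*Command Processor*')

        [pscustomobject]@{
            Name        = $_.Name
            Description = $desc
            Signature   = $sig
            MatchesCmd  = ($hash -eq $cmdHash)
            Suspicious  = $suspicious
        }
    }

    # The swap leaves the original screensaver behind as LOGON.SC1 (or similar);
    # report any such leftover next to the .scr files.
    Get-ChildItem -Path $System32 -Filter 'LOGON.SC?' -File |
        Where-Object { $_.Extension -ne '.scr' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Description = 'possible renamed original screensaver'
                Signature   = ''
                MatchesCmd  = $false
                Suspicious  = $true
            }
        }
}

# Usage: show only the entries that look swapped or left over.
Test-ScreensaverIntegrity | Where-Object Suspicious | Format-Table -AutoSize
```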
2. Creating a Linux boot disc is a very sophisticated and elegant hack. But frankly, who has that kind of patience. If you are desperate, go to this page to read up on it. It also has the files needed to make the boot disc. However, it hasn't been updated in a while, and might lack your particular SCSI drivers. (I know that the page looks somewhat ghetto, but I can vouch for its credibility, and so can somebody over at Harvard IT.)
3. I don't know if you can quite call this one a hack. It's really more like a moment of divine inspiration. If you've tried the above two methods and that login screen is still taunting you, try this: unplug all the network interfaces from the server, and log in using the domain account. If you are lucky, it will log you in using the cached profile (assuming you logged in at least once before). And, once you are in, you can reset the localadmin account, reconnect to the network, and rejoin the domain. (I am not sure why Windows is so asinine - this design defies logic).
If you are curious, all this nonsense started when I rebooted the terminal server this morning, for good measure (it was particularly sluggish this weekend). The OS never loaded, and the server kept power cycling with a corrupt registry error. (This TechNet article lists the steps to correct the registry hive for an XP installation - it's the same thing for w2k, only windows\ becomes winnt\.) I booted up with the w2k disc, trying to get into the recovery console to restore the registry files from the repair directory, but of course I couldn't, since the recovery console requires the localadmin password. A moment of silence, a deep breath, and I'm loading Windows 2003 onto that partition. The w2k file system remained intact, so when I finally got into 2003, I was able to restore the corrupt registry files from backup tapes, and the boot was successful. If you remember your localadmin password, you can use the admin console to get at the files in the repair directory, but they might be really old, and if you have backups, it's probably a good idea to pull those files down instead.
In retrospect, this was lots of fun. But, I wouldn't want to do it ever again.