This works wheder its windows 2000 or windows xp or windows xp SP1 or SP2 or windows server 2003. This works even if syskey encryption is employed.

If it is FAT filesystem

Just copy de sam file like stated in de first post to an empty floppy disk and take it home. I’ll tell you what to do with it later. DON’T DELETE THE ORIGINAL SAM FILE. Just remove its attributes. The sam file is a file called SAM with no extension. YOU MUST ALSO GET a file called SYSTEM which is in de same folder as SAM. Both files have no extensions.

If it is NTFS

You have to download a program called NTFSPro. It allows you to read from ntfs drives. The themo version allows read only. The full version is read-write. You use de program to create an unbootable disk (so u will still need anoder bootable disk and an empty disk) that has de required files to access NTFS.

Use de boot disk to get into dos, den use de disks created with ntfspro to be able to access de filesystem, den copy de SAM and SYSTEM files to anoder empty disk to take home.

AT HOME: You have to get a program called SAMInside. It doesn’t matter if it is themo version. SAMInside will open de SAM file and extract all de user account information and deir passwords, includin’ administrator. SAMInside will ask for de SYSTEM file too if de computer you took de SAM file from has syskey enabled. Syskey encrypts de SAM file. SAMInside uses SYSTEM file to decrypt de SAM file. After SAMInside finishes, you still see user accounts and hashes beside them. The hashes are de encoded passwords. Use SAMInside to export de accounts and deir hashes as a pwdump file into anoder program, called LophtCrack. It is currently in version 5, it is named LC5. The previous version, LC4 is just as good. You need de full or cracked version of de program. LC5 uses a brute force method by tryin’ all possible combinations of letters numbers, and unprintable characters to find de correct password from de hashes in de pwdump file imported into it from SAMInside. This process of tryin’ all passwords might take 5 minutes if de password is easy, up to a year if de password is lon’ and hard (really really hard). LC5 howver, unlike LC4, is almost 100 times faster. Both can be configured to try dictionary and common words before usin’ all possible combinations of everythin’. Once de correct password is found, it will display de passwords in clear beside each account, includin’ administrator.

I use this method so many times. I’ve compromised de whole school computer infrastructure. LC4 usually took between 1 second and 10 minutes to find de passwords because dey were common words found in any en’lish dictionary. I haven’t used LC5 yet.

Programs needed:
SAMInside (doesn’t matter which version or if themo)
LC4 or LC5 (lophtcrack)( must be full version)
NTFSPro (doesn’t matter if themo)
Any bootdisk maker