XP PasswordFreeze

Author Message
TomRiddle

  • Total Posts : 620
  • Scores: 12
  • Reward points : 0
  • Joined: 2/7/2008
  • Location: Australia
  • Status: offline
XP PasswordFreeze Monday, June 14, 2010 2:07 AM (permalink)
0
'XP PasswordFreeze


'backup local account's password on an XP workstation
'Manually reset same account's password and switch users or runas
'restore password on same local account


'Notes:-
'You need to access the registry using "NT AUTHORITY\SYSTEM" credentials
'Use the below snippet as a separate script to launch a CMD prompt
'Run this script from this special CMD prompt. 


'BUG-the name matching script is basic and could match the wrong user,
'i.e. you enter user1 and user12 could be matched instead.
'fixing this is more difficult than what it is worth, you will need to include_
'the user's fullname and description to search string or backup and restore all accounts.


'this is only demo code, if you want to do it manually instead:-
'1. run regedit using system account credentials. 
'2. export the following key [HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\] to reg file
'3. import same file when finished.
'4. there are better ways to backup this part of registry than doing this.


'This script requires that you are local admin of the workstation to start with.
'This script does not crack or reveal any passwords.
'The person that runs this script takes full responsibility for any issues that arise from the use there of.
'The author stipulates that the use of this code is educational use only and also only to use on test bed.


'save this snippet to a separate script. (5 lines, remove rem ticks ')
'it will launch CMD prompt from which you can run "XP PasswordFreeze" under System account
'CMD prompt will take 1 minute to launch. (uses task scheduler)
'If it fails to launch you may have to manually set a scheduled task

   'Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
   'Set objScheduledJob = objWMIService.Get("Win32_ScheduledJob")
   'Set objSWbemDateTime = CreateObject("WbemScripting.SWbemDateTime")
   'objSWbemDateTime.SetVarDate(DateAdd("n", 1, Now()))
   'errReturn = objScheduledJob.Create("CMD", objSWbemDateTime.Value, False, 0, 0, True, intJobID)


'start
   strAdmin=inputbox("Enter local account password on this PC"&vbcrlf&"that you would like to password freeze", "XP PasswordFreeze", "user1")

   strSavedPasswordHash=getAdminPassword(strAdmin)
   if strSavedPasswordHash="Account not found" then
      msgbox "Account not found"
   else
      msgbox "Password hash from "&strAdmin&" has been saved"&vbcrlf&"Manually reset password and switch users or runas"&vbcrlf&vbcrlf&"Click ok to restore password to original"
      msgbox setAdminPassword(strAdmin,strSavedPasswordHash)
   end if


'---------------------------------------------------


function getAdminPassword(strAdmin)

   Const HKEY_LOCAL_MACHINE = &H80000002

   Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}"&_
      "!\\.\root\default:StdRegProv")

   strKeyPath = "SECURITY\SAM\Domains\Account\Users"
   oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

   For Each subkey In arrSubKeys
      if subKey <> "Names" then
         if CheckSAMV(subKey,strAdmin) = true then
            getAdminPassword = ReadSAM(subKey, "F")
            getAdminPassword = getAdminPassword &":"& ReadSAM(subKey, "V")
            exit function
         end if
      end if
   Next

   getAdminPassword = "Account not found"

end function


'---------------------------------------------------


Function CheckSAMV(UserIDKey, strAdmin)
'Registry read SAM return true when Admin account passed is found

   for x=1 to len(strAdmin)
      strMatch=strMatch&mid(strAdmin, x,1)&" "
   next

   strMatch = "  "&strMatch

   Const HKEY_LOCAL_MACHINE=&H80000002

   Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}"&_
      "!\\.\root\default:StdRegProv")

   strKeyPath="SECURITY\SAM\Domains\Account\Users\"&UserIDKey
   strValueName="V"

   oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
   For ibin=lBound(strValue) to uBound(strValue)
      hexResult = hex(strValue(ibin))

      if len(hexResult)=1 then
         hexResult="0" & hexResult
      end if
         
      ASCIKey=ASCIKey & hex2ascii(hexResult)         
      hexKey=hexKey & " " & hexResult
   Next

   if instr(ASCIKey, strMatch) then
      CheckSAMV=true
      on error goto 0
      exit function
   end if

   CheckSAMV=false   

end function


'---------------------------------------------------


Function ReadSAM(UserIDKey, ForV)
'Registry read SAM Password key

   Const HKEY_LOCAL_MACHINE=&H80000002

   Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}"&_
      "!\\.\root\default:StdRegProv")

   strKeyPath="SECURITY\SAM\Domains\Account\Users\"&UserIDKey
   strValueName=ForV

   oReg.GetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue
   For ibin=lBound(strValue) to uBound(strValue)
      hexResult = hex(strValue(ibin))

      if len(hexResult)=1 then
         hexResult="0" & hexResult
      end if

      hexKey=hexKey & " " & hexResult
   Next

   ReadSAM=trim(hexKey)
   
end function


'---------------------------------------------------


function setAdminPassword(strAdmin, SAMFV)

   aSAMFV=split(SAMFV, ":")
   SAMF=aSAMFV(0) : SAMV=aSAMFV(1)

   Const HKEY_LOCAL_MACHINE = &H80000002

   Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}"&_
      "!\\.\root\default:StdRegProv")

   strKeyPath = "SECURITY\SAM\Domains\Account\Users"
   oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

   For Each subkey In arrSubKeys
      if subKey <> "Names" then
         if CheckSAMV(subKey,strAdmin) = true then
            SetAdminPassword = WriteSAM(subKey,SAMF,"F")
            SetAdminPassword = SetAdminPassword & WriteSAM(subKey,SAMV,"V")
            exit function
         end if
      end if
   Next

   SetAdminPassword = "Failed to find account " & strAdmin & " on system" 

end function


'---------------------------------------------------


function writeSAM(UserIDKey,SAMFV,ForV)

   on error resume next

   Const HKEY_LOCAL_MACHINE=&H80000002

   Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}"&_
      "!\\.\root\default:StdRegProv")

   strKeyPath="SECURITY\SAM\Domains\Account\Users\"&UserIDKey
   strValueName=ForV

   SAMFV=replace(SAMFV, " ", "")

   For ibin=1 to len(SAMFV) step 2
      Binary=Binary & "&H" & mid(SAMFV,ibin,2) &","
   next

   binary=left(binary, len(binary)-1)
   'wscript.echo binary
   arrayBinary=split(Binary,",")

   oReg.SetBinaryValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrayBinary

   if err=0 then
      writeSAM = ForV&" Key Restored "
   else
      writeSAM = "Error writing to "&ForV&" Key "   
   end if

   on error goto 0

end function


'---------------------------------------------------


Function hex2ascii(hextext)

   if hextext="00" then hex2ascii=" " : exit function

   For y = 1 To Len(hextext) step 2
      char = chr(cint("&h" & Mid(hextext, y, 2)))
      Value = Value & char
   Next

   hex2ascii = Value

End Function


'---------------------------------------------------
-join([int[]][char[]]'Ut|jwXmjqq%Wzqjx'|%{[char]($_-5)})
 
#1

    Online Bookmarks Sharing: Share/Bookmark

    Jump to:

    Current active users

    There are 0 members and 1 guests.

    Icon Legend and Permission

    • New Messages
    • No New Messages
    • Hot Topic w/ New Messages
    • Hot Topic w/o New Messages
    • Locked w/ New Messages
    • Locked w/o New Messages
    • Read Message
    • Post New Thread
    • Reply to message
    • Post New Poll
    • Submit Vote
    • Post reward post
    • Delete my own posts
    • Delete my own threads
    • Rate post

    2000-2012 ASPPlayground.NET Forum Version 3.9