Introduction: Windows Password Recovery Bootable USB

Have you ever found yourself locked out of your own machine? You just changed your password, and sometime in the night it managed to slip out of your mind and evaporate up in dreamspace?

Perhaps you have relatives or friends that ask you to work on your PC but you do not have access to their passwords, or do not wish to compromise the integrity of the password by asking them for it or blanking it?

Enter the bootable USB stick. The purpose of this guide is to help you build and customize your own bootable USB stick that will allow you to bypass the authentication credentials of Windows machines and, in some cases, Linux and Mac machines as well.

It will not display the credentials, or change them, so it is possible to perform the necessary maintenance tasks without ever having to compromise the credential’s integrity.

Disclaimer
This guide covers the creation and use of a tool that can be very useful to systems administrators, those who work on PCs, and “super users” who forget their passwords or find themselves locked out of their own machines. Like all tools, it can be misused. This guide is provided for educational purposes, and it is both unethical and in some cases very much illegal to use this on any property that is not your own, or without consent of the owner. Please be responsible, and do not misuse the information provided here in good faith to be helpful.

NOTE: some of the tools being used here, namely a utility known as “konboot,” may appear to some antivirus solutions as malicious software. This is a common occurrence with security tools, and often these are false positives. That said, the authors are not affiliated with the makers of konboot and accept no liability for the contents of the program. We will say that we have been using the utility for a few years now and have never experienced any problems or abnormalities related to it.

Step 1: Required Resources Check List

- A USB drive at least 256Mb in size
- A computer or virtual machine with a non-password protected BIOS running Windows
- Administrator privileges on the Windows machine
- A disk manipulation/partitioning/formatting tool (native to Windows)
- A zip file decompressor (native to windows)
- An internet connection
- A text editor

Step 2: Phase I : Formatting the USB Drive

Before we can do anything, we need to make sure our USB drive is emptied of data, formatted to the correct file system type, and marked as active so we can boot from it. We will be using diskpart, a command line utility that comes with Windows.
WARNING: if you have anything of value on the USB drive you wish to keep, it will be erased, so temporarily remove it from the device and place it somewhere else.

-Insert the USB drive into your machine

-Open the windows “run prompt” by pressing and holding the windows key and then simultaneously pressing the “R” key

-Type diskpart into the prompt that appears and press enter

-On systems newer than XP, select run as administrator when the UAC prompt appears

A command prompt should then appear – for the next few steps we will be using the command line utility diskpart to format the USB drive.

Step 3: Phase I : Formatting the USB Drive [cont'd]


NOTE: If at any point the following instructions don’t work for you, it could be because the version of diskpart that came with your Windows OS is older or newer than the one used for this tutorial. Try using the “?” to see the options that most closely match the ones used in this tutorial.

-Type list disk
We are looking for the disk number of your USB drive. The easiest way to tell this is to determine the size of your flash drive and compare it to the attached drives. Depending on how many drives you have attached it could be disk 1 or a higher number like 7.

-Type select disk #
where # is the disk number assigned to your USB drive based on what we determined with the above list command.
This will actually select your USB drive so that the subsequent commands that we run will be affecting your drive

-Type clean
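This clears the drive of any data. Before running it, make sure the disk you selected is the USB drive: clean acts on whichever disk is currently selected.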

-Type create partition primary
This creates a partition we can later format with a file system

-Type list partition
The partition we created should now be listed [most likely as partition 1]

-Type select partition #
This will select the partition number we determined with the above “list” command. All subsequent commands will be performed on this partition.

-Type active
This command will actually mark the partition as “active” which means “bootable” in this context

-Type format fs=fat32 quick
This will format the partition with a file system. It is important that we select FAT16 or FAT32, because these file systems carry no per-user ownership or permissions, unlike newer Windows file systems such as NTFS.

-Type exit
This will close the command line diskpart utility

RESULT: You’ve now successfully wiped and partitioned a bootable usb drive! From this point forward we will be adding the boot loader and image files.

Step 4: Phase II : Installing the Grub4dos Boot Loader

The first thing we’ll want to do is create a working directory to keep all of our project in the same place. This is where you will put all files and downloads related to the project. You can do this anywhere you like, but we chose to do it on the root of the C drive.

-Open an explorer window

-Select a location, and right mouse click > create new folder

-Name the folder something meaningful – we chose to name ours “grub4dos”

-You should now have a working directory located in our case at C:\grub4dos

Now we need to download the grub4dos boot loader and the grubinst program. Both are available on sourceforge.net; the link that we used was the following: http://sourceforge.net/projects/grub4dos/files/

-Download the latest revision of grub4dos and the latest revision of grubinst from the provided link on SourceForge.
NOTE: you will want to download the zip file NOT labeled src – this is the source if you wanted to examine it or compile the utilities from scratch – we are going to use the pre-compiled binaries for our purposes.

-Once you’ve downloaded the compressed files, extract them to our created directory [Windows has built in support for handling zip files, so you can simply open the zip file and copy the contents over to our directory]

-In the grubinst folder we extracted, we will now run the grubinst_gui.exe as administrator [right mouse click the executable > run as administrator].
NOTE: It is important to run it as administrator, or it will not recognize any of the drives attached to the computer.

A modal dialog should now appear! This is the grubinst program. There are 3 logical divisions: the Device Name section, the Options section, and the Restore section. We will only be working with the first two.

Step 5: Phase II : Installing the Grub4dos Boot Loader [cont'd]

-In the Device Name section, select the radio button corresponding to Disk, and choose your disk from the associated drop down. Your disk will most likely appear as hd(#) where # is the same number as your disk was before in diskpart.
WARNING: if you removed the disk between steps and added any other devices before reinserting it, there is a possibility that its disk number has changed. The best way to be sure of the disk number is to note the disk numbers, remove your device, close the program, reinsert the device, and re-launch the program.

-In the options section, check the first checkbox, entitled “Don’t save old MBR to the second sector”

-Press the “install” button

-Press any key when prompted  to close the installation dialog

-Close the grubinst program by pressing the close button [x]

At this point, the grub4dos underlying components are installed, and we simply have to copy a few files over to our USB drive to get the boot loader to work.

-Navigate to the folder in our working directory where you extracted the grub4dos files [in our case it was C:\grub4dos\grub4dos-0.4.4 ] and copy the files titled “grldr” and “menu” [menu.lst] to the root of the USB drive.

RESULT: we have successfully installed a clean grub4dos boot loader to our USB drive and it is now fully bootable into a grub menu! In the next section we will make the appropriate menu entries and add our actual boot images to the drive!

Step 6: Phase III : Configuring Grub4dos and Konboot

For the next phase, we will be adding the boot images required: konboot and memdisk, and we will be making entries to the menu.lst file with a text editor.

First though, konboot comes in two flavors: a free version that supports 32bit OSes, and a paid version that gets updated and supports 32/64bit OSes. Download the file from here: http://www.piotrbania.com/all/kon-boot/

-We are going to take the konboot.img file and place this on the root of our USB drive.
NOTE: There should now be 3 files on the USB drive: grldr, menu.lst, konboot.img

Download the latest syslinux zip file from kernel.org: http://www.kernel.org/pub/linux/utils/boot/syslinux/

-open the downloaded zip file, navigate to the memdisk folder, and copy the file labeled just "memdisk" to the root of the USB drive

Now we’ll need to edit the menu.lst file to properly load and call our image.

-In a text editor, open the menu.lst file located on the root of your USB drive

-Edit the menu.lst file to read as follows:

# This is a sample menu.lst file. You should make some changes to it.
# The old install method of booting via the stage-files has been removed.
# Please install GRLDR boot strap code to MBR with the bootlace.com
# utility under DOS/Win9x or Linux.

color black/cyan yellow/cyan
timeout 30
default /default

title ---===Kon-Boot [for 32/64bit OSes]Phase I===---
kernel /memdisk
initrd /konboot.img

title ---===Kon-Boot Phase II: Boot from HDD===---
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd0)+1
boot

title commandline
commandline

title reboot
reboot

title halt
halt


-In the first “title” section, edit the line that begins with “initrd” and change the image name to match the file name of your image. The line should read something like “initrd /konboot.img”

-Save the file

RESULT: You now have a fully bootable USB drive with entries for konboot and some basic functions such as reboot, halt [shutdown], and commandline to edit the grub4dos entries while in the bootloader.
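
For anyone examining an unknown removable drive, the menu.lst above is a recognisable artifact. The following is an added example, not part of the original guide: a small Python triage helper (the names parse_menu and triage are hypothetical) that parses a grub4dos menu.lst and flags entries that load an image through memdisk, mention Kon-Boot, or remap drives before chainloading. The sample input is constructed from the listing above.

```python
import re
# Constructed sample: the entries from the menu.lst shown in the guide above.
SAMPLE_MENU = """\
timeout 30
title ---===Kon-Boot [for 32/64bit OSes]Phase I===---
kernel /memdisk
initrd /konboot.img
title ---===Kon-Boot Phase II: Boot from HDD===---
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd0)+1
boot
title reboot
reboot
"""

def parse_menu(text):
    """Split a grub4dos menu.lst into (title, [command lines]) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("title"):
            entries.append((line[5:].strip(), []))
        elif entries:  # global settings before the first title are skipped
            entries[-1][1].append(line)
    return entries

def triage(text):
    """Return {title: [findings]} for entries an examiner should look at."""
    report = {}
    for title, cmds in parse_menu(text):
        body = "\n".join(cmds).lower()
        findings = []
        if re.search(r"^kernel\s+\S*memdisk", body, re.M):
            img = re.search(r"^initrd\s+(\S+)", body, re.M)
            findings.append("memdisk loads image: " + (img.group(1) if img else "none"))
        if "konboot" in (title.lower() + " " + body).replace("-", ""):
            findings.append("references Kon-Boot")
        if re.search(r"^map\s+\(hd\d+\)\s+\(hd\d+\)", body, re.M) and "chainloader" in body:
            findings.append("remaps drives and chainloads a hard disk")
        if findings:
            report[title] = findings
    return report

if __name__ == "__main__":
    for title, findings in triage(SAMPLE_MENU).items():
        print(title, "->", "; ".join(findings))
```

The plain reboot entry produces no finding, so the report stays limited to the entries that actually load or chainload something.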

Step 7: Phase IV : Adjusting BIOS Settings

BIOSes vary widely from system to system, but their main purpose remains the same, and there are commonalities between them.

Every BIOS you will encounter has a boot order, and sometimes this can be overridden dynamically at run time. Usually this is accomplished through the F12 key. Sometimes it can be a different function key or possibly the ESC or DEL keys.

In the event that the boot order cannot be overridden at run time, it will be necessary to edit the bios settings temporarily to place the USB controller ahead of the hard drive for boot.

As your computer boots there should be a splash screen, and in some corner of a screen, there is usually a message that will flash telling you which key is used to enter “setup” or something similar.

Once in setup look for a section labeled “boot priority” or “boot order” and follow the onscreen instructions for changing it such that the usb controller is a higher priority than the hard drive.

Unfortunately as mentioned, there is no defined industry standard for this, so procedures will vary. If you continue to have trouble with this, try an internet search using your computer and/or motherboard type and "USB boot" as search terms.

RESULT: After editing the bios or finding the temporary boot order, you should now be able to boot into the grub4dos boot loader menu we’ve just created

Step 8: Phase V : Performing Entry

This phase is the simplest phase! We are going to boot into konboot and allow it to work its magic!

-Turn off your machine

-Insert the flash drive into the machine

-Turn the machine on

-Depending on whether you had the ability to dynamically select the boot device, you might have to press F12 or similar. Select the USB device, or simply wait for grub4dos to boot to the menu.

-Once at the grub4dos menu, select the first konboot entry, denoted as “Phase I”

-Konboot will load, go through its process, and automatically reboot. Once back in the grub4dos menu, simply select “Phase II”, which just boots to the primary hard drive.
NOTE: If you dynamically chose the boot device the first time, you may simply let Windows boot on its own the second time.

-When presented with the Windows logon screen, simply select the user desired, and enter any password you wish [including blank], and press enter.

-You should successfully be logged on as that user

RESULT: You’ve successfully logged into the computer you needed access to, and can now perform maintenance tasks or reset your password as suits your needs.

Step 9: Extension Opportunities

What we’ve done here is only the gateway to the possibilities you can create, and the good news is that the hard part is already done! Grub4dos allows for an extensible collection of booting possibilities! Assuming that you have adequate space available, by simply copying files to the flash drive we’ve prepared you can add additional tools to your collection, such as a portable bootable office suite, a mini windows suite, portable antivirus, file recovery tools, hardware diagnostic tools, and a symphony of other possibilities. There are a lot of great user communities around this type of activity that can help you advance! To see a few of them, check out the additional resource section of this instructable below.

Feeling particularly cavalier? If you have a large flash drive and you want to implement this while still storing files on it, you can create a second partition. Using a partition editor like gparted, you can create two partitions on the device, and place all of your boot files in the second partition. Marking the second partition active, you can then boot from it, but it will not appear in windows! So the first partition with your files will be visible, but the second partition will remain hidden. You may also throw the hidden flag onto the second partition to hide it from BSD UNIXes (such as Mac OSes) and some System V *NIXes as well (such as Ubuntu).

Additional Resources

Booting from USB and User Communities:

Pen Drive Linux: http://www.pendrivelinux.com

Reboot Pro [formerly boot-land]: http://www.reboot.pro

Hak5 forums’ USB Multipass section: http://forums.hak5.org/index.php?s=319ea0ec5aaa1365bea7564bad6026b9&showforum=52