Why Can a Password Reset Disk Help You Reset a Windows Password?

As an ordinary PC user, you can easily create a password reset disk on Windows XP/Vista/7 with a CD/DVD or a USB flash drive. When you forget your Windows password, it lets you reset the password without reinstalling Windows. Have you ever used a password reset disk to reset a lost or forgotten Windows password? Do you know why the password reset disk is able to do this? Are you curious?

In fact, the way a password reset disk works is quite interesting. Here is a simple analysis of it.

In Windows XP, when you create a password reset disk the system automatically generates a public/private key pair and a self-signed certificate. The public key is used to encrypt the password of the user account, and the result is stored in the registry key HKEY_LOCAL_MACHINE\SECURITY\Recovery\<SID> (<SID> is the user's SID). The private key is removed from the computer and stored on the floppy disk. In Windows 7, the private key is stored on the floppy disk or USB flash drive as a file named userkey.psw.
But if you try to view the HKEY_LOCAL_MACHINE\SECURITY\Recovery registry key, you will find it is empty: no user SID is present. So where is the user password that was encrypted with the public key? Obviously, with only the private key and no copy of the user account password encrypted by the public key, you cannot recover the account password.
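The key split described in the two paragraphs above, as an added PowerShell illustration that is not Windows' own code: a key pair is generated, the public half encrypts the account password (the part Windows keeps in the registry), and the private half is written to a file that stands in for the reset disk (named like Windows' userkey.psw). The sample password, the temp-file location and the use of RSACryptoServiceProvider with OAEP are assumptions of this example, not details taken from Windows.

```powershell
# Added illustration of the reset-disk key split; this is not Windows' own code.
# The "registry" is a variable holding the public-key-encrypted password and the
# "reset disk" is a temp file named like Windows' userkey.psw.
$Password = 'S3cret-P@ssw0rd'                  # constructed sample account password
$DiskFile = Join-Path $env:TEMP 'userkey.psw'  # stand-in for the removable disk

# 1. Key pair generated when the reset disk is created.
$Rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)

# 2. Public half encrypts the password (OAEP padding). This blob plays the role
#    of the value Windows stores under the account's SID in Recovery.dat.
$EncryptedBlob = $Rsa.Encrypt([Text.Encoding]::UTF8.GetBytes($Password), $true)

# 3. Private half leaves the machine: only the disk file keeps it.
Set-Content -Path $DiskFile -Value $Rsa.ToXmlString($true) -Encoding UTF8
$Rsa.Dispose()

# 4. Recovery at the logon screen: the disk's private key applied to the
#    registry's encrypted copy yields the password.
$KeyFromDisk = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$KeyFromDisk.FromXmlString((Get-Content -Path $DiskFile -Raw))
$Recovered = [Text.Encoding]::UTF8.GetString($KeyFromDisk.Decrypt($EncryptedBlob, $true))
"Recovered from disk + registry blob: $Recovered"

# 5. Either half alone is useless: the blob is opaque without the private key,
#    and a different key pair (for example a newer reset disk) cannot open it.
$OtherKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
try   { $null = $OtherKey.Decrypt($EncryptedBlob, $true); 'unexpected: decrypted with wrong key' }
catch { "Wrong key rejected: $($_.Exception.InnerException.Message)" }

Remove-Item -Path $DiskFile   # a real reset disk would of course be kept
```

Because the machine keeps only the encrypted copy and the disk keeps only the private key, whoever holds the disk holds the means to reset that account, which is why the disk must be stored as carefully as the password itself.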

After some study, we found that the Windows security subsystem process, Lsass.exe, automatically creates a registry hive file (Recovery.dat) while the password reset disk is being created and stores it in the directory C:\Windows\System32\Microsoft\Protect\Recovery. Lsass.exe then loads this Recovery.dat into the registry as HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B.

However, we cannot reach the items under HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B, because Lsass.exe unloads the hive as soon as the password reset disk has been created successfully. We can still inspect its contents in the following way:

Open a command prompt with Administrator privileges and run the following command to start the Registry Editor as Local System (Recovery.dat can only be loaded with Local System credentials):

Psexec -s -i -d regedit

Select the HKLM root key and click File → Load Hive, then navigate to the file C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.
In the following dialog box, give the hive any key name, for example Test. Expand the new subkey and you will see the SID of the current logon account; the (Default) value on the right holds the encrypted copy of that account's password.
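The same inspection, as an added PowerShell audit script rather than the article's regedit steps: it checks whether Recovery.dat exists, loads it with reg.exe's load command instead of the regedit GUI, and lists the account SIDs inside so an administrator can see which accounts have a reset disk outstanding and when the hive was last written. As the article notes, the hive loads only with Local System credentials, so the script has to be launched through psexec -s. The mount name, the script file name and the regex for SIDs are assumptions of this example; nothing here is code from the original article.

```powershell
# Added audit script (not from the original article) covering the steps above.
# It uses "reg.exe load" in place of the regedit GUI; as the article notes,
# Recovery.dat loads only with Local System credentials, so launch it as
#   psexec -s -i powershell.exe -File C:\path\Audit-ResetDisk.ps1
# (the script name and path are assumptions).
$HivePath  = Join-Path $env:SystemRoot 'System32\Microsoft\Protect\Recovery\Recovery.dat'
$MountName = 'ResetDiskAudit'            # any unused key name; the article uses "Test"

function Resolve-Sid([string]$Sid) {
    # Map a SID to DOMAIN\User for readability; local accounts resolve offline.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }
}

if (-not (Test-Path -LiteralPath $HivePath)) {
    'Recovery.dat not found: no password reset disk has been created on this machine.'
    return
}
$Hive = Get-Item -LiteralPath $HivePath
'Recovery.dat present ({0} bytes, last written {1}).' -f $Hive.Length, $Hive.LastWriteTime

# Load the hive under HKLM (same as File -> Load Hive) and list the account SIDs
# it contains; each one is an account whose password can be reset with the
# matching disk, which matters when you inventory where credentials live.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed; run this script as Local System (psexec -s).' }
try {
    Get-ChildItem -Path "HKLM:\$MountName" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-\d+(-\d+)+$' } |
        ForEach-Object {
            # The (Default) value holds the public-key-encrypted password copy.
            $Blob = (Get-ItemProperty -Path $_.PSPath).'(default)'
            [pscustomobject]@{
                Sid        = $_.PSChildName
                Account    = Resolve-Sid $_.PSChildName
                BlobLength = if ($Blob) { $Blob.Length } else { 0 }
            }
        } | Format-Table -AutoSize
}
finally {
    # Release the provider's key handles, then unload so the registry is left as found.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The unload step matters: a hive left mounted under HKLM stays visible to every process on the machine until reboot, which is the opposite of what Lsass.exe does when it unloads Recovery.dat as soon as the disk is written.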

Do you understand now? Remember to store your Windows password reset disk in a safe place. And if you forgot to create a password reset disk in advance, you can try Windows password reset software to reset your Windows password when you have forgotten it.
