Hey guys, I need your help on this one as I'm running out of options…
I am working on a case where I need to restore an imaged server in a VM so that investigators and forensic accountants can dig through some accounting software and retrieve relevant information. The server is Windows 2008 Standard x64 and it was imaged in E01 format.
Using Mount Image Pro, VFC and VMware, I was able to create a VM from the image file. I had to tweak it a bit to work around some 0x7B BSOD, but I was finally able to get it to boot.
The next hurdle was logging into the server, as I did not have any credential information. So I used Ophcrack with the Rainbow Tables to crack the Administrator password, which worked. So I have the admin username and its password, but Windows still won't let me log in. I get "The username or password is incorrect" error messages. I made sure to use the MACHINENAME\USERNAME syntax at the login screen, but it still won't work. BTW, I double checked the machine name in the registry and I have the correct one. I then tried booting in safe mode and logging in, but it still does not work.
Next, I tried using Passware Windows Reset Key to reset the Administrator password. The process of resetting the password completed without error, but when trying to log in, it still does not let me (with original or blank password). I've sent an email to Passware regarding this issue this morning and I'm waiting for a reply.
I opened the registry file on the server to make sure that the Administrator account was enabled, requires a password, was not expired, etc. and everything was fine.
Finally, I thought this might be an issue related to running the system from a VM with an image mounted in read-only mode. So, I restored my image to a physical system. It booted fine, but I was still unable to log in…
Does anyone have any idea what I could be doing wrong here? I've done a couple of VMs from image files over the years and never encountered this type of bug. Is there some security mechanism in Windows 2008 that could explain this kind of lock-out?
Any help would be appreciated.
Thanks
Are you sure you cracked the domain admin password? Most of the tools I have seen reset the local admin account.
I cracked the local admin password.
OK, just confused as to what account you were using since in your original post you wrote "I made sure to use the DOMAINNAME/USERNAME syntax at the login screen".
OK, sorry about that.
What I meant by DOMAINNAME, in that case, was the machine name. So basically, I was entering SERVER\Administrator as the user name.
I was just looking at the Passware site and read the following
Q What version of Windows Key should I use to reset a local Administrator password on a Windows Server?
To reset local account passwords for Windows NT4/2000/2003/2008 Servers, please use Windows Key Professional or Windows Key Enterprise.
Q What version of Windows Key should I use to reset a domain Administrator password?
To reset passwords for domain Administrators, please use Windows Key Enterprise.
Did you use Professional or Enterprise?
Also when you reset the password was the admin account really named Administrator? On Server 2008 that would be most unusual as the Built-in account named "Administrator" is typically disabled.
I'm using Passware Kit Forensics which has more features than Professional or Enterprise and allows resetting the local admin passwords.
As for the admin user, it was really named Administrator. When I look at the SAM registry file with AccessData Registry Viewer, I can see "Account Disabled False" (it sucks that we can't post screenshots here…)
As I am re-reading the scenario, I think since you are logging in with the local admin account to a server that is in AD you will need to restart in Directory Services Restore Mode.
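The mechanism behind the answer above, as an added example that is not part of the original thread: a Windows Server 2008 domain controller has no usable local SAM at the normal logon screen, so the "Administrator" hash pulled from the imaged SAM is the Directory Services Restore Mode (DSRM) password and only works when the box is booted into DSRM. The script below, run on the forensic workstation with the image mounted as a drive letter, checks the offline SYSTEM hive for the DC markers (ProductType "LanmanNT" and an NTDS database path) and, if the box is a DC, flips the offline BCD store so the VM boots straight into DSRM. The drive letter X: and the use of a VM whose writes are cached outside the read-only E01 are assumptions; the registry values and bcdedit switches are standard.

```powershell
# Added example, not code from the original thread. Assumes the imaged system
# drive is mounted as X: on the forensic workstation (assumption) and that the
# VM boots from a writable cache over the read-only E01 (assumption).
# Run from an elevated PowerShell prompt.

$SystemHive = 'X:\Windows\System32\config\SYSTEM'
$BcdStore   = 'X:\Boot\BCD'

function Test-OfflineDomainController {
    param([string]$HivePath)

    # Load the imaged SYSTEM hive under a temporary key name.
    reg load HKLM\IMG $HivePath | Out-Null
    try {
        # Select\Current tells us which ControlSet the machine actually boots with.
        $current = (Get-ItemProperty 'HKLM:\IMG\Select').Current
        $cs = 'ControlSet{0:D3}' -f $current

        # ProductType: WinNT = workstation, ServerNT = member/standalone server,
        # LanmanNT = domain controller.
        $productType = (Get-ItemProperty "HKLM:\IMG\$cs\Control\ProductOptions").ProductType

        # A DC also carries the NTDS service parameters, including the path to ntds.dit.
        $ntds = Get-ItemProperty "HKLM:\IMG\$cs\Services\NTDS\Parameters" -ErrorAction SilentlyContinue
        $dbPath = if ($ntds) { $ntds.'DSA Database file' } else { $null }

        [pscustomobject]@{
            ControlSet  = $cs
            ProductType = $productType
            NtdsPath    = $dbPath
            IsDC        = ($productType -eq 'LanmanNT' -and -not [string]::IsNullOrEmpty($dbPath))
        }
    }
    finally {
        # Release handles before unloading, otherwise reg unload reports "access denied".
        [gc]::Collect()
        reg unload HKLM\IMG | Out-Null
    }
}

$info = Test-OfflineDomainController -HivePath $SystemHive
$info | Format-List

if ($info.IsDC) {
    Write-Host "Domain controller: the SAM 'Administrator' password is the DSRM password."
    Write-Host "Setting the offline BCD so the VM boots into Directory Services Restore Mode..."
    # 'dsrepair' is the BCD safeboot value for DSRM on Server 2008 (the F8 menu
    # entry 'Directory Services Restore Mode'). {default} is the default OS entry.
    bcdedit /store $BcdStore /set '{default}' safeboot dsrepair
    Write-Host "Boot the VM, log on as SERVER\Administrator (or .\Administrator) with the cracked/reset password."
    Write-Host "When finished, remove the flag so the DC can boot normally:"
    Write-Host "  bcdedit /store $BcdStore /deletevalue '{default}' safeboot"
}
else {
    Write-Host "Not a domain controller (ProductType=$($info.ProductType)); SAM accounts should work at the normal logon screen."
}
```

Two practical notes: in DSRM the directory service is not started, so the accounting application will run only if it does not depend on Active Directory for authentication or on services that require the DC to be fully up; and if the VM is already bootable, pressing F8 during boot and choosing "Directory Services Restore Mode" achieves the same thing as the offline BCD edit without touching the store.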
That worked!
Thank you very much.