Tuesday, January 8, 2008

How to reset a Windows Server Password on VMware (including ESX)

Recently, we had a need to reset a Windows Server's local admin password on a machine that was a guest OS on a VMware cluster. I thought it would be really straightforward (load up ntpasswd and go!) but I ran into issues. Mainly, the utility was not able to detect the hard drive. Here's an easy guide on getting back into your Windows server:

STANDARD DISCLAIMER: I am not responsible for your servers or your actions. If these instructions mess up your super important production server you probably shouldn't have lost the password in the first place ;) Instructional purposes only.

Tools you'll need:
- A Windows box that you can't get into (guest on VMware)
- VMware tools need to be previously installed on the Windows box.
- Emergency Boot CD ISO (EBCD061P.ISO)
- Administrative Privileges for your guest OS via VMware Infrastructure Client
- *You must be able to change the SCSI controller settings from 'LSI Logic' to 'BusLogic'
- Patience

1.) First things first:
You want to gracefully shut down the Windows box from your VMware console so the hard drive doesn't lock for the password reset tool. This is where having the VMware tools installed comes in handy. With the tools installed, you can right-click on the guest OS and choose "Shut Down Guest", which will gracefully shut the machine down even if you have disabled power downs from the CTRL+ALT+DEL screen.




2.) Critical Step:
The problem with resetting passwords on Windows boxes hosted by a VMware cluster is really pretty simple: the hard drive's SCSI controller is "LSI Logic" by default, which is not supported by current password reset utilities. Fortunately, you can change the SCSI controller type by doing the following:

Edit Settings of Guest OS > SCSI Controller > Change Type
Make the SCSI controller type "BusLogic"



After this, press OK until you get back to the black console screen. At this point, if you are able to configure the ISO while the machine is off go ahead and set the EBCD ISO (listed above) for boot. Now skip to step 5. If you have problems loading the ISO while the machine is off (like I did) keep reading.

3.) Getting the ISO loaded:

My VIC is pretty laggy, so I had to do this a few times to get it to work. Mainly you want to be prepared for the screens that you'll be presented with, so you'll see them below. Take a look at the screenshots to prepare yourself:

4.) Turn the Guest back on.
After you turn it on, it will present you with a dialog box confirming the SCSI controller change before it actually turns the guest OS on.



Right after you click "ok", the guest will begin starting up. Make sure you are ready to click inside of the console to gain control of the VMware BIOS. Keep clicking the black console until you see the BIOS. As soon as you see the BIOS screen, hit the ESC key ONCE quickly! This should (hopefully) load the boot options.



If you didn't catch the BIOS quickly enough, Windows will begin loading and you'll be greeted with this screen.



Don't panic, just hit escape when you get back to the VMware BIOS after the machine reboots. Load up the ISO and continue with the CD-ROM boot.

5.) The Reset
After the ISO is loaded, make sure you select "CD-ROM Drive" and hit Enter. This will start EBCD. Select option 5.

After you select option 5, you may get an error and hang:
" PCI: Cannot allocate resource region 4 of device 00:07.1 "



Don't worry about this; it's likely not hung. Give it a minute to get past the error. You'll be asked to "Swap to SCSI-Drivers disk now if needed (not needed on CD). Press return/enter to continue". Hit enter, and when you are prompted to "Probe for SCSI-drivers: [n]", type "y" and hit enter. This should automatically find the BusLogic driver.



If everything goes well, you'll eventually make it to the "What partition contains your NT installation?" screen. Select the right one (usually the default by hitting enter).

*NOTE: If you bluescreened and rebooted unclean, you'll get an error "mount: wrong fs type, bad option, bad superblock on /dev/XXXX or too many mounted file systems". This version of EBCD seems to be able to recover from unclean shutdowns and should eventually successfully load the drive. See below for the rest of the process:



At the end of the password reset, you may notice some errors such as
"NTFS-fs error (device 08:01) ntfs_prepare_nonresident_write(): Writing beyond initialized size is not supported yet. Sorry"

Don't worry about this; the password should still be reset. Power the machine down.

6.) Change SCSI settings back to LSI Logic.
Change the settings back to normal and reboot the Windows machine. Try and log in to your local administrator account. All should be well. If it did not work and you bluescreened in step 2, keep trying until you are able to mount the ISO without Windows attempting to load in the BusLogic mode.
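
One way to confirm that step 6 really restored the controller type changed in step 2 is to compare a copy of the guest's .vmx file taken before the procedure with the current one. This is an added example, not part of the original post; it assumes the controller type is stored under the `scsiN.virtualDev` key of the .vmx file, and the sample configurations and function names are constructed for illustration.

```python
import re

# Constructed sample .vmx fragments (not taken from a real VM).
VMX_BEFORE = '''
displayName = "winsrv01"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.fileName = "winsrv01.vmdk"
'''
# Same guest with the step 2 change still in place (step 6 was skipped).
VMX_AFTER_FORGOTTEN = VMX_BEFORE.replace('"lsilogic"', '"buslogic"')

_LINE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def scsi_controllers(text):
    """Map each present controller (scsi0, scsi1, ...) to its virtualDev."""
    cfg = parse_vmx(text)
    found = {}
    for key, value in cfg.items():
        # Matches scsi0.present but not disk entries such as scsi0:0.present.
        m = re.fullmatch(r'(scsi\d+)\.present', key)
        if m and value.lower() == "true":
            ctrl = m.group(1)
            # Key may be absent; report that instead of guessing a default.
            found[ctrl] = cfg.get(ctrl + ".virtualdev", "(unset)").lower()
    return found

def not_restored(before_text, after_text):
    """List (controller, original, current) where the type still differs."""
    before = scsi_controllers(before_text)
    after = scsi_controllers(after_text)
    return sorted(
        (c, t, after.get(c, "(missing)"))
        for c, t in before.items()
        if after.get(c) != t
    )

if __name__ == "__main__":
    for ctrl, want, have in not_restored(VMX_BEFORE, VMX_AFTER_FORGOTTEN):
        print(f"{ctrl}: expected {want}, found {have}")
```

An empty result means every controller is back to its original type; any entry names a controller that is still in the temporary mode.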

Questions? Comments? dh@slack.net

Daniel Hoffman
Network Security Consultant/Analyst
Buffalo NY
www.slack.net/~dh