
Reset Windows password Manual

Uploaded by

MAHAMMAD GARBA


Reset Windows Password

USER MANUAL

Copyright (c) 2019 Passcape Software. All rights reserved.


Passcape Software
Table of Contents

1. Introduction
1.1 About the program
1.2 Features and benefits
1.3 System Requirements

2. Creating bootable environment
2.1 3 simple steps to launching the application from a boot disk
2.2 Creating RWP boot disk
2.3 Changing BIOS/UEFI settings
2.4 Running the program from the bootable CD/DVD/USB
2.5 Running the program using UEFI's boot media selection option

3. Working with the program
3.1 Main window
3.2 Reset user passwords
3.3 Reset DSRM passwords
3.4 Reset domain cached password
3.5 Add new user account
3.6 Edit user account properties
3.7 Password policy editor
3.8 Search for logon passwords
3.9 Search for domain cached passwords
3.10 Dump password hashes
3.11 Dump domain cached passwords
3.12 Restoring previous modified password
3.13 UTILS
3.13.1 Decrypt Windows Hello credentials
3.13.2 Lookup PIN
3.13.3 Search for SYSKEY startup password
3.13.4 Search for lost product/CD keys
3.13.5 Search for Internet/mail/network passwords
3.13.5.1 Search for Web passwords stored by Internet browsers
3.13.5.2 Search for mail passwords saved by email clients
3.13.5.3 Search LAN/WAN/RAS/DSL/VPN/WiFi and other network passwords
3.13.6 Search for password-protected documents
3.13.7 Search for recently opened files
3.13.8 Backup passwords and sensitive information
3.13.9 Removing user’s private information
3.13.9.1 Removing password history of SAM or Active Directory users
3.13.9.2 Removing domain cached passwords
3.13.9.3 Removing cached logon password
3.13.9.4 Removing password reset disk information
3.13.9.5 Removing password hints
3.13.9.6 Resetting SYSKEY
3.13.10 Loading additional hard disk drivers
3.13.11 Unlock Bitlocker encrypted drives
3.13.12 Mounting virtual drives
3.14 FORENSICS
3.14.1 Logon history and statistics
3.14.2 Hardware history
3.14.3 Software history
3.14.4 Network history
3.14.5 Recent user activity
3.14.6 System events
3.14.7 Web history
3.14.8 Last modified files
3.14.9 Last modified directories

4. License and registration
4.1 License Agreement
4.2 Registration
4.3 Limitation of unregistered version
4.4 Program editions

5. Technical support
5.1 Reporting problems
5.2 Suggesting features
5.3 Contacts


1 Introduction
1.1 About the program

Reset Windows Password was developed for resetting, changing and recovering Windows logon
passwords, for example, when the computer Administrator's password is lost or forgotten. Reset
Windows Password is the most optimal and functionally richest solution in its class. The application
supports all versions of Windows (based on NT), works with Active Directory and domain cached
credentials, possesses artificial intelligence skills for recovering passwords instantly to certain accounts
and demonstrates a number of additional unique features.

The interface of the application takes the traditional form of a step-by-step wizard, so
the operation process is not complicated even for an inexperienced user. For example, resetting
an administrator password takes just three simple steps:
1. Select the SAM and SYSTEM files (the application automatically searches all hard drives for the
registry files.)
2. Select the user account.
3. Reset or modify the password.

Using a built-in utility, you can easily create a bootable CD, DVD or USB disk (including devices like
Compact Flash, SmartMedia, SONY Memory Stick, Secure Digital, ZIP drives, USB Hard Disk drives,
etc.) within a few minutes, from an existing ISO image with the program. Reset Windows Password has
a graphical user interface, supports loading IDE, SATA, SCSI, RAID volumes on the fly, is compatible with
FAT, FAT32, NTFS, NTFS5 file systems, and ships with a large collection of hard disk drivers from Highpoint,
Intel, Jmicron, Marvell, Nvidia, Silicon Image, Sis, Uli, Via, Vmware.

1.2 Features and benefits

Application's advantages:

· Support for all versions of NT-based Windows.
· Support for 32/64-bit Windows.
· Large collection of hard disk drivers. Loads additional drivers from the application.
· Reset and modify passwords of local and domain users, local administrator, domain administrator,
other Active Directory accounts.
· Enable and unlock user accounts, both local and domain administrators.
· Disable password expiry options.
· Detect several operating systems.
· Support for non-English versions of Windows and passwords in national encoding.
· Dump user password hashes from SAM for further analysis.
· Dump password hashes from Active Directory.
· Dump domain cached passwords.
· Several modules to extract and decrypt Active Directory plaintext passwords.
· Allow undoing changes made to the system.
· Delete passwords and other sensitive data from PC.
· Advanced password search and recovery algorithms.
· Reset SYSKEY security.
· SYSKEY startup password recovery.
· Search for lost serial keys.
· Search for network passwords.
· Backup registry/Active Directory and other sensitive information.
· Unlock Bitlocker drives.
· View user activity, different forensic information.
· Edit local or domain password policy.

The software is available in three editions: Light, Standard and Advanced. The detailed list of features
for each edition is available here.

1.3 System Requirements

Requirements
x64-based microprocessor, a minimum of 1 GB of RAM, CD-ROM or USB drive. The bootable
USB drive should be 512 MB or larger (a 2-32 GB USB stick is recommended for better compatibility).
Computer BIOS must support booting from CD, DVD or USB device.

Compatibility
Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7/8/10, Windows Server
2000/2003/2008/2012/2019. File systems: FAT, FAT32, NTFS, NTFS5. The program is compatible with
the majority of CD/DVD recorders and USB devices, including Memory Stick, Compact Flash,
SmartMedia, Secure Digital, USB flash drives, USB ZIP drives, USB Hard Disk drives, etc.

Restrictions
If your system uses a non-standard mass storage device, you may need to specify a third-party driver
compatible with Windows 10. Please refer to your motherboard manual for the details.

Known issues or bugs


· If you have 2 or more logical disks in your system, the disk letters may be reassigned/reordered.
· If you are resetting a password of the built-in Administrator account in some editions of Windows,
please keep in mind that in order to activate the built-in Administrator account and log on to the system,
you will need to load the system in the safe mode.
· The program supports all types of SYSKEY encryption. In some cases you may need to provide the
SYSKEY startup password or startup diskette. However, the program can also reset or look up the
SYSKEY password, so even if you forgot your SYSKEY, it's not a problem.
· After you reset the password of a local account, you may lose access to your Web page passwords,
wireless network and file share credentials, EFS-encrypted files, e-mail messages encrypted with
private keys. Please refer to Microsoft Knowledgebase for further details.
· Resetting Active Directory passwords for certain accounts may have no effect. For example, on a
RODC.
· Password reset (as well as other features that imply disk-write operations) on a virtual OS will have no
effect.
· When resetting a password for a Microsoft Account, you should provide a non-empty password.
Otherwise you will not be able to log on to the system.


2 Creating bootable environment


2.1 3 simple steps to launching the application from a boot disk

1. Download Reset Windows Password package at https://www.passcape.com/download/rwp.zip (or
using the link that was sent to you in the registration e-mail)
2. Create RWP boot disk: unpack the RWP.ZIP file, run IsoBurner.exe, select an item for creating
bootable CD/DVD/USB, show the path to the unpacked ISO image and write it to the disk.
3. Start the target computer and change its BIOS/UEFI settings to make the boot device (CD-ROM,
DVD-ROM or USB disk) first on the list. Save the settings, reboot once again to start the program off
your bootable CD, DVD or USB disk. You can use fast boot option if your BIOS/UEFI supports fast
boot media selection during startup.

2.2 Creating RWP boot disk

Passcape ISO Burner

Passcape ISO Burner is a program for creating bootable CD, DVD or USB disks from ISO-9660
images. The program is free and comes with RWP. It is also available for downloading and using at our
website: https://www.passcape.com/download/pib.zip

The application’s interface is extremely simple. When started, the application asks you to select what you
would like to do:
- Record ISO image to CD/DVD using this application
- Record ISO image to CD/DVD using an external burning application installed on your computer. For
example, Nero or its free analog ImgBurn.
- Use ISO image to create a USB boot disk
- Extract ISO image to disk (keep in mind that this action causes the loss of boot data).

Creating Reset Windows Password bootable CD

Select the first menu item: 'Burn ISO image to CD/DVD'. At the bottom of the screen, enter the path to the
file with the ISO image. That enables the 'Next' button, and you can move on to actually creating the
disk. All you need to do here is select the recorder you are going to use, insert a blank CD/DVD in it and
click on the <<BURN>> button to create a boot disk from the ISO image selected in the previous step.

Creating Reset Windows Password bootable USB

Select the existing bootable ISO image with the program and turn the ‘Create bootable USB disk’ option
on. Enter the product serial number if you have one. When the next window appears, plug the USB
device into your computer; it should automatically appear on the list of found USB devices. Click on the
'Create' button to format and create the boot USB. In some cases (for example, if the USB device is
installed as a hard disk drive, and an extended partition entry is found on that disk) the application will
require restarting for reassigning drive letters.

The program offers several partition schemes (formatting modes) to supply better compatibility when
booting from USB devices. If you feel uncertain about what partition scheme to select, consider using
the following simple algorithm:
- If the target PC is based on UEFI (graphical) interface, select 'Max compatibility with new PCs (FAT32
MBR for UEFI)' mode. This scheme will create a USB to be run on UEFI-based PCs where secure boot
mode is turned on.
- If your target PC is based on BIOS (textual) interface, select 'Max compatibility with old PCs (FAT32
MBR for BIOS)' mode. This mode will create a USB that is fully compatible with BIOS firmware.
- If you know nothing about the target PC, switch to the 'Max possible compatibility' scheme. This mode creates
bootable USBs that can run on both BIOS- and UEFI-based computers (with Compatibility Support
Mode turned on). On some PCs or laptops the Compatibility Support Mode is also known as Legacy
Boot Mode.

If you bought your PC after 2010, most likely, it comes with UEFI. New computers use UEFI firmware
instead of the traditional BIOS. Both are low-level software that starts when you boot your PC and are
used to 'communicate' with hardware. Unlike BIOS, UEFI is a more modern solution with graphic
interface, supporting larger hard drives, faster boot times and more security features.

Be careful! All data on the target drive will be overwritten. If the application is unable to detect boot files
in the source ISO image, it will show the respective warning.

Some AntiVirus/AntiMalware software blocks creating bootable disks or copying some boot files to media,
even without onscreen warnings!

2.3 Changing BIOS/UEFI settings

General information
In order to load Reset Windows Password, you may need to adjust your computer’s BIOS/UEFI settings
to make the boot device (CD, DVD, or USB) first on the list of devices. This is the routine to follow for
that:
1. When booting the computer, press the Del key to enter the BIOS menu. Some versions of BIOS use
other hotkeys; those could be F2, F10, F11, ESC, etc. The hint is normally displayed at the bottom
of the boot screen.
2. Enter the BIOS/UEFI, then on the menu find the item that’s in charge of the initial boot devices. Edit
it to make the CD or USB with the Reset Windows Password first on the list.
3. Make sure to have saved the changes and then reboot the computer.

If your PC uses UEFI firmware, you can use fast boot selection switch without altering any settings. For
more information, please refer to your computer’s motherboard user manual.

Setting up BIOS, questions and answers


Q: My computer’s BIOS has several items for booting from USB devices: USB FDD, USB ZIP, USB
HDD, USB CDROM. Which one should be selected?
A: Different BIOS manufacturers set up the initial boot in different ways. In the majority of cases, to boot
from a regular flash drive: on old motherboards you would need to select the USB ZIP option; on some other
ones - USB HDD.

Q: The application takes too long (sometimes up to 10 minutes) to boot from USB media.
A: That indicates that the device runs over the slow USB protocol, 1.1. First, the storage device must
support the 2.0+ specification. Second, the USB port in the motherboard where you plug the storage
device must support the 2.0+ specification. And third, you must enable the USB 2.0 (or higher) support
in the BIOS.

Q: The computer wouldn’t boot from USB devices at all. When attempting to boot – either a black screen
or the 'no operating system' error message.
A: Try finding the ‘Legacy USB storage detect’ option and make it ‘Enabled’. In the boot options, you
should have only one USB device. If you have two or more USB devices plugged into the computer (e.g.
UPS, printer, scanner, modem, etc.), leave only one bootable USB disk. Unplug the USB device from
the computer, turn the computer off, plug the USB device into a different USB port, turn your computer on
and attempt to boot again. If that didn’t help – update your BIOS. There is also a chance that your
motherboard doesn’t support booting from USB devices or doesn’t support the file system used on this
USB storage device.

Q: Blue or black screen, all kinds of driver, registry load, etc. errors occur when booting from CD or
USB.
A: Maybe your computer does not have sufficient memory. The minimum required by the application is 1
GB RAM. To run it with comfort, you would need 2 GB or more.

Q: Can't get into my BIOS. A password is required.
A: An unpleasant surprise may await you when you try to modify the boot device settings in BIOS.
Some hardware manufacturers, sellers or previous owners of the PC may have set
their own passwords for accessing BIOS. In other words, in order to modify BIOS settings, you would
need to enter that password, which usually is not possible to find out.
Some versions of BIOS allow resetting their settings by pressing a certain key on the keyboard;
normally that’s Ins. For some types of AMI BIOS it is the Ctrl+Alt+Del+Ins combination. On AWARD
BIOS, the key is to be pressed and held down until the computer is turned on. That will load the default
settings. However, this option is to be used extremely carefully, as it resets all other settings of the
BIOS.
Also, there are universal back-door passwords. They are provided below for many popular old versions of
BIOS. If you don’t know it, the BIOS type and version is normally displayed for a few seconds during the
initial boot of the computer at the bottom of the screen.
If none of the universal passwords has worked, you can take advantage of the method described in
many motherboard user manuals: simply reset BIOS settings by shorting the respective jumper. It is
normally located near the large CMOS battery. If the motherboard doesn’t have a CMOS battery, find the
microchip with the Dallas or Odin marking; the jumper must be somewhere nearby. Simply removing the
CMOS battery doesn’t always help, as the BIOS microchip can live for several hours without power.
Also, you are highly discouraged from shorting the CMOS itself for resetting BIOS settings, as that may
substantially shorten the battery life.
On the Net, you can find a number of software solutions for recovering passwords and resetting BIOS.
For example, cmospwd and killcmos. You are highly discouraged from resetting all BIOS settings in
laptops. That may lead to the complete halt of the system.

Q: An error pops up which states that the CPU does not support 64-bit mode or running 64-bit
applications.
A: Reset Windows Password no longer supports 32-bit CPUs (but still supports 32-bit OSes).
Contact tech. support to get a link for the latest 32-bit compatible version.

Q: Can I boot a BIOS compatible CD/USB drive in UEFI?
A: Yes. Enter your UEFI settings (press ESC, F2 or DEL). Open the 'Boot' menu and enable the 'Launch CSM'
option. Now locate the 'Security' tab and disable 'Secure Boot Control'. Save changes and reset your PC.
Enter the UEFI setup once again and make sure your DVD/USB drive is available under the 'Boot' tab.
Some UEFIs also have a boot device menu (it is usually launched by hitting F8) where you can select your
boot device and mode.

Q: Can I create a USB drive that will be able to boot in both BIOS and UEFI?
A: Yes. Run the IsoBurner tool and select the 'Max possible compatibility' partition scheme when creating a
bootable USB. This mode creates bootable USBs that can run on both BIOS- and UEFI-based
computers (with Compatibility Support Mode turned on). On some PCs or laptops the Compatibility
Support Mode is also known as Legacy Boot Mode.

Q: USB is not listed as a boot option in my UEFI. How can I enable booting for a USB stick?
A: It seems that the USB was formatted either to BIOS or UEFI CSM mode but your UEFI allows booting
in Secure Boot mode only. You will have to allow booting in legacy mode. In your UEFI settings disable
both 'Boot - Fast Boot' and 'Security - Secure Boot' and enable 'Compatibility Support Mode (CSM)' or
similarly worded options. Another workaround would be to create a bootable USB using the 'Max
compatibility with new PCs (FAT32 MBR for UEFI)' scheme. This scheme is fully compatible with UEFI
Secure Boot mode.

Back-door BIOS passwords


BIOS manufacturer: Universal password

AWARD BIOS 2.50: AWARD_SW, 01322222, j262, TTPTHA, KDD, ZBAAACA, aPAf, lkwpeter, t0ch88, t0ch20x, h6BB
AWARD BIOS 2.51: AWARD_WG, HLT, BIOSTAR, SWITCHES_SW, 256256, j256, ZAAADA, Syxz, ?award, alfarome, Sxyz, SZXY
AWARD BIOS 2.51G: HEWITTRAND, HLT, biostar, HELGA-S, bios*, g6PG, j322, ZJAAADC, Wodj, h6BB, t0ch88, zjaaadc
AWARD BIOS 2.51U: condo, biostar, CONDO, CONCAT, 1EAAh, djonet, efmukl, g6PG, j09F, j64, zbaaaca
AWARD BIOS 4.5: AWARD_SW, AWARD_PW, PASSWORD, SKYFOX, award.sw, AWARD?SW, award_?, award_pc, ZAAADA, 589589
AWARD BIOS 6.0: AWARD_SW, HLT, KDD, ?award, lkwpeter, Wodj, aPAf, j262, Syxz, ZJAADC, j322, TTPTHA, six spaces, nine spaces, 01355555, ZAAADA
AMI BIOS: AMI, SER, A.M.I., AMI!SW, AMIPSWD, BIOSPASS, aammii, AMI.KEY, amipswd, CMOSPWD, ami.kez, AMI?SW, helgaЯs, HEWITT RAND, ami', AMISETUP, bios310, KILLCMOS, amiami, AMI~, amidecod
AMPTON BIOS: Polrty
AST BIOS: SnuFG5
BIOSTAR BIOS: Biostar, Q54arwms
COMPAQ BIOS: Compaq
CONCORD BIOS: last
CTX International BIOS: CTX_123
CyberMax BIOS: Congress
Daewoo BIOS: Daewuu, Daewoo
Daytec BIOS: Daytec
DELL BIOS: Dell
Digital Equipment BIOS: komprie
Enox BIOS: xo11nE
Epox BIOS: Central
Freetech BIOS: Posterie
HP Vectra BIOS: hewlpack
IBM BIOS: IBM, MBIUO, sertafu
Iwill BIOS: iwill
JetWay BIOS: spooml
Joss Technology BIOS: 57gbz6, technology
M Technology BIOS: mMmM
MachSpeed BIOS: sp99dd
Magic-Pro BIOS: prost
Megastar BIOS: star, sldkj754, xyzall
Micronics BIOS: dn_04rjc
Nimble BIOS: xdfk9874t3
Packard Bell BIOS: bell9
QDI BIOS: QDI
Quantex BIOS: teX1, xljlbj
Research BIOS: Col2ogro2
Shuttle BIOS: Col2ogro2
Siemens Nixdorf BIOS: SKY_FOX
SpeedEasy BIOS: lesarot1
SuperMicro BIOS: ksdjfg934t
Tinys BIOS: tiny, tinys
TMC BIOS: BIGO
Toshiba BIOS: Toshiba, 24Banc81, toshy99
Vextrec Technology BIOS: Vextrex
Vobis BIOS: merlin
WIMBIOS v.2.10 BIOS: Compleri
Zenith BIOS: 3098z, Zenith
ZEOS BIOS: zeosx

2.4 Running the program from the bootable CD/DVD/USB

Turn on your computer. Press the Del key to enter the BIOS menu. Some versions of BIOS use other
hotkeys; those could be F2, F10, F11, ESC, etc. The hint is normally displayed at the bottom of the
boot screen.

Edit the Boot menu to make the CD or USB disk with the Reset Windows Password first on the list
of boot devices.

Make sure to have saved the changes and then reboot the computer.

If everything's gone smoothly, you'll see the following textual message. Hit any key to load from the Reset
Windows Password bootable disk. Otherwise your old OS will be started.

RWP has been successfully loaded and is ready to use.

2.5 Running the program using UEFI's boot media selection option

If your UEFI supports boot media selection, you can use it to start the program easily off the boot disk.
The option is invoked by hitting a hot key (usually, F8) on PC startup. In most versions of UEFI this
option is also available from the main menu.

3 Working with the program


3.1 Main window

First, the program prompts you to select one of the recovery modes: SAM – regular user accounts, AD –
Active Directory accounts, DCC - domain cached passwords, UTILS - other tools and utilities, and
FORENSICS - system investigation tools. Once you make the selection, the list of operations
available for that mode is displayed.

SAM - regular user accounts

· Reset user account password
· Add new user account
· Edit account properties
· Password policy editor
· Lookup user passwords
· Dump password hashes
· Restore previously modified passwords, rollback changes

AD - Active Directory domain accounts

· Reset user account password
· Reset or change DSRM (Directory Services Restore Mode) password
· Edit account properties
· Password policy editor
· Lookup user passwords
· Dump password hashes
· Restore previously modified passwords, rollback changes

DCC - domain cached credentials

· Reset domain cached password
· Lookup DCC passwords
· Dump domain cached credentials to text file
· Restore previously modified passwords, rollback changes

UTILS - miscellaneous tools

· Decrypt Windows Hello credentials
· Lookup PIN
· Lookup SYSKEY startup password
· Lookup lost product keys and serial numbers
· Search for Internet/mail/network passwords
· Search for protected documents
· Search for recently opened documents
· Backup Passwords and sensitive information
· Remove user sensitive information
· Load IDE/SATA/SCSI/RAID driver
· Unlock Bitlocker-encrypted drives
· Mounting virtual drives

FORENSICS - system investigation tools

· Logon history and statistics
· Hardware history
· Software history
· Network history
· Recent user activity
· System events
· Web history
· Last modified files
· Last modified directories

Schematic description of logon types

SAM
A regular user account of any home PC. Password hashes are stored in SAM registry file on the same
computer.

Active Directory
A domain user account. Password hashes are stored in NTDS.DIT database on domain PC.

DCC
Cached credentials of domain accounts. Password hashes can be stored (depending on domain security
policy) on the local PC. The account login is performed either through the domain or using the cached
credentials.

3.2 Reset user passwords

Selecting data source

To reset a regular account password, you should select two registry files: SAM and SYSTEM. The
application automatically searches all files and suggests the first ones it finds. The registry files are
located in the %WINDIR%\system32\config folder, where %WINDIR% is your Windows directory.

If you select Active Directory mode during the previous step, you should set the location of the Active
Directory database instead of the SAM registry file. By default, that’s the %WINDIR%\NTDS folder. So
the full path to the AD database may look like this: C:\Windows\NTDS\ntds.dit

Choosing a Windows account

The top of the dialog displays the list of user accounts found. By clicking on one of them, you can see
the properties of the account; namely: whether the account is locked or disabled, whether the password
is required, whether password history is available, whether password hint is available, etc.

Resetting password

To reset the password, leave the 'New password' field blank and click on the 'Reset/Change' button. Take
note of the additional options. The account must not be locked, disabled or expired.

Besides that, if local or domain password policies are set, make sure that the new password complies
with the length and complexity requirements and does not match any of the passwords used earlier (if
password history exists). Otherwise, you will be unable to log on to the system even if you reset the
password successfully.

If you are resetting the password of the built-in Administrator, keep in mind that in order to activate this
account and log on to the system, you need to load the system in Safe mode. To do that, before
Windows starts loading, keep pressing the F8 key until the textual system boot selection dialog
appears. In that dialog, select the safe mode item. After that, the built-in Administrator account will
become active, and you will be able to use it.

On Windows 8 and later operating systems, click the Power button, press and hold the SHIFT key on
your keyboard and select Restart.

Note that you will have to enter a non-empty password in order to be able to log on with a LiveID or
Microsoft account.

3.3 Reset DSRM passwords

What is DSRM
DSRM (known as Directory Services Repair Mode or Directory Services Restore Mode in versions
prior to Windows Server 2012) is a special boot mode of a Windows Server domain controller that is
similar to Safe Mode with Networking, but without Active Directory running. DSRM is used to
restore Active Directory from a backup. It is also helpful in various situations and problems with the AD.

To get into DSRM, press the F8 key immediately after the BIOS/UEFI POST screen, but before
the Windows logo appears. In Windows Server 2012 and later OSes, the Advanced Boot Options
menu or the Windows Recovery Environment is used for that.

Selecting data source

The password recovery process for the DSRM account is almost the same as for a regular user account.
First you'll have to specify the location of the SAM and SYSTEM registry files.

Resetting password

Type in a new password or just leave the input field blank if you want to reset it. Then confirm the changes
by clicking the 'RESET/CHANGE' button. The program may ask you to create a backup file. You can
use the backup file later to roll back the changes.

3.4 Reset domain cached password

When a user logs on to a Windows domain, the user's domain credentials are securely cached and
saved to his/her PC. This feature allows users to log on to the domain when the local workstation is
disconnected from the network or even if no domain controller is available. To get around the problem of
a lost or forgotten password for the domain account, you can simply reset your domain cached credentials
using Reset Windows Password. The process consists of 3 simple steps.

Selecting registry files

To reset a domain cached password, you should provide two registry files: SECURITY and SYSTEM.
Both files are located in the %WINDIR%\system32\config folder, where %WINDIR% is your Windows
directory. Usually, the program takes care of that and suggests the files it found.

Before proceeding to the next recovery step, make sure you selected exactly the files you need.

Selecting domain account

The upper part of the dialog displays a list of found cached entries with the names of the user accounts.
Select one of the entries to view its properties: the full name of the user account, last login date, logon
domain, home directory, etc.

Resetting password

To reset the password, leave the 'New password' input box empty and click the 'RESET/CHANGE' button.
Pay special attention to the additional option. The domain cache is arranged in such a manner that it can
contain multiple entries for the same user. If the 'Change password for all cached entries for this user
account' option is set, the program will try to change/reset the passwords of all found entries of the
selected account (with the specified RID). Otherwise it will reset the password for the selected entry
only. It is recommended to turn this option on unless you know what you are doing.

Make sure that your new password meets the domain length and complexity requirements and does not
match any of the previously entered passwords (if security policy and password history are used.)
Otherwise, Windows may deny access even if the password is successfully modified.

Please note, to log in to your domain account successfully after the cached password is reset, you
must temporarily disable connection to the domain! Otherwise, Windows will not use the local
cached entry but the regular domain credentials instead.

Keep in mind, logging on to the domain with cached credentials gives you access to local resources
only.

3.5 Add new user account

Adding a new local account is simple. We arranged it into 3 common steps.

1. Selecting data source

You should select the SAM and SYSTEM files first. The program usually searches for and suggests the files
automatically. In case you need to set the files manually for some reason, note that the registry files
are located in the %WINDIR%\system32\config directory.

2. Choosing a donor account

Select the user you want to use as a donor account. All properties of the source account will be copied to
the newly created one. It is not a problem if the source account is locked or disabled: the program should
fix some of its critical properties and set up default flags. For example, if the source account is set to allow
logging on to the system only during certain hours, the program will zero out the restriction.

3. Adding new account

Now all you need is to set a name, description and a password for the new account. Leave the password
field blank to set an empty password. Note that if the target OS has a password policy set, your new
password should conform to the policy.

You should pay special attention to setting the group membership of the new account. Usually, you should
make it a member of the 'Administrators' and/or 'Users' group in order to be able to log on locally, unless
your security policy specifies otherwise. Setting an incorrect membership may cause trouble,
for example, deleting the account.

After the account is created successfully, you can step back to the main dialog, select 'Edit account
properties' mode and set/unset some extended flags, if needed.

3.6 Edit user account properties

The new version of the program lets you manipulate extended properties of the target user account,
as well as change a Microsoft Live ID account to a local account or vice versa. This is extremely helpful
when you need to unlock/enable a locked/disabled account, unset the 'password expired' flag, disable
"Smart card logon" if your smart card has been lost, etc. Modifying the properties of the problem
account is easy. First you should select the target operating system's files.

Selecting data source

Two files are needed. These are either SAM and SYSTEM (in case you're modifying a local account) or
NTDS.DIT and SYSTEM (when you need to change the properties of a domain user). The program
automatically searches for these files and suggests the first ones it finds. You can also specify the paths to
these files manually. They are located in the %WINDIR%\system32\config and %WINDIR%\NTDS
folders, where %WINDIR% is your Windows directory. So the full path to the Active Directory database
may look like this: C:\Windows\NTDS\ntds.dit

Choosing a Windows account

Once the source files are selected, the program enumerates and displays the list of all found user
accounts. Select the one you need and click the 'Next' button to open the final dialog with the user's
properties.

Changing account properties

Here you can set or unset the different flags that control the behavior of the user account.

Be careful: changing some flags may cause the target account to be locked, disabled, etc.
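Because these flags can be changed offline, without leaving a logon trace, an administrator may want to compare account flags against a known-good snapshot. The following is an added example, not part of the original manual or of Passcape's code; it uses the UF_* bit values Microsoft documents for userAccountControl, and the snapshots, account names and function names are constructed for illustration (how the snapshots are collected is assumed).

```python
# UF_* bit values as documented by Microsoft for userAccountControl (lmaccess.h).
# In Active Directory, LOCKOUT and PASSWORD_EXPIRED are reported through the
# computed attribute msDS-User-Account-Control-Computed.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000040: "PASSWD_CANT_CHANGE",
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x040000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}

# Changes that relax protection of an account and deserve a second look.
WEAKER_WHEN_SET = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD"}
WEAKER_WHEN_CLEARED = {"ACCOUNTDISABLE", "LOCKOUT", "SMARTCARD_REQUIRED", "PASSWORD_EXPIRED"}


def decode(value):
    """Return the names of the known flags set in a flags value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def review(baseline, current):
    """Compare two {account: flags} snapshots and list the weakening changes."""
    findings = []
    for account in sorted(current):
        if account not in baseline:
            # Accounts created since the baseline was taken.
            findings.append(f"{account}: account not in baseline")
            continue
        changed = baseline[account] ^ current[account]
        for bit, name in sorted(UAC_FLAGS.items()):
            if not changed & bit:
                continue
            now_set = bool(current[account] & bit)
            if now_set and name in WEAKER_WHEN_SET:
                findings.append(f"{account}: {name} set")
            elif not now_set and name in WEAKER_WHEN_CLEARED:
                findings.append(f"{account}: {name} cleared")
    return findings


# Constructed snapshots: flags recorded earlier versus flags read now.
BASELINE = {
    "alice": 0x040200,       # normal account, smart card required
    "bob": 0x000200,         # normal account
    "svc_backup": 0x000202,  # normal account, disabled
}
CURRENT = {
    "alice": 0x000200,       # smart card requirement removed
    "bob": 0x000200,         # unchanged
    "support2": 0x000200,    # did not exist in the baseline
    "svc_backup": 0x010220,  # re-enabled, password not required, never expires
}

if __name__ == "__main__":
    for line in review(BASELINE, CURRENT):
        print(line)
```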

3.7 Password policy editor

Sometimes, for security settings to function properly, it is vital to set up the workstation's or
domain's password policy. For example, if you want to deny domain users the ability to log on to a system
without supplying strong passwords, you should restrict it through the domain password policy.
However, that would be quite a problem if you cannot log on to the workstation or to the domain as an
administrator. RWP's new password policy editor gets around the problem and allows changing
various password policy properties on any Windows system without logging on to the system.

Selecting data source

First of all, you will need to feed the program two system files:
- either SAM and SYSTEM, in case you want to modify the password policy of a workstation or a
standalone PC;
- or NTDS.DIT and SYSTEM, when you need to change the password policy properties of a domain.
The program should try to find the files automatically. You can, however, provide the paths manually.

Changing password policy

Here's a short description of what you can modify in the password policy of the target system:
· Minimum password length - minimum length of a valid password, in characters.
· Password history length - number of previous passwords saved in the history list. A user is not
allowed to reuse a password from the list.
· Maximum password age - maximum time (in days) that a password can remain the same.
Passwords older than this must be changed.
· Minimum password age - minimum length of time before a password can be changed.
· Password must meet complexity requirements - passwords must meet the following minimum
requirements: not contain the user's account name or a part of it, be at least six characters in length
(unless set otherwise), contain characters from at least three charsets, and not be one used previously
(if password history is set).
· The password cannot be changed without logging on - the password cannot be changed without logging
on. Otherwise, if it has expired, you can change it and then log on.
· Force to use a protocol that does not allow DC to get the plaintext password - forces the client to use
a protocol that does not allow the domain controller to get plaintext passwords.
· Allows the built-in administrator account to be locked out from network logons
· Store passwords using reversible encryption - forces plaintext passwords to be stored for all users
instead of hashing the passwords.
· Refuse weekly password change for machine accounts - removes the requirement for any machine
account to automatically change its password every week.

To disable an editable attribute, just set its edit box to zero.
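The manual warns several times that a new password which violates the policy will not let you log on. The following is an added example, not part of the original manual or of Passcape's code, that checks a candidate password against the fields described above; the name-token rule follows Microsoft's documented complexity filter, and `PasswordPolicy`, `violations` and the sample values are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass, field

# Delimiters used to split a display name into tokens (Microsoft's documented
# complexity rule): comma, period, hyphen, underscore, space, # and tab.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


@dataclass
class PasswordPolicy:
    """Subset of the policy fields listed above; 0 disables the length check."""
    min_length: int = 0
    complexity: bool = True
    # Previous passwords. Windows keeps hashes, not plaintext; plaintext is
    # used here only so that the example stays self-contained.
    history: list = field(default_factory=list)


def charset_count(password):
    """Number of character categories present in the password."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # Alphabetic characters that have no case (for example CJK).
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ])


def contains_name(password, account_name, full_name):
    """True if the password contains the account name or a full-name token."""
    lowered = password.lower()
    # The account name is only checked when it is longer than two characters.
    if len(account_name) > 2 and account_name.lower() in lowered:
        return True
    tokens = [t for t in _NAME_DELIMS.split(full_name) if len(t) >= 3]
    return any(t.lower() in lowered for t in tokens)


def violations(password, account_name, full_name, policy):
    """Return the list of policy rules the candidate password breaks."""
    found = []
    # With complexity on and no explicit minimum, six characters apply.
    min_len = policy.min_length or (6 if policy.complexity else 0)
    if len(password) < min_len:
        found.append("length")
    if policy.complexity:
        if contains_name(password, account_name, full_name):
            found.append("name")
        if charset_count(password) < 3:
            found.append("charsets")
    if password in policy.history:
        found.append("history")
    return found


# Constructed sample policy: 8 characters minimum, complexity on, one old password.
SAMPLE_POLICY = PasswordPolicy(min_length=8, history=["Spring2019!"])

if __name__ == "__main__":
    for candidate in ["", "Spring2019!", "JSmith#2024x", "correcthorse", "Tr4il-Mix-77"]:
        print(repr(candidate), violations(candidate, "jsmith", "John Smith", SAMPLE_POLICY))
```

The empty string fails both the length and the charset rule under this sample policy, which is why a blank reset password is rejected at logon until the policy is relaxed.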

Be careful: altering any value of the password policy affects the overall security of the Windows system!

3.8 Search for logon passwords

Setting search and recovery methods

Finding user’s passwords takes 11 steps:

1. Finding information in Windows system cache. This method, in turn, consists of over a dozen
mini-attacks, during which the program analyzes all kinds of system passwords, from secrets
through DSL, FTP, IM, etc. passwords.
2. Analyzing simple, short passwords, keyboard shortcuts, etc.
3. Password search using deep learning algorithms. Even though these algorithms are cut significantly
to meet CPU requirements, they work much better compared to previous ones.
4. Scan, parse and analyze most recently used files of the target system.
5. Primitive dictionary attack. The application checks all passwords from the built-in dictionary for the
Light and Standard editions or from several dictionaries (Arabic, Chinese, English, French, German,
Portuguese, Russian, Spanish) for the Advanced Edition. If the deep search option is on, simple word
mutations will also be taken into account during the search.
6. Primitive brute-force attack.
7. Artificial Intelligence attack. This is our little 'know-how'. The attack analyzes network activity of a
user on the computer. Over thirty mini-modules take care of that. Based on the results of the analysis,
the application generates user preferences and a semantic dictionary for the attack, which
it later uses for finding the password.
8. Look for passwords in deleted files.
9. Primitive Fingerprint attack on some complicated English passwords.
10. Extract strings from huge files: RAM images, hiberfil.sys, pagefile.sys and so on. When this option
is set, the program will try to skip files useless in password analysis like video, archives, audio files,
etc.
11. Search passwords by reading and analyzing raw sectors of the selected drive. This feature works for
both LM and NTLM hashes, looking for both ASCII and UNICODE passwords. If the 'Password
mutation level' is set to 'Favor efficiency', the program additionally tries to mutate all found
passwords, so walking through all sectors of the target drive may take quite some time. Note that the
sector-based scanning algorithm is not effective against drives that have full-disk encryption
enabled, such as Bitlocker or TrueCrypt.

Selecting data source

When searching for passwords, pay special attention to specifying the files and folders required for
the analysis process. Without those, password search will be inefficient. The application finds the files
automatically, but sometimes, e.g., when the computer has several operating systems installed, you
may need to use the 'manual control'. Please also keep in mind that if the computer has 2 or more hard
disk drives, the sequence of the letters for these disks may be totally different from that in the original
system.

Searching and decrypting passwords

Finding/analyzing passwords can take some time, which depends on attack settings and peculiarities of
your system. Completing the search normally takes approximately 10-15 minutes without the Passcape
table and disk search attacks. The Passcape table attack takes much longer and depends on your CPU
and the number of hashes to recover. For example, on a 2-core CPU it usually takes up to 3 minutes for
a single hash.

3.9 Search for domain cached passwords

Setting search and recovery options

Domain cached password recovery consists of several modules. Each one can be turned on/off
separately:

1. Finding information in Windows system cache. This module consists of over a dozen mini-attacks,
during which the program analyzes all kinds of system passwords: LSA secrets, DSL, FTP, LAN,
WAN passwords, Internet and email credentials, etc. Later the found passwords are used by the
program to check other passwords by generating more complex variations.
2. Analyzing simple, short and numeric passwords, keyboard combinations, etc. Over 20 mini-modules
in total.
3. Scanning, reading and analyzing most recently used files of the target system. The program parses
the files and creates a list of words (by generating various mutations) to be checked as passwords.
4. Primitive dictionary attack. The application checks all passwords from the built-in dictionary for the
Light and Standard editions or from several dictionaries (Arabic, Chinese, English, French, German,
Portuguese, Russian, Spanish) for the Advanced Edition. If the deep search option is on, simple word
mutations will also be taken into account during the search.
5. Primitive brute-force module that consists of several simple attacks to search for short passwords.
6. Artificial Intelligence module analyzes network activity of users on the target computer. Over thirty
mini-modules take care of that. Based on the results of the analysis, the application generates user
preferences and creates a semantic dictionary for the attack. Then the dictionary is used for
guessing passwords.
7. Looking for passwords in deleted files.
8. Primitive Fingerprint attack on English passwords. This module may take a lot of time to complete.
9. Extract strings from huge files: RAM images, hiberfil.sys, pagefile.sys and so on. The program can
skip files useless in password analysis like video, archives, audio files, etc.
10. Searching for passwords by reading and analyzing raw sectors of the selected drive. If the Password
mutation level is set to 'Favor efficiency', the program additionally tries to mutate all found passwords
as well, so walking through all sectors of the target drive may take quite some time. This module is not
effective for drives that have full-disk encryption enabled, such as Bitlocker or TrueCrypt.

Selecting data source

When searching for domain cached passwords, pay special attention to properly setting the files and
folders required for the process. RWP finds the files automatically, but sometimes, e.g., when the
computer has several operating systems installed, you may need to adjust them manually. Also keep in
mind that if the target PC has 2 or more hard disk drives, the sequence of the letters for these disks may
be totally different from that in the original system.

Searching for domain cached passwords

Domain cached credentials are of two types. DCC type 1 has very weak encryption and was used in
Windows 2000, Windows XP and Windows 2003 OSes. The recovery rate can exceed millions or even
billions of passwords per second. DCC type 2 is used in Windows Vista and later operating systems. Its
encryption is much stronger and quite resistant to cracking. The brute-force speed is only
hundreds or thousands of passwords per second. Just imagine: guessing an 8-character password
consisting of upper and lower case letters using a brute-force attack might take over 1000 years!

Do take into account the following considerations:

· The process of searching for DCC type 2 is extremely slow. Completing some modules (for example,
Fingerprint attack) may take hours or even days.
· To speed up the search, select only the account you need the password for. Just right-click the cached
entry and select 'Exclude from search all entries except selected'. Otherwise, the speed of the
password recovery will decrease by a multiple of the number of accounts.

3.10 Dump password hashes

Selecting data source

At this step, specify the location of the SAM and SYSTEM files or, in the case of domain users,
ntds.dit and SYSTEM.

Export password hashes

Select the format and type of the dump file. While generating the dump, you can also delete
individual account attributes that are of no value to you. If the Passcape format is selected, you
can also dump plaintext passwords (if any were found). The application scans your computer for
such passwords and, if any are available, maps them to the accounts while saving to the dump file.

Plaintext passwords are stored in the domain when the option ‘Store passwords using reversible encryption
for all users in the domain’ is set; you can find it in the Group Policy console.

Further on, you can use the dump file with different password audit and recovery applications.

Please note also that Reset Windows Password, thanks to the AI attack technology developed by
Passcape Software, can decrypt passwords to certain accounts literally instantly, without searching. For
details, please refer to the Lookup user passwords section.

3.11 Dump domain cached passwords

Selecting data source

For decrypting domain cached credentials, the program needs to 'know' the location of two system
registry files: SECURITY and SYSTEM. Select them from the list or, if the application was unable to
locate them, provide the path to them manually.

Dumping domain cached credentials

The final dialog provides just two options:

- Dump file format. ASCII is good for all cases, but problems may occur with non-English user names
and, consequently, with further analysis and decryption of those hashes. UNICODE supports all
languages, but compatibility problems may occur when reading this format in different applications.
- Dump file type. CACHEDUMP is a simple but widespread format, so no compatibility
problems will occur. However, this format imposes a number of restrictions. First, it does not support
non-English user names, so later on you will be unable to decrypt the account password,
as it is bound to the name. Second, the current version of the CACHEDUMP format does not support
Windows Vista and later operating systems.
The Passcape format is free from these disadvantages and can be successfully used in password audit and
recovery applications like, for example, Network Password Recovery.

3.12 Restoring previous modified password

Choosing a roll-back file

If for whatever reason you need to undo (i.e. restore) a password that was reset or modified earlier,
on the second step of the Wizard, provide the application with the *.puc file with the roll-back (undo)
sessions. Select the type of data to be restored: regular SAM account password, Active
Directory, DSRM password or domain cached credentials, password policy flags. After that, select the
date when the change was made.

Restoring previously modified password

On the last step, the application will offer you to review the details of the undo session; please pay close
attention to the last three items:

· Account to be managed.
· Data to be restored. That’s the data you have modified at some point.
· Whether or not this undo session has been used already.

Consider the following situation as an example:

A computer security expert needs to log on to Windows under a certain account. The password for that
account is unknown. At the same time, the account password must remain unmodified.

Here is the routine:

· Run Reset Windows Password, select the corresponding account and reset its password. At the
same time, save the undo session to a *.puc file (the application will prompt you to do that when you
modify the password).
· Close Reset Windows Password and start Windows. Log on under the modified account with the blank
password. Do what you need under that account.
· Now you need to restore the old account password. For that purpose, reboot once again and launch
Reset Windows Password. On the main menu, select ‘Restore previously modified password or data’ and
enter the path to the undo file where you saved the changes you made. Move on to the third step
and make sure that this is the account you need. Click on the <<Restore>> button, and the old
password will be restored.

3.13 UTILS

3.13.1 Decrypt Windows Hello credentials


Windows Hello is a biometric security system that allows Windows users to log into the OS, applications
and their devices without passwords, using a fingerprint, iris scan, facial or voice recognition instead.
Windows Hello stores different types of users' personal information: digital identities, PINs, plaintext
logon passwords, etc.

Selecting Windows directory

Reset Windows Password recovers all kinds of personal data saved in Windows Hello. First of all, you
will need to specify the Windows directory of the target Windows 10 system.

Decrypting passwords

The program should then scan the target Windows directory for any personal data and output the found
information to the screen. Reset Windows Password automatically decrypts logon passwords if the user
account was set up to log on using biometrics, for example, fingerprint or face recognition.

Some items in the table may be marked in red. It means that to finalize the decryption the program
needs to know the PIN code of the user account. Double-click the item and type in the PIN that
corresponds to the user account.

3.13.2 Lookup PIN


When you first set up Windows Hello, you're asked to create a PIN. The PIN is used as an alternative to
biometric logon when the biometric sensor is unavailable or not working properly. Unlike Windows 8,
Windows 10 ensures very strong encryption (using even undocumented features and APIs) to protect
PINs. Therefore, recovering a forgotten PIN is an extremely important problem that faces every user.

Selecting Windows directory

First of all, you should select the Windows directory or browse for it manually.

Setting up search and recovery options

On the next step, the program offers the available recovery methods used to search for PINs. The program's
code is highly optimized for speed. In spite of this, the process of searching for a PIN is extremely
slow. For this reason, it is highly recommended to turn off the most time-consuming attacks, for example,
as in the picture above.

Searching for PIN

The search speed is inversely proportional to the number of PINs sought. That is, the more PIN codes are
searched simultaneously, the lower the search speed. Therefore, it is recommended to exclude all
unnecessary PINs from the search and leave only the necessary one. You can do it simply by right-clicking
on the PIN you need to recover and selecting 'Exclude all except selected'. To start the process, hit the
<< FIND PINS >> button.

Note that some PINs can be guaranteed to be decrypted in a reasonable amount of time. If the
program detects such a vulnerable PIN, it offers to launch the guaranteed recovery, just like on the
screenshot below.

3.13.3 Search for SYSKEY startup password


Syskey is an additional layer of security, first introduced in Windows 2000. It is used by default
and offers 3 types of protection:
1. Default - the syskey encryption key is stored in the Windows registry.
2. Startup disk - the syskey encryption key is stored on a diskette.
3. Startup password - the syskey encryption key is generated from a user pass-phrase.

Scammers take advantage of the power of SYSKEY and often set a syskey startup password on a victim's
PC. Usually they contact you with a thick Indian accent, identify themselves as a member of Microsoft
support and tell you that your PC needs to be fixed immediately because it has a critical problem. They will
try to convince you to allow them to connect to your system remotely and fix the issues. If you do make that
mistake, they will set a SYSKEY startup password. Since you do not know the password, after
restarting the system you will get a screen like the one below and will not be able to log on unless
you pay for the fix.

Fortunately, in most cases the passwords they use are pretty trivial and can be decrypted using our
SYSKEY password lookup feature. You will have to go through 3 simple steps to start searching for the
password.

Setting SYSKEY recovery methods

SYSKEY password lookup may take quite some time and consists of the following steps:

1. Searching for information in Windows system cache. This method consists of over a dozen mini
sub-attacks, during which the program analyzes all kinds of user passwords: LSA secrets, DSL, VPN,
WiFi, FTP, IM, browser passwords, etc.
2. Analyzing simple, short passwords, keyboard combinations, etc.
3. Scan, parse and analyze most recently used files of the target system.
4. Primitive dictionary attack. The application checks all passwords from the built-in dictionary for the
Light and Standard editions or from several dictionaries (Arabic, Chinese, English, French, German,
Portuguese, Russian, Spanish) for the Advanced Edition. If the deep search option is on, simple word
mutations will also be taken into account during the search.
5. Primitive brute-force recovery will try to reveal short passwords. The brute-force options also
depend on the mutation level.
6. Artificial Intelligence attack analyzes network activity of a user on the computer. Based on the results of
the analysis, the application generates user preferences and a semantic dictionary for the
attack, which it later uses for finding and guessing the password.
7. Look for passwords in deleted files.
8. Searching for complicated English passwords (Fingerprint attack).
9. Extract strings and words from huge files: RAM images, hiberfil.sys, pagefile.sys and so on. When
this option is set, the program will try to skip files useless in password analysis like video, archives,
audio files, etc.
10. Search passwords by reading and analyzing raw sectors of the selected drive. If the 'Password
mutation level' is set to 'Deep search', the program additionally tries to generate different
combinations and 'mutate' found passwords, so walking through all sectors of the target drive may
take quite some time. Note that the sector-based scanning algorithm is not effective against drives that
have full-disk encryption enabled.

Selecting data source

When searching for the SYSKEY startup password, special attention is to be paid to supplying the correct
files and folders required for the analysis process. Otherwise, the password search will be inefficient or even
unavailable. The application tries to locate the files automatically, but sometimes, e.g., when the
computer has several operating systems installed, you may need to select them manually.
Please also keep in mind that if the problem PC has 2 or more logical drives, the drive letters
assigned to these disks may differ completely from those in the original system.

Searching for SYSKEY password

Finding/guessing the password may take some time, which depends on attack settings and peculiarities
of your system. Note that only simple and vulnerable passwords can be recovered!

Once you retrieve the SYSKEY plaintext password, all you need to do is turn off the SYSKEY startup
prompt and set your system back to its original state. Turn on your problem PC and use the found
password to bypass the SYSKEY startup dialog. Then log on to your Windows account, press
'Win+R', type in 'SYSKEY' and click the 'OK' button.

This should bring up the SYSKEY options dialog. All you need here is to click the 'Update' button and
switch the 'Password Startup' option back to 'System Generated Password' by supplying the found
plaintext.

So, after all changes, you should have it look like this:

3.13.4 Search for lost product/CD keys


Using this feature, you can easily recover lost product keys and serial numbers, even if the target
system is not bootable any longer.

Almost all commercial programs for Windows come with a serial key that binds the program to your PC
and makes the software legal or fully featured. By losing this key, you will no longer have access to your
own software unless you get the key back. Just imagine that one day you need to reinstall your
operating system. There might be a lot of reasons why you want to do so, from updating to getting rid of
viruses, fixing a problem, etc. And after reinstalling, you will find out that you need to reinstall most of
your software and supply it with serial codes that you no longer have access to. Without the keys, you
cannot reinstall the software.

Luckily, a large proportion of computer programs store their product keys in the Windows registry, and
the keys can thus easily be extracted. That's what this feature is for. Using a built-in script language, 'Reset
Windows Password' can recover serial keys for more than 1,000 software products. And yet it is very
simple to use.

First, indicate to the program whether you need to recover serial keys for all local users or for a selected
account only. Recovering keys for all user accounts needs at least two parameters to be set properly:
1. SOFTWARE registry file that is located in the following directory: 'C:\Windows\System32\Config'.
Note that the drive letter as well as the Windows folder may be different. For example, 'D:\Windows',
'E:\Win', etc.
2. Profiles folder. That is the directory where all local user accounts are physically stored. For Windows
Vista and higher OSs, it is usually 'C:\Users' while Windows XP uses the 'C:\Documents and Settings'
folder. Usually, the profiles folder is on the same drive where the Windows directory is located, not
always though.
The program will attempt to detect these folders automatically. All you need to do is select one from the
drop-down list or specify an alternative path.

If you need to recover serials for a certain user, just set the appropriate option and additionally select the
user from the 'User profile directory' list.

After the required options are set, proceed to the final step and click the '<< FIND KEYS >>' button
to start searching for lost serial keys.

3.13.5 Search for Internet/mail/network passwords


One of the application’s most notable features is searching and decrypting PC users’ network
passwords. Reset Windows Password supports all major popular browsers and email clients. The
interface is split into three steps to make the process as easy as possible, and the specific details are
left to the program.

On the first step of the Wizard, the program prompts you to select the type of passwords to be searched
for and the source drive with the Windows folder. By default, the program selects the first hard drive,
where the operating system is installed.

On the next step, specify the location of the Windows folder and the folders where the program will try to
find the passwords: all user profiles or only the selected one. In the latter case, select the respective
folder.

In the final dialog, clicking the << Search Passwords >> button launches the process of gathering,
analyzing, and decrypting data. Please be patient; depending on the selected options and the number of
users in the system, the process may take quite some time.

3.13.5.1 Search for Web passwords stored by Internet browsers


Selecting the internet password search opens a screen like this:

The application decrypts passwords from all major Web browsers:


· Internet Explorer
· Edge
· Firefox
· Opera
· Chrome
· Safari
· Majority of Mozilla-based browsers: Flock, Seamonkey, Pale Moon, Waterfox, etc.
· Major browsers based on Chromium sources: Comodo Dragon, CoolNovo, Google Chrome, Yandex
browser, and so on.

Web browsers use different algorithms for protecting users’ personal data. Passwords from the following
browsers can be decrypted almost instantly:
· Internet Explorer 4-6
· Firefox and other Mozilla-based browsers (unless Master Password is set)
· Old versions of Opera (unless Master Password is set)

Decrypting other data requires additional information. That is usually the Master Password or the user
logon password:
· Internet Explorer 10
· Edge
· Firefox (if Master Password is set)
· Opera (if Master Password is set)
· Chrome
· Safari

To activate the next step of the decryption, simply double-click on the record highlighted in red.

Internet Explorer 7-9 require three-step decryption. First, one should enter the URL where the password
was saved, then enter the account password. More information on this tricky kind of protection used in
Internet Explorer 7-9 can be found in our article.

3.13.5.2 Search for mail passwords saved by email clients

The following email clients are supported:


· Outlook Express
· Microsoft Office Outlook
· Internet Mail
· Internet Live Mail
· Windows Mail
· TheBat!
· Incredimail
· Eudora

Please keep in mind that some email passwords could be stored in browsers. This depends on whether
the user used the email client or read their email using a Web browser. Passwords from Outlook
Express, TheBat!, Incredimail, Eudora, and some versions of MS Office Outlook can be decrypted
almost instantly. Decrypting other data requires the account password. Simply double-click on the
record highlighted in red. That activates the second step of analyzing found data. If the entered user
password matches the other records, they will be decoded automatically.

3.13.5.3 Search LAN/WAN/RAS/DSL/VPN/WiFi and other network passwords

For gathering network passwords, the program has several modules for reading and decrypting secrets
of LSA, protected storage, password manager, Windows Vault, etc.

The decryption of data stored in LSA secrets and in the protected storage is carried out automatically
and does not require entering additional parameters. This applies to the following data:
· Cached user passwords
· Passwords of some system accounts, SQL server, remote assistant, etc.
· Passwords of services launched with specific credentials
· Some network passwords stored in server OSes
· Wired connection passwords: RAS, DSL, VPN, etc
· Passwords from old versions of Internet Explorer/Outlook/Outlook Express/FTP, etc.
· Passwords for wireless (WPA/WPA2) connections
· Passwords from domain group policies

For other passwords protected with DPAPI, the user account password is required for successful
decryption:
· Passwords stored in Credential manager: passwords for remote computers in your LAN, passwords
for some mail accounts (stored by Microsoft Outlook), MSN Messenger passwords, Internet Explorer
7-9 passwords for Web sites that use Basic Authentication or Digest Access Authentication, Remote
Desktop, RSS feed credentials, etc.
· Windows Vault records: passwords for some versions of Internet Explorer/Outlook/Windows Mail,
account passwords when using PIN/Picture password or biometric authentication (only for Windows
8).

More on DPAPI encryption can be found in our detailed review that covers this protection method.

In some server operating systems, the program can successfully exploit the vulnerability we have found,
which allows decrypting DPAPI blobs without entering the data owner’s account password! More
information on this is available in our article that covers vulnerabilities in server OSes.

3.13.6 Search for password-protected documents


This feature scans a PC for encrypted documents and password-protected
archives and files. It is easy to use, and fast and flexible in its configuration. You can even specify your
own file types to look for. The search process is divided into three simple steps:

1 Selecting document type

By default, the program searches for the following pre-defined documents:


· File archives (zip, rar, 7z)
· Adobe PDF documents
· MS Word documents
· MS Excel tables
· MS Access databases
· MS PowerPoint presentations
· MS OneNote notes
· MS Outlook data files
· OpenOffice/LibreOffice Writer documents
· OpenOffice/LibreOffice Calc tables
· OpenOffice/LibreOffice Base databases
· OpenOffice/LibreOffice Impress presentations
· OpenOffice/LibreOffice Draw documents
· OpenOffice/LibreOffice Math documents

Use the [>] and [<] buttons to include or exclude available documents from the search process. If you
want to add your own file types to search for, use the [+] button and specify your description and a
search mask. For example, the following mask can be used to search for KeePass data files:
*.kdbx, *.kdb, *.pwd
Keep in mind that password protection analysis is not used for the custom masks.
The 'Check if document protection is set...' option is used to completely turn off the password protection
analysis. That could significantly speed up the search process in some cases.

2 Selecting where to search

You can narrow down the scanning range by setting up, for example, the 'Documents' folder for a
selected account, or choosing a certain directory.

3 Searching for documents

Even though the program was optimized for fast search, scanning hard disks with a lot of files may take
a long time. After the search is over, right-click the list of found documents to show the available
operations. For example, you can save the list of files found to a text/html file, or create a single zip
archive for the selected items.
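The three steps above (document types, search location, search) can be reproduced in a few lines for auditing purposes. The following is an added example, not Passcape's code or the program's actual algorithm: it covers only a subset of the pre-defined types, leaves custom masks without protection analysis as the manual describes, and its format checks (ZIP encryption flag, PDF /Encrypt entry, OOXML EncryptedPackage stream) are heuristics chosen for this sketch. All function names and sample files are constructed.

```python
import fnmatch
import os
import tempfile
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")         # OLE compound-file signature
ENC_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML

def zip_protected(path):
    """True if any member has general-purpose flag bit 0 (encrypted) set."""
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def pdf_protected(path):
    """Heuristic: an encrypted PDF references an /Encrypt dictionary."""
    with open(path, "rb") as fh:
        return b"/Encrypt" in fh.read()

def ooxml_protected(path):
    """Password-to-open OOXML is an OLE file holding an EncryptedPackage stream."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.startswith(OLE_MAGIC) and ENC_PACKAGE in data

# Subset of the manual's pre-defined types: description -> (masks, checker).
PREDEFINED = {
    "File archives (zip)": (("*.zip",), zip_protected),
    "Adobe PDF documents": (("*.pdf",), pdf_protected),
    "MS Office documents (OOXML)": (("*.docx", "*.xlsx", "*.pptx"), ooxml_protected),
}

def classify(name, custom_masks):
    """Return (description, checker); custom masks get no checker."""
    lower = name.lower()
    for desc, (masks, checker) in PREDEFINED.items():
        if any(fnmatch.fnmatchcase(lower, m) for m in masks):
            return desc, checker
    for desc, mask_list in custom_masks.items():
        masks = [m.strip().lower() for m in mask_list.split(",")]
        if any(fnmatch.fnmatchcase(lower, m) for m in masks):
            return desc, None
    return None, None

def find_documents(root, custom_masks=None, check_protection=True):
    """Map relative path -> (description, protected); protected is None when
    no analysis ran (custom mask, analysis off, or unreadable/corrupt file)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            desc, checker = classify(name, custom_masks or {})
            if desc is None:
                continue
            path = os.path.join(dirpath, name)
            protected = None
            if checker and check_protection:
                try:
                    protected = checker(path)
                except (OSError, zipfile.BadZipFile):
                    protected = None  # could not be analysed
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found[rel] = (desc, protected)
    return found

def make_constructed_samples(root):
    """Write small constructed files (not real documents) to exercise the scanner."""
    os.makedirs(os.path.join(root, "docs"))
    plain = os.path.join(root, "plain.zip")
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    with open(plain, "rb") as fh:
        raw = bytearray(fh.read())
    cd = raw.find(b"PK\x01\x02")  # central directory header
    raw[cd + 8] |= 0x01           # set the 'encrypted' flag bit
    samples = {
        "locked.zip": bytes(raw),
        "docs/open.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
        "docs/locked.pdf": b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
        "docs/locked.docx": OLE_MAGIC + b"\x00" * 64 + ENC_PACKAGE,
        "docs/broken.zip": b"not a zip archive",
        "vault.kdbx": b"\x00" * 16,
        "notes.txt": b"ignored: matches no mask",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

def demo(check_protection=True):
    """Scan the constructed samples with the manual's KeePass custom mask."""
    with tempfile.TemporaryDirectory() as root:
        make_constructed_samples(root)
        custom = {"KeePass data files": "*.kdbx, *.kdb, *.pwd"}
        return find_documents(root, custom, check_protection)

if __name__ == "__main__":
    for rel, (desc, protected) in sorted(demo().items()):
        print(f"{rel:18} {desc:30} protected={protected}")
```

A result of `None` means the file matched a mask but was not analysed, which is the state every entry is in when the protection check is switched off.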

3.13.7 Search for recently opened files


Sometimes it is vital to get a list of the last modified documents for a user account. For example,
forensic analysts can use this tool to analyze files accessed by the user during the last logon session.

1 Selecting where to search

To extract the data, specify the target Windows directory and the user's profile.

2 Searching for recent files

Click the 'Search Files' button to start the process. After the search is over, right-click the table to
display the available operations. You can save the list of found items to a text/html file, or back up the
selected files into a zip archive.

3.13.8 Backup passwords and sensitive information


Sometimes it is vital to make a copy of Windows registry or an Active Directory database. Reset
Windows Password is a lifesaver for those who need to back up the files easily. It can even make a
snapshot of all sensitive data of the target PC in just a couple of clicks.

First, we need to set up what to back up:


· Windows registry files
· Active Directory database
· All sensitive information including Windows registry, passwords, certificates, etc.

You will have to set a source drive where the target Windows directory resides and a target path. The
target path will be used to save the output archive files. By default, the program suggests the first hard drive
as the source and the first removable drive as the target.

The next step is a bit simpler. If you selected Registry/Active Directory backup in the previous step,
all you need to do here is confirm the Windows/AD folders. Otherwise, you will additionally have to select either
the profiles directory or the profile directory for the selected user, depending on the options you chose.

The final dialog simply shows the progress of the backup operation. Click the << Back up files >> button to
start the process. Upon successful completion you should get a *.ZIP archive which holds all requested
files. Later you can use these files to analyze the secret data in any third-party software, for example, in
the Windows Password Recovery tool.

3.13.9 Removing user’s private information


Selecting data to be removed

The application has a number of advanced features. One of them is deleting information that can be used
by potential malefactors for recovering account passwords on your computer. Be careful; the information
will be removed permanently with no chance of recovery. The feature covers the following items:

1. Deleting password history for standard SAM accounts and Active Directory user accounts. SAM
password history, for example, is set in the group policy of the local computer: Start -> Run ->
gpedit.msc -> click OK. Under Computer Configuration, drill down to Windows Settings ->
Security Settings -> Local Policies -> Security Options. Here, look for the policy 'Interactive Logon:
Number of previous logons to cache'.
2. Deleting domain cached passwords. More on domain cached passwords can be read here.
3. Deleting cached Windows logon password.
4. Deleting password reset diskette information. With that information and the password reset disk, one
can recover the original textual password.
5. Deleting password hints.
6. Resetting SYSKEY.

To continue with the application, provide (or select from available) the following files:
- Deletion of AD password history – SYSTEM registry file and Active Directory database file (ntds.dit)
- Deletion of SAM password history – SAM and SYSTEM registry files
- Deletion of cached domain passwords – files SECURITY and SYSTEM
- Deletion of cached logon passwords – files SECURITY, SOFTWARE and SYSTEM
- Deletion of password reset information - files SAM, SECURITY and SYSTEM
- Deletion of password hints - SAM, SOFTWARE and SYSTEM
- Resetting SYSKEY - SAM, SECURITY and SYSTEM

All registry files, except the Active Directory database, are stored in the %WINDIR%\system32\config
directory, where %WINDIR% stands for the Windows folder (by default, C:\Windows).

The location of the AD database is set during installation. By default, that’s the %WINDIR%\NTDS
folder.

3.13.9.1 Removing password history of SAM or Active Directory users


Selecting data source

Selecting user account

On the account list, select the one we need to delete password history for. The application shows only
users that have history.

Deleting password history

Click <<Delete>> and get rid of the unnecessary information permanently.

3.13.9.2 Removing domain cached passwords


Selecting data source

Selecting user account

Choose the account you want to remove the passwords for.

Deleting domain cached passwords

Just confirm deleting all domain cached passwords for user1 account.

3.13.9.3 Removing cached logon password


Selecting data source

Deleting Windows cached logon password

And confirm the permanent removal of cached logon passwords.

3.13.9.4 Removing password reset disk information


Selecting data source

Selecting user account

Check the user whose information we want to delete. When a password reset disk is created, the user’s
encrypted password is stored in the registry, while the diskette stores the encryption key. Deleting the
encrypted password from the registry makes the password reset diskette
useless.

Deleting password reset diskette information

Confirm deletion.

3.13.9.5 Removing password hints


Selecting data source

Password hints are stored either in the SOFTWARE registry (Windows XP, Windows 2003) or in the
SAM file (Windows Vista and higher OS). The decryption will also require the SYSTEM file.

Selecting user account

Select the user whose hint is to be cleared from the system and then follow the final removal dialog.

Removing hints

3.13.9.6 Resetting SYSKEY


Selecting data source

First you need to point to 3 registry hives: SAM, SYSTEM and SECURITY. Usually SYSKEY resides in
your SYSTEM registry under the HKLM\CurrentControlSet\Control\Lsa key. But once you have set
SYSKEY to require, for example, a startup password and then forgotten it, there is no chance of booting
your system. Needless to say, SYSKEY is an extremely effective tool in the hands of a guru. Setting the
SYSKEY option to require a startup password or boot diskette is very effective against ANY(!) Windows
password breaker. In that case, a password extractor program cannot decrypt your password hashes
even if it gets full access to your system.

Resetting SYSKEY

Note! SYSKEY resetting is an unsafe operation that affects the whole system security. For example,
after SYSKEY is reset, even if you can log on to your system, you will not be able to decrypt your
EFS-protected files, and all DPAPI-protected passwords (e.g., Outlook saved passwords) will be discarded as well.

There are a number of programs on the Net that claim they can reset SYSKEY. But none of them
works correctly at the moment. The reason is that SYSKEY resetting requires a lot of additional
operations to prevent your system from being broken. For example, you also need to zero out the SAM
domain session key(s), re-encrypt and reset local user hashes, LSA secrets, etc. Reset Windows
Password has 2 algorithms for resetting SYSKEY. If the primary one fails, the other one runs. After
SYSKEY is reset, all local user passwords will be set to blank automatically.

Note! After resetting SYSKEY on Windows 8 and later OSes, you should change the password for every
LiveID/Microsoft account to a non-empty one. Otherwise you will not be able to log on to the system with
an empty password.

3.13.10 Loading additional hard disk drivers

If the application was unable to detect one or several hard disk drives at startup, you will most likely
need to install a driver for that device. In the main window, on the task list, select ‘Load
IDE/SATA/SCSI/RAID/NVME driver’ and go to the driver installation dialog. The software comes with
several popular hard drive controller drivers: ATI, Highpoint, Intel, Jmicron, Marvell, Nvidia, Silicon Image,
Sis, Uli, Via, Vmware.

They all are stored in the folder X:\Apps\Drivers. For example, if your HDD controller is built upon the
Nvidia chipset, load the corresponding *.INF file from the folder X:\Apps\Drivers\Nvidia.

Normally, when you buy a new PC, you get a CD with the motherboard and hard disk drivers.
You can, and are even highly encouraged to, use that disk for installing drivers for the missing devices.
Be careful; the drivers should be compatible with the Windows 10 x64 operating system! Please refer to the
manual for your motherboard for more information on installing the drivers.

In Reset Windows Password, drivers are installed 'on the fly'; therefore, rebooting the system is not
required. Upon completion, the found devices should appear on the list of data storage devices. Once
the required driver is installed and the hard disk drive is found, you can go on with the next steps.

3.13.11 Unlock Bitlocker encrypted drives

BitLocker is a full-drive encryption feature. It was first introduced in Windows Vista and is intended to protect your
data even if someone has physical access to your PC or laptop.

BitLocker encrypts all files on a drive, including those needed for startup, so the drive's content is invisible to
the system. In order to unlock the drive and get access to its content, you should use one of the following
unlock methods:
· Unlock the drive with volume unlock password
· Unlock using recovery (numerical) password
· Unlock using external recovery key
· Unlock using Bitlocker certificate

Just select your BitLocker-encrypted drive along with the required unlock type and click the << UNLOCK >>
button to decrypt it. The operation takes several seconds.

To extract Bitlocker recovery passwords from Active Directory, you can use our Windows Password
Recovery tool.

3.13.12 Mounting virtual drives

This dialog allows you to mount a disk image to the system as a virtual drive. You can then refer to the
new drive by its volume letter. Images are mounted as read-only so that the original file is not altered.
The following formats are supported:

AF*, BIN, DD, E01, FLP, IMG, ISO, NRG, S01, SDI, VHD, VMDK and some others.

Be patient: mounting some image types may take up to several minutes to complete.

3.14 FORENSICS

3.14.1 Logon history and statistics


This is a tool to view miscellaneous logon statistics of both regular and domain users.

Selecting Windows directory

First of all, you should select a target Windows directory or browse for it if the program fails to detect
one automatically.

Type of the logon accounts

Once the Windows directory is selected, the program will try to detect if the system contains any
domain accounts (in addition to regular ones). Select the type of the logon accounts you want to view
the statistics for and proceed to the next step.

Available reports

Here you can choose one of the following reports:


· Last logons - displays last logon date of the users
· Logon activity - outputs most active users
· Last logoffs - unfortunately, most versions of Windows stopped saving the logoff date. However, some
related information is available in 'User activity'.
· Bad password logons - the last time when a user attempted to log on to his/her account with an
invalid password.
· Password age - the last time when a user changed his/her password.
· Account age - when the account was first created.

Some of the reports are unavailable for domain cached accounts.

Logon statistics

You can copy statistics to the clipboard or save it to file.

3.14.2 Hardware history


The hardware history enumerates all hardware of the target OS and sorts it by installation or last
arrival/removal date.

Selecting Windows directory

Select the target Windows folder first. The program usually does it automatically.

Select output filters

Set up additional output filters to skip unnecessary items. You can set the program to display
only hardware that was installed or last arrived/removed on the date you specify.

Hardware history information

To sort the list, click one of the columns.

3.14.3 Software history


The software history displays all the programs that were installed in the target OS.

Selecting a type of software installations

Select which type of software installations you want to view. This is either user-specific installations
(programs installed for a certain user account) or system-wide installations (programs that are available
for all users).

Output filters

You can have the program display all items or only items that were created between given dates. An
additional option hides some system components, such as system updates.

Software installations

To sort the list, click one of the columns.

3.14.4 Network history


The network connection history displays all available networks along with their installation and last
connection dates.

Selecting Windows directory

Select the target Windows folder first. The program should do it for you.

Setting output filters

Set up additional output filters to display only networks of your interest.

Network connection history

The extracted networks usually contain the date they were created and the last connection date. To
sort the list by date, click the corresponding column.

3.14.5 Recent user activity


This tool collects all available information about recent user activity that occurred on this computer.

Selecting a type of activity

First of all, select if you want to view system-wide or user-specific data.

Setting output filters

Then specify if all entries are to be displayed or only ones that fit into specific time frames.

Displaying recent user activity

Be patient: gathering the statistics may take quite some time.

To hide unnecessary records, right-click the list and select the appropriate menu item.

The current version of the program supports the following information (some items are not available in
old OSes):
· Last items in file open/save dialogs
· Task Run items
· Mapped network drives
· Recent network find items
· Recent file/folder find items
· Recent files of Windows applets
· Last opened Regedit key
· Recently opened documents
· Recently opened MS Office documents
· Recent Outlook accounts and connections
· Recently run applications
· Recent application items
· Recent RDP connections
· Internet Explorer typed URLs
· Explorer typed paths
· Explorer search history
· Explorer User Assist items
· Recent background activity items
· Recent desktop activity items


· Wireless connections
· Bluetooth activity
· Recent portable devices
· Windows installation date
· Last system shutdown date

3.14.6 System events


All Windows OSes log various types of events that occur in the system from time to time: errors in device
or driver installations, application failures, security notifications, etc. Events help users and
administrators to eliminate errors, perform diagnostics, monitor the system and maintain its security.
Events are stored in *.evtx files and are recorded in chronological order. Every evtx file corresponds to
a specific event source or to an operating system component. For example, system.evtx keeps track of
common system notifications, Security.evtx holds all security events, and so on.

The system event viewer is a simple tool that displays major events that occur in Windows Vista
and later OSes. For example, system startup and shutdown, user account logon and logoff, driver
installation, etc.

Selecting Windows directory


First, you must select the Windows directory that holds the event logs. Typically, C:\Windows or
D:\Windows.

Setting output filters

On the next step, you can additionally configure output filters to display events that occurred within a
specific time frame. There's also an option for displaying all events (even unknown to the program). If the
option is set, the program outputs known/major events only, all events otherwise.

Viewing Windows events


Collecting and processing the information may take considerable time, depending on the size of the *.evtx
files of the target system. To hide records that are of no interest to you, right-click
on the list of events and select one of the corresponding menu items. To sort the list, click one of its
headers.

3.14.7 Web history


The Web history allows you to extract and collect statistics of visited Web pages, saved cookies, stored
form autocompletion data and saved passwords. The program supports all popular browsers: Internet
Explorer, Edge, Opera, browsers based on Mozilla source code (Firefox, SeaMonkey, etc.), Chromium
(Google Chrome, YandexBrowser, 360 Extreme Explorer, etc.)

Selecting data source


Initially, RWP asks you to select the data source to search. This is either a specific user's profile or
the profiles of all users.

What to search for


By default, the program tries to search for the following items. You can turn each of them on or off
separately:
· The list of visited URLs
· Form auto-completion data
· Logon names and passwords (only those that can be decrypted instantly)
· Cookies. May be used for determining what sites were visited and when, whether the user was logged in and so on
· Download history. Note that not all browsers keep this information

Setting up time filters


You can set up an additional time filter to skip out-dated or unnecessary items.

Web history


The statistics can be copied to the clipboard or saved to a file. Using the context menu, you can also
hide some items that are not of interest to you.

Where do browsers store their lists of visited URLs?

Internet Explorer
Visited places are stored in the index.dat file. The index.dat contains different records: visited URLs and
local files, web mail accesses, cookies, etc. The database file has its own format (Client UrlCache
MMF) and was first introduced in Internet Explorer 5. The format of the index.dat file has not changed much
since that time. The physical location, however, may vary:
C:\Users\<USERNAME>\AppData\Local\Microsoft\History
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\History
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Internet Explorer\UserData
Older OSes use different paths to keep the file.

Internet Explorer - typed in URLs


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Microsoft Edge


Similar to Internet Explorer, Microsoft Edge keeps the history of the Web browsing, cache, cookies,
along with other information in a single file called WebCacheV01.dat, which seems to be the successor
of the index.dat. The WebCacheV01.dat is located at the following path:
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\WebCache

Opera (older versions)


The browser history is kept in the global_history.dat, global.dat and vlink4.dat files in the current Opera
profile. The file format depends on the browser version.

Chrome (along with Chromium-based browsers)


All visited URLs are kept in an SQLite database called history. The location of the database
depends on the browser. For example:
C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default

Firefox (along with Mozilla-based browsers)


This is either a history.dat file (a mork format) or a places.sqlite file in newer versions. A typical location
is C:\Users\<USERNAME>\AppData\Roaming\Mozilla\<PROGRAM>\Profiles. For example:
C:\Users\<USERNAME>\AppData\Roaming\Mozilla\Firefox\Profiles\owec6tnk.default
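
The following is an added example, not code from this manual or from Passcape: a read-only timeline builder for the two SQLite history stores described above, with a time filter like the one the tool offers. It assumes the Chromium `urls` table and the Firefox `moz_places` table with the columns shown; the sample rows are constructed, and an examiner would run it against a working copy of the history file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium stores microseconds since 1601-01-01 UTC; Firefox stores
# microseconds since 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_utc(us):
    return UNIX_EPOCH + timedelta(microseconds=us)

# Per browser family: query over the history table and timestamp converter.
SOURCES = {
    "chromium": ("SELECT url, title, visit_count, last_visit_time FROM urls "
                 "WHERE last_visit_time > 0", webkit_to_utc),
    "mozilla": ("SELECT url, title, visit_count, last_visit_date FROM moz_places "
                "WHERE last_visit_date IS NOT NULL", prtime_to_utc),
}

def open_readonly(path):
    """Open a working copy of a history database without write access."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def detect_family(conn):
    """Identify the browser family from the tables present in the database."""
    tables = {row[0] for row in
              conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if "moz_places" in tables:
        return "mozilla"
    if "urls" in tables:
        return "chromium"
    raise ValueError("no known browser history table found")

def read_history(conn, start=None, end=None):
    """Return visits as dicts, oldest first, limited to [start, end]."""
    family = detect_family(conn)
    sql, convert = SOURCES[family]
    visits = []
    for url, title, count, raw in conn.execute(sql):
        when = convert(raw)
        if (start and when < start) or (end and when > end):
            continue
        visits.append({"browser": family, "when": when, "url": url,
                       "title": title or "", "visits": count})
    return sorted(visits, key=lambda v: v["when"])

def build_sample(family):
    """Constructed in-memory database with only the columns queried above."""
    conn = sqlite3.connect(":memory:")
    if family == "chromium":
        conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                     "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
        rows = [("https://example.com/login", "Login", 3, 13200000000000000),
                ("https://example.org/old", "Old page", 1, 13100000000000000),
                ("https://example.net/never", None, 0, 0)]
        conn.executemany("INSERT INTO urls (url, title, visit_count, "
                         "last_visit_time) VALUES (?, ?, ?, ?)", rows)
    else:
        conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                     "title TEXT, visit_count INTEGER, last_visit_date INTEGER)")
        rows = [("https://example.com/docs", "Docs", 2, 1555530000000000),
                ("https://example.com/bookmark", "Unvisited", 0, None)]
        conn.executemany("INSERT INTO moz_places (url, title, visit_count, "
                         "last_visit_date) VALUES (?, ?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    since = datetime(2019, 1, 1, tzinfo=timezone.utc)
    for family in ("chromium", "mozilla"):
        for v in read_history(build_sample(family), start=since):
            print(v["when"].isoformat(), v["browser"], v["visits"], v["url"])
```

For a real profile, pass the copied file to `open_readonly()` and hand the connection to `read_history()`; rows that were never visited (zero or NULL timestamp) are skipped.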

Where do browsers store the form autocompletion data?

Internet Explorer
Internet Explorer v4-6 keep autocompletion data in a special location of the user registry called protected
storage. Even though encrypted, it is easy to decrypt and view because decryption keys are stored
along with encrypted data. The registry location of the storage provider:
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Internet Explorer v7-9 use a different and interesting technique. Instead of encrypting user-sensitive data
with a static secret key (IE 4-6), which can be figured out easily, IE 7-9 use the source URL address as
the encryption key to protect the data. Thus, without knowing the Web page the data belongs to, you
will not be able to decrypt it. More details can be found here. RWP does not support extracting IE
7-9 form autocompletion data. Use our PIEPR for that. Here are the registry locations where the encrypted
data is stored:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\FormData

Internet Explorer v10+ and Microsoft Edge have even better protection. All data entries are kept in
Windows Vault files and protected with DPAPI. The data cannot be decrypted without the owner's
logon password and master key file.
One caveat is that RWP can decrypt the data/passwords instantly if the browser has saved them under the
system account. The Vault location for the user data:
C:\Users\<USERNAME>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Opera (older versions)


The form autocompletion data can be found in the following files:
C:\Users\<USERNAME>\AppData\Roaming\Opera\Profile\typed_history.xml
C:\Users\<USERNAME>\AppData\Roaming\Opera\Profile\search_field_history.dat

Chrome (and Chromium-based browsers)


The form submission data is kept in the history and Web Data files; both are in SQLite format. A typical
location for the Chrome browser is:
C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default

Firefox (and Mozilla-based browsers)


This is either a formhistory.dat file (older versions of the browser) or formhistory.sqlite file. A typical
location is C:\Users\<USERNAME>\AppData\Roaming\Mozilla\<PROGRAM>\Profiles. Like this:
C:\Users\<USERNAME>\AppData\Roaming\Mozilla\Firefox\Profiles\owec6tnk.default\formhistory.sqlite

Where do browsers store their passwords?

Internet Explorer
Internet Explorer v4-6 keep Web passwords in the protected storage.
HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Internet Explorer v7-9 passwords are kept in the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Internet Explorer v10 default location for the saved passwords:
C:\Users\<USERNAME>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

Some versions of IE can also save HTTP basic authentication passwords in the 'Credentials
store' (Windows Vista and higher OSes). The DPAPI is used to protect the entries there.
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Credentials

The program is smart enough to extract some extra data stored in other locations. For example, the
Reset Windows Password can parse Chrome databases to look for Internet Explorer items that are kept
there after data migration.

Opera (older versions)


All passwords are stored in wand.dat file in encrypted form along with decryption keys. The passwords
can easily be decrypted unless a Master password is set.
C:\Users\<USERNAME>\AppData\Roaming\Opera\Profile\wand.dat

Chrome (and Chromium-based browsers)


Chromium-based browsers protect user passwords with DPAPI in Windows and store them in the Login
Data file, which is actually an SQLite database. A typical database location for Google Chrome:
C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Login data

Firefox (and Mozilla-based browsers)


Mozilla has come a long way in evolving the password storage format. Initially, it was a simple text file,
signons.txt. Then version 2 brought signons2.txt, which had the "#2c" prefix at the beginning of the file.
Then came signons3.txt with the "#2d" prefix in version 3, etc. Next, the signons.sqlite database came into
play. But that is not the end of the story. Firefox v32.x and higher has a new storage for passwords,
logins.json, which is a JSON format file. In spite of the apparent diversity, data protection is almost
the same.
A typical location for the files is:
C:\Users\<USERNAME>\AppData\Roaming\Mozilla\<PROGRAM>\Profiles\<PROFILE>.


3.14.8 Last modified files


Sometimes it is necessary to figure out what files or folders were created or modified within a certain
time period. This is what this tool was created for. We tried to make it as simple as possible. All you
need is to set the search location and to specify the time range for the sought files/folders.

Setting search location

To tell the program where to start searching, select one of the predefined values, such as the
documents folder of a certain user, the whole user's profile, etc. You can also specify your own location
by setting a custom path or a hard drive.

Setting the time range


Specify here if you need to search for files/folders with a certain creation date or a modification date. You
can set up the time up to seconds or turn the seconds off completely.

Displaying last modified files


Be patient, searching may take quite a lot of time.

3.14.9 Last modified directories


This tool behaves exactly like the previous one except that it searches for the folders instead of files.
Please, refer to the file search tool for more information.


4 License and registration


4.1 License Agreement

==========================================
SOFTWARE LICENSE AGREEMENT
==========================================

IMPORTANT-READ CAREFULLY: This End User License Agreement (the "Agreement") is a legal
agreement between you, the end-user, and Passcape Software, the manufacturer and the copyright
owner, for the use of the "Reset Windows Password" software product ("SOFTWARE").

All copyrights to SOFTWARE are exclusively owned by Passcape Software.

The SOFTWARE and any documentation included in the distribution package are protected by national
copyright laws and international treaties. Any unauthorized use of the SOFTWARE shall result in
immediate and automatic termination of this license and may result in criminal and/or civil prosecution.

You are granted a non-exclusive license to use the SOFTWARE as set forth herein.

You can use the trial version of the SOFTWARE as long as you want, but to access all functions you must
purchase the fully functional version. Upon payment we provide you with the download link and the
registration code to the SOFTWARE.

Once registered, the user is granted a non-exclusive license to use the SOFTWARE on one computer at
a time for every single-user license purchased.

With the personal license, you can use the SOFTWARE as set forth in this Agreement for non-
commercial purposes in non-business, non-commercial environment. To use the SOFTWARE in a
corporate, government or business environment, you should purchase a business license. With the
business license you can run the SOFTWARE on multiple computers within a single organization.

The registered SOFTWARE may not be rented or leased, but may be permanently transferred together
with the accompanying documentation, if the person receiving it agrees to terms of this license. If the
software is an update, the transfer must include the update and all previous versions.

The SOFTWARE unregistered (trial) version may be freely distributed, provided that the distribution
package is not modified. No person or company may charge a fee for the distribution of the SOFTWARE
without written permission from the copyright holder.

You may not create any copy of the SOFTWARE. You can make one (1) copy of the SOFTWARE for
backup and archival purposes, provided, however, that the original and each copy is kept in your
possession or control, and that your use of the SOFTWARE does not exceed that which is allowed in
this Agreement.

You agree not to modify, decompile, disassemble, or otherwise reverse engineer the SOFTWARE, unless
such activity is expressly permitted by applicable law.

Passcape Software does not warrant that the software is fit for any particular purpose. Passcape
Software disclaims all other warranties with respect to the SOFTWARE, either express or implied. Some
jurisdictions do not allow the exclusion of implied warranties or limitations on how long an implied
warranty may last, so the above limitations or exclusions may not apply to you.


The program that is licensed to you is absolutely legal and you can use it provided that you are the legal
owner of all files or data you are going to recover through the use of our SOFTWARE or have permission
from the legitimate owner to perform these acts. Any illegal use of our SOFTWARE will be solely your
responsibility. Accordingly, you affirm that you have the legal right to access all data, information and
files that have been hidden.

You further attest that the recovered data, passwords and/or files will not be used for any illegal purpose.
Be aware that password recovery and the subsequent data decryption of unauthorized or otherwise
illegally obtained files may constitute theft or another wrongful action and may result in your civil and (or)
criminal prosecution.

All rights not expressly granted here are reserved by Passcape Software.

4.2 Registration

The software is available in three editions: Light, Standard and Advanced. The detailed list of features is
shown here. You can order a fully registered version of Reset Windows Password at a cost of $45 for Light
Edition (personal usage), $145 for Standard Edition (personal usage) or $345 for Advanced Edition
(business license).

Detailed instructions for all kinds of orders are available online at Passcape ordering page. Online orders
are fulfilled in just a few minutes 24 hours a day 7 days a week. The ordering pages are on a secure
server, ensuring that your confidential information remains confidential.

As soon as your order is processed, you will be provided with the link to the fully-featured version of the
program. If you've made a payment, but haven't received a confirmation letter with the link within a
reasonable amount of time, please notify us!

Important: when completing the order form, please double-check that your e-mail address is correct. If it
is not, we will be unable to send you the registration code.

To complete the registration process, you should download the program using the link that was sent to
you in your registration e-mail and follow the instructions to create a bootable disk.

4.3 Limitation of unregistered version

An unregistered version of Reset Windows Password shows only the first 3 characters of recovered
passwords and has some functional limitations. In particular, only the hash dump and password backup
features work without any limitations. The registered version removes all restrictions.

4.4 Program editions

Reset Windows Password comes in three editions: Light, Standard and Advanced. The detailed list of
features is shown below.


| FEATURE | Light | Standard | Advanced |
|---|---|---|---|
| Support for Windows NT/2000/XP/Vista/7/8/10 workstations | + | + | + |
| Support for NT/2000/2003/2008/2012/2016/2019 servers | + | + | + |
| Windows 64-bit support | + | + | + |
| Non-US Windows support | + | + | + |
| Multilingual passwords support | + | + | + |
| Additional mass storage drivers | + | + | + |
| Detect multiple Operating Systems | + | + | + |
| Extended download warranty | + | + | + |
| 14-day money back guarantee | + | + | + |
| License | personal | personal | business |
| Support for all types of Windows accounts, including Live ID, Microsoft account, etc. | + | + | + |
| Create a bootable password reset CD/DVD | + | + | + |
| Create a bootable password reset USB | + | + | + |
| Create a bootable password reset HDD | + | + | + |
| Support booting on UEFI-based computers | + | + | + |
| Reset local Administrator password | + | + | + |
| Change local Administrator password | + | + | + |
| Unlock disabled, locked or expired local Administrator account (1) | + | + | + |
| Reset Domain Administrator password | - | - | + |
| Change Domain Administrator password | - | - | + |
| Unlock disabled, locked or expired Domain Administrator account (1) | - | - | + |
| Change a desktop account extended properties and flags | + | + | + |
| Change extended properties and flags of Active Directory accounts | - | - | + |
| Reset password to regular (SAM) accounts | + | + | + |
| Change passwords to regular (SAM) accounts | + | + | + |
| Unlock disabled, locked or expired SAM account (1) | + | + | + |
| Decrypt secret questions and answers for Windows 10 OS | + | + | + |
| Reset password to Active Directory accounts | - | - | + |
| Change passwords to Active Directory accounts | - | - | + |
| Unlock disabled, locked or expired Active Directory accounts (1) | - | - | + |
| Reset/Change password to DSRM account (2) | - | - | + |
| Reset domain cached password | - | + | + |
| Change domain cached password | - | + | + |
| Instant load and install any IDE/SATA/SCSI/RAID driver | + | + | + |
| Roll back changes (restore previously modified passwords) | + | + | + |
| Support SYSKEY encryption | + | + | + |
| Support SYSKEY startup password decryption | + | + | + |
| Support SYSKEY floppy decryption | + | + | + |
| Show password hints | + | + | + |
| Dump LM/NTLM password hashes for regular (SAM) accounts | + | + | + |
| Dump password history hashes | - | + | + |
| Dump domain cached credentials (MSCACHE) | - | + | + |
| Dump LM/NTLM password hashes for Active Directory accounts | - | - | + |
| Password recovery for Active Directory user accounts (3) | - | - | + |
| Password recovery for regular (SAM) user accounts | - | + | + |
| Password recovery for domain cached accounts | - | - | + |
| Search for simple passwords | - | + | + |
| Primitive dictionary analysis | - | + | + |
| Advanced dictionary analysis (4) | - | - | + |
| Primitive brute-force attack against user passwords | - | + | + |
| Recover passwords using Artificial Intelligence analysis | - | + | + |
| Remove password history hashes out of regular (SAM) accounts | - | + | + |
| Remove password history hashes out of Active Directory accounts | - | + | + |
| Remove domain cached passwords | - | + | + |
| Remove cached logon passwords | - | + | + |
| Remove password reset information | - | + | + |
| Remove password hints | - | + | + |
| Reset SYSKEY security (with user passwords re-encryption) | - | + | + |
| Lookup SYSKEY startup password | - | + | + |
| Instant plaintext password recovery for accounts with Picture password | - | + | + |
| Instant plaintext password recovery for accounts with Biometric logon (5) | - | + | + |
| PIN recovery | - | + | + |
| Mount virtual drives | + | + | + |
| Automatic detection and mounting virtual OSes | | | |
| Search for lost product keys and serial numbers | - | + | + |
| Convert Microsoft Live ID to local user account | + | + | + |
| Backup passwords, registry and Active Directory | + | + | + |
| Search for password-protected documents | + | + | + |
| Search for recently opened documents (7) | + | + | + |
| Search and decrypt Internet browser passwords | - | + | + |
| Search and decrypt passwords for popular e-mail clients | - | + | + |
| Search and decrypt different network passwords | - | + | + |
| Create new SAM accounts | - | + | + |
| Unlock Bitlocker drives | + | + | + |
| Local password policy editor | - | + | + |
| Domain password policy editor | - | - | + |
| Decrypt Windows Hello credentials | - | + | + |
| Logon history and statistics (6) | + | + | + |
| Hardware history (7) | + | + | + |
| Software history (7) | + | + | + |
| Network history (7) | + | + | + |
| Recent user activity (6) | + | + | + |
| System events (6) | + | + | + |
| Web history (6) | + | + | + |
| Last modified files | - | + | + |
| Last modified directories | - | + | + |
| Price | $45 | $145 | $345 |

Notes:
(1) If the account is locked, disabled or expired
(2) Directory Services Restore Mode
(3) If Reversible Encryption is set. You can find this option in your domain password policy.
(4) Using Arabian, Chinese, English, French, German, Portuguese, Russian, Spanish dictionaries.
(5) Not for all accounts
(6) Data export feature is available in Advanced edition only
(7) Data export feature is available in Standard and Advanced editions only


5 Technical support
5.1 Reporting problems

If you have a problem, please contact us at [email protected]. Please inform us about the
following:
· Windows version including service packs and other fixes installed
· Program full version (see About dialog)
· Program registration information if any
· Detailed description of your problem (as much information as possible)

If you're reporting an error, please attach the RWPCrash.log file(s) that were saved during an unhandled
exception.

5.2 Suggesting features

If you have any questions, comments or suggestions about the program or would like more information,
email us at [email protected]. Please don't forget to mention the program name and version. Also
make sure you have the latest program version installed. Your feedback helps us to improve our
products and work more effectively.

5.3 Contacts

Please don't hesitate to send your questions regarding our products to e-mail [email protected].
You will get a reply within one or two days. Note that registered users have priority in technical support.

If you experience any problems during registration process, please send a letter to
[email protected]
We will be happy to assist you with the registration.

Please write in English!

You can find other password recovery utilities at https://www.passcape.com.

© 2019 Passcape Software. All rights reserved.
