Breaking Windows

by The Camelback Juggler

When was the last time that you wandered into your local computer discount store to test drive that new Pentium based PC?  Armed with a fresh stack of formatted 3.5" diskettes, you find your way to the hottest new machine in the store.  As you approach the machine of your choice, you notice that flashy screensaver that's so familiar.  However, as soon as you touch the mouse, that damn password verification window rears its ugly head.

Now consider your options - you could hack away trying to guess the password, or you could go ask one of the customer service geeks to supply the password (he will probably give a demonstration of all the computer skill that he possesses).

The first method is brute-force and obviously time consuming; the second method works.  However, now you have someone shoulder surfing, so purloining files and roaming are not within the realm of possibility.  The third method is a bit more elegant.

Your first goal will be to exit Windows.  The best way to accomplish this is to simply hit the standard Ctrl+Alt+Del.  If that does not work you may need to reset or cycle the power off and on.  Try and observe what the computer does next.  If the computer boots directly to Windows and the screensaver does not appear immediately, then you are in good shape and you don't need to worry about defeating the password.  However, if the screensaver starts automatically after Windows starts, chances are a more computer savvy person set the machine up and you need to do a little more work.

If the screensaver begins immediately after Windows starts, reboot the machine.  During the boot up cycle, press F5.  This will circumvent the standard boot cycle and the computer will drop to the DOS level prompt.

Next, you will need to start the MS-DOS editor by typing EDIT.  Then, you will need to open the file C:\WINDOWS\CONTROL.INI.  Scroll down until you see a section which looks similar to the following:

[ScreenSaver.Marquee]
PWProtected=1
Text=NNNNNNNNNNNNNNNNNNNNNNNNNNN
Font=Wingdings
Size=72
BackgroundColor=128 128 128
TextColor=255 255 255
Speed=10
Attributes=00000
CharSet=2

[ScreenSaver]
Password=1237

At this point you will need to modify a couple of things depending upon what you want to accomplish.

In this case the utilized screensaver is the Marquee.  By simply changing the line PWProtected=1 to PWProtected=0 the password will be disabled.

Unfortunately, the password itself cannot be determined from the line Password=1237 because the password is encrypted.

However, another technique would be to place a semicolon before the line Password=1237 (;Password=1237) and insert the new line: Password=

[ScreenSaver]
;Password=1237
Password=

By replacing the encrypted password with a blank, the screensaver password will still be active.

However, when a password request occurs, simply pressing return will do the job.  The above methods are, what I call, breaking Windows with a glass cutter.  There are some quicker and somewhat dirtier methods of accomplishing the same thing.  These methods could be called breaking Windows with a sledge hammer.

The faster method consists of getting to the MS-DOS prompt level as described above.  Then, create a temporary subdirectory and copy C:\WINDOWS\CONTROL.INI into the temporary directory.  Then delete the C:\WINDOWS\CONTROL.INI from the WINDOWS directory.  Also, you can simply rename CONTROL.INI to something like, CONTROL.OLD.  Again, this will accomplish the same thing as modifying the CONTROL.INI file.  However, the computer will display errors when Windows starts.  So let the situation govern which method you choose.
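Seen from the side of whoever set the machine up, the changes described above (PWProtected=0, a blanked or commented-out Password line, a deleted or renamed CONTROL.INI) are all things a periodic check of the file can flag.  The following Python script is an added example, not part of the original article; the function names, the finding labels, and the treatment of every [ScreenSaver.*] section like the Marquee one are assumptions.

```python
import os

def parse_ini(text):
    """Parse INI text into {section: {key: value}} plus a list of commented-out keys."""
    sections, commented, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif line.startswith(";"):
            # Remember keys that were disabled with a leading semicolon.
            key = line.lstrip("; \t").partition("=")[0].strip().lower()
            commented.append((current, key))
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections, commented

def audit_control_ini(text):
    """Return findings for CONTROL.INI contents; text=None means the file is absent."""
    if text is None:
        return ["missing"]
    sections, commented = parse_ini(text)
    findings = []
    if sections.get("screensaver", {}).get("password", "") == "":
        findings.append("blank-or-missing-password")
    if ("screensaver", "password") in commented:
        findings.append("password-commented-out")
    for name, keys in sections.items():
        # Assumption: every [ScreenSaver.<name>] section uses PWProtected like Marquee.
        if name.startswith("screensaver.") and keys.get("pwprotected") != "1":
            findings.append("unprotected:" + name)
    return findings

def audit_file(path):
    """Audit a CONTROL.INI on disk (path is supplied by the caller)."""
    if not os.path.isfile(path):
        return audit_control_ini(None)
    with open(path, encoding="latin-1") as fh:
        return audit_control_ini(fh.read())

# Constructed sample, trimmed from the listing in the article.
BASELINE = "[ScreenSaver.Marquee]\nPWProtected=1\nFont=Wingdings\n\n[ScreenSaver]\nPassword=1237\n"
BLANKED = BASELINE.replace("Password=1237", ";Password=1237\nPassword=")

if __name__ == "__main__":
    for label, text in (("baseline", BASELINE), ("blanked", BLANKED), ("missing", None)):
        print(label, audit_control_ini(text))
```

An empty list means the file still matches the protected layout shown in the listing; a machine that never had a screensaver password set will also report blank-or-missing-password.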

Some machines use third-party security systems.  These systems usually consist of a front-end for the standard Program Manager that comes stock with Windows.  Packard Bell's Navigator is a good example of these security systems.  The Navigator has a lock feature that requires a password to enter into the standard Program Manager.

To get around this system you will need to get to the MS-DOS prompt level using previously described methods.  Then create a temporary directory and copy C:\WINDOWS\STARTUP.GRP into the temporary directory and remember to delete the original.  Again, you could rename STARTUP.GRP to STARTUP.OLD.  This should defeat most third-party password schemes.

Another trick that these retail outlets like to use is changing the attributes of the .INI files as well as related files (.GRP) to read only or hidden.  Therefore, you may need to change all the files that you will be fiddling with to the standard archive format.

To display attributes of all files in the current directory, type ATTRIB C:\WINDOWS\*.INI (or .GRP) and press Enter.  Then use the ATTRIB command to change file attributes to archive.

Example:  To remove the read only attribute from all files in the Windows directory, type the following command: ATTRIB -R C:\WINDOWS\*.* /S

The /S processes all files in the current directory and all subdirectories.  Also, make sure the Save Settings on Exit option in Program Manager is enabled.

If there are many people around, you will want to accomplish all of this as quickly as you can.  Try to copy all files that pertain to the task at hand onto floppies before you attempt to gain access, because some people like to delete the necessary files.  Also, it may be a good idea to carry a system disk with you just in case you need to boot up clean.

If you are creative enough you can make a .BAT file that will automate most of the procedures that I have described; the old EDLIN command should serve you well if this is your goal.  However, .BAT files can be problematic unless you have analyzed all pertinent files on your target computer.

Normally you don't want to leave any evidence behind.  Of course, I keep all changes that I make relatively innocuous.  However, just for fun, I like to modify the Marquee screensaver.  My favorite font is Wingdings.  If you use a capital N (Wingdings) the screensaver will display a skull and cross bones ☠.  Then I reestablish all security measures that were originally in place, so they have to drag out the guy who set the machine up to reset the machine.  Keeps 'em on their toes.

Have fun...
