Deleted SAM in Windows XP Pro 1

d1novak

Instructor
Jul 21, 2003
27
US
During a migration at my office, one of my IT guys used ntfspro to delete my SAM on my XP workstation to gain administrative rights. Now I can't boot XP. I get the message:

Security accounts manager initialization failed because of the following errors. A device attached to the system is not functioning. Error status: 0xc0000001. Please click OK to shutdown this system and reboot into safe mode. Check the event log for more detailed information.

I get the same message in safe mode. I was told the guy deleted the SAM file in windows\system32\config. I tried to copy the one from windows\repair but still receive the same message.

The recovery console won't let me log in and I failed to make an ASR.

Is there any way to fix this without reinstalling?

Dan
 
Two issues:

First, you cannot access Recovery Console because the Administrator password does not work.

See this thread: thread779-618136

Second, if you can now use the Recovery Console, this is a clear English version of a registry restore:
Third, if you can only copy files, copy all five hives and not just the SAM from either c:\windows\repair, or c:\System Volume Files, as explained below:
Since you can copy files:

Create a new directory c:\windows\tmp

Open the System Volume Information folder. This folder appears dimmed because it is set as a super-hidden folder. You may have to try and change the NTFS permissions if your utility permits this.

Note This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.

Open one of these folders to locate a Snapshot subfolder; the following path is an example of a folder path to the Snapshot folder:
C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM

Rename the files in the C:\Windows\Tmp folder as follows:
Rename _REGISTRY_USER_.DEFAULT to DEFAULT
Rename _REGISTRY_MACHINE_SECURITY to SECURITY
Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
Rename _REGISTRY_MACHINE_SAM to SAM

Delete the five files in c:\windows\config
Copy the files from c:\windows\tmp to c:\windows\config
 
bcastner

Worked like a charm. For future reference, it didn't work till I copied them to the c:\windows\SYSTEM32\config folder.

Thanks a billion!

d1novak
 
My bad, you are correct about the directory.

Thank you.

You might tell the IT guy to read the Tek-Tip thread above for other ways to reset passwords besides deleting registry hives.

You should also point him to Knoppix, which includes not only NTFS directory tools, but a password unlocker. Freeware, recommended.
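
The copy-and-rename steps from the thread, scripted as an added example (not part of the original posts and not any poster's code), for any environment with Python that can write to the XP volume. The paths are parameters, with the target being the system32\config folder the follow-up post identified; the `regf` signature and sequence-number checks and the backup directory are assumptions added here, so that nothing is replaced unless all five snapshot files look like registry hives.

```python
import shutil
import struct
from pathlib import Path

# Snapshot file name -> live hive name, exactly as listed in the thread.
HIVE_MAP = {
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SAM": "SAM",
}

def check_hive(path):
    """Return None if the file looks like a usable hive, else a reason string."""
    if not path.is_file():
        return "missing"
    with open(path, "rb") as f:
        header = f.read(12)
    if len(header) < 12 or header[:4] != b"regf":
        return "no regf signature"
    # Heuristic added here: the two sequence numbers at offsets 4 and 8 match on a cleanly written hive.
    seq1, seq2 = struct.unpack_from("<II", header, 4)
    if seq1 != seq2:
        return "sequence numbers differ, try another restore point"
    return None

def restore_hives(snapshot_dir, config_dir, backup_dir):
    """Validate all five snapshot hives, then move the live hives to backup_dir
    and copy the snapshots in under their live names. Returns {file: reason}."""
    snapshot_dir, config_dir, backup_dir = map(Path, (snapshot_dir, config_dir, backup_dir))
    problems = {}
    for src in HIVE_MAP:
        reason = check_hive(snapshot_dir / src)
        if reason:
            problems[src] = reason
    if problems:
        return problems  # nothing has been touched yet
    backup_dir.mkdir(parents=True, exist_ok=True)
    for src, dst in HIVE_MAP.items():
        live = config_dir / dst
        if live.exists():
            shutil.move(str(live), str(backup_dir / dst))  # keep the old hive instead of deleting it
        shutil.copy2(snapshot_dir / src, live)
    return problems
```

An empty dictionary from `restore_hives` means all five hives were replaced; any entry means the run stopped before changing the config folder.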
