XP account passwords change spontaneously

sithlord70

To start off normally I do not turn off or restart my XP Pro machine.
The other day I had restarted it for something and when I went to log
into my user account which has admin rights it said my password was
incorrect. I tried two other admin level accounts that were set up on
the machine. One was the built-in Administrator account that actually
has the same password set that my user account did and it too no longer
accepts it either. Another account I had set also a member of
Administrators also told me the password was incorrect. The only one
that worked was my wife's account that does not have a password set and
is only a member of Users. But of course because of her limited rights,
from her desktop I had no access to the User Account settings so her
account was useless to reset anything. Basically I was locked out. I
downloaded a program that runs off a floppy to reset passwords in the
SAM file. I've used this before on customers' machines and it's always
worked. When I tried to do it, it claimed that the password change had
worked but when I rebooted the system and tried to get in again I had
the same issue. I wound up booting to a 2000 server CD and getting to the
recovery console. For some reason if I boot using a 2000 server CD on a
machine running XP it does not ask me for the Administrator password to
get to the C prompt. Thank God for that. Well anyway, I was then
able to copy a backup copy of the SAM file that Windows stores in
C:\Windows\Repair over to the System32/Config folder. After doing this
I was able to log in and everything seemed to be fine. This was about
2 weeks ago. Today I happened to reboot the machine again and the same
thing happened. Of course I did the SAM file copy again and got back
in. I keep thinking something or someone got into the network but I run
all the machines behind a router/firewall and run MS Antispyware as
well as Norton and both programs are up to date but found NOTHING. The
other part to this is this and the other 2 machines I run, one running
2000 server and the other running XP Home all are being denied access
to each other when trying to access shares I have set. They all have
the same user accounts configured so they should be allowed. This
problem may be related to my SAM file issue on my XP Pro machine
though those two machines have not had the SAM file issue at this point.
But network rights seem to be affected all around. Any ideas before I
have to resort to reformatting and reloading all the machines?

Thanks in advance,
Adam
 
Steven L Umbach

It is very hard to say what is going on offhand. It sounds like someone or
some process running as administrator/system is changing your passwords. I
know you said that you scanned for malware and spyware but I would also use
Process Explorer, TCPView, and Autoruns from SysInternals to take a closer
look at what processes are running on your computer and scrutinize them to
see if they all look legitimate or not. Process Explorer will show the
publisher of the executable that maps to a process which may help in
identifying processes and a process mapped to an executable without a
publisher name is always very suspect. Even the publisher name is not 100
percent proof of authenticity unless the publisher has been verified in the
general page of the process properties due to the executable being digitally
signed but I have yet to see a process trying to use a legitimate
publisher's name. While malware and spyware detection and removal tools do
what they do well they can not detect a "hacked" computer where another
malicious user may have gained control at some point in time and maybe
installed a backdoor program that may also log keyboard activity and/or
installed some scripts.

http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process Explorer
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.sysinternals.com/Utilities/TcpView.html --- TcpView

Another thing you want to do is to enable auditing of account management for
success and failure and logon events for success and failure in Local
Security Policy of the XP Pro computer. Then you should see an event
recorded when password changes, the day/time, and by what user. If it shows
system for user then it is not by a specific user but by the operating
system which could be a startup/shutdown script or a task scheduled by the
AT command. Also look at the system and application logs for anything that
may be suspicious. Autoruns will try and show where any process is being
started up by startup/logon and I believe will also try to show any
startup/shutdown scripts or Scheduled Tasks. You should manually check for
the existence of any Group Policy scripts, AT command tasks [type AT at the
command prompt], and Scheduled Tasks and the history of Scheduled Tasks by
looking in the log in advanced - view log for Control Panel/Scheduled Tasks.
The link below shows where to check for Group Policy scripts assuming the
computer only has local Group Policy applied to it. Use gpedit.msc to open
local Group Policy. You can also use rsop.msc on the XP Pro computer to see
effective Group Policy settings for computer and user.

http://support.microsoft.com/kb/198642

As far as your troubles in accessing shares then you need to make sure that
the user accounts have the same password on both the client and server
computer [again assuming no AD domain and that the XP Pro computer has
simple file sharing disabled] and that the user has the proper permissions
to the share. Keep in mind that XP Pro can use stored credentials so it
could be possible that a user that has changed their password is still
trying to access the share with stored credentials with the old password.
Again look in the security log of the server [computer with the share] to
see if a failed logon exists and the reason why and monitor for password
changes. Also I would be sure to change the administrator passwords on all
your computers for any user in the local administrators group and disable
the administrator account in XP Pro which will only allow it to be logged
onto in Safe Mode. Be sure to use strong passwords. --- Steve
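
One way to triage the Security log once the auditing described in the reply above is enabled, as an added example that is not part of the original post: it lists each password change, who made it, and how many bad-password logons followed for that account. The event IDs (627, 628, 529) are the Windows 2000/XP Security log numbers and do not come from the thread; the export layout, account names and log lines are constructed for the example.

```python
import csv
import io
import re

# Constructed sample of a tab-delimited Security log export. The column
# layout, account names and description text are assumptions for this example.
COLUMNS = ["date", "time", "type", "event", "user", "description"]
SAMPLE_LOG = "\n".join([
    "10/20/2005\t19:02:11\tSuccess Audit\t627\tXPPRO\\backupuser\t"
    "Change Password Attempt: Target Account Name: backupuser",
    "11/02/2005\t08:14:09\tSuccess Audit\t628\tNT AUTHORITY\\SYSTEM\t"
    "User Account password set: Target Account Name: adam",
    "11/02/2005\t08:14:10\tSuccess Audit\t628\tNT AUTHORITY\\SYSTEM\t"
    "User Account password set: Target Account Name: Administrator",
    "11/02/2005\t08:20:31\tFailure Audit\t529\tNT AUTHORITY\\SYSTEM\t"
    "Logon Failure: Unknown user name or bad password User Name: adam",
    "11/02/2005\t08:20:58\tFailure Audit\t529\tNT AUTHORITY\\SYSTEM\t"
    "Logon Failure: Unknown user name or bad password User Name: adam",
])

# Event IDs as logged by Windows 2000/XP (pre-Vista numbering).
PASSWORD_EVENTS = {"627": "change password attempt", "628": "password set"}
FAILED_LOGON = "529"  # unknown user name or bad password
TARGET_RE = re.compile(r"Target Account Name:\s*(\S+)")
LOGON_USER_RE = re.compile(r"User Name:\s*(\S+)")

def parse(text):
    """Turn the exported text into one dict per event, oldest first."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=COLUMNS,
                               delimiter="\t", quoting=csv.QUOTE_NONE))

def failed_logons_for(records, account):
    """Count bad-password logon failures recorded for one account."""
    users = (LOGON_USER_RE.search(r["description"]) for r in records
             if r["event"] == FAILED_LOGON)
    return sum(1 for m in users if m and m.group(1).lower() == account.lower())

def triage(records):
    """List every password change with who made it and what to check next."""
    findings = []
    for i, rec in enumerate(records):
        if rec["event"] not in PASSWORD_EVENTS:
            continue
        m = TARGET_RE.search(rec["description"])
        target = m.group(1) if m else "unknown"
        by_system = rec["user"].upper().endswith("\\SYSTEM")
        findings.append({
            "when": rec["date"] + " " + rec["time"],
            "action": PASSWORD_EVENTS[rec["event"]],
            "target": target,
            "actor": rec["user"],
            # SYSTEM as the actor points at a script or AT task, not a person.
            "next_check": ("startup/shutdown scripts, AT and Scheduled Tasks"
                           if by_system else "activity of account " + rec["user"]),
            "failed_logons_after": failed_logons_for(records[i + 1:], target),
        })
    return findings

for finding in triage(parse(SAMPLE_LOG)):
    print(finding)
```
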
 
Guest

New computer, only one user, set as administrator.
I was downloading a large QuickBooks/Peachtree conversion program,
computer went in hibernation while I was "away"
Will not recognize my password to get back into system.

I guess I'll have to call my brother ... again ... unless someone has a
user-friendly idea on how an un-learned computer user can fix this.
So far Microsoft Tech support hasn't come thru ...
Thanks




Steven L Umbach

You could hard reboot the computer using the reboot button on the front of
the computer case, shut it down, or try control-alt-delete and select
shutdown. When it restarts you should be back to normal logon mode. ---
Steve


Carlotta said:
New computer, only one user, set as administrator.
I was downloading a large QuickBooks/Peachtree conversion program,
computer went in hibernation while I was "away"
Will not recognize my password to get back into system.

I guess I'll have to call my brother ... again ... unless someone has a
user-friendly idea on how an un-learned computer user can fix this.
So far Microsoft Tech support hasn't come thru ...
Thanks



