Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. The latest version supports both 32-bit as well as 64-bit versions of Windows XP/Vista/7/8/8.1. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane a.k.a. jaclaz and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:
- Windows version (e.g. XP, Vista, 7)
- Service pack, if any
- Architecture (e.g. 32-bit/64-bit)
- msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible
Technical Details: The script tries to locate all existing Windows installations, together with their editions. It then replaces the CMP instruction responsible for password verification with a ‘benign’ sequence of bytes; reverting the change is simply the reverse operation. The whole idea is derived from WindowsGate and Astr0baby’s tutorial.
Installation and usage:
- Install Grub4DOS. You may prefer using RMPrepUSB. The script was tested with Grub4DOS v0.4.5c-2013-03-03.
- Download grubutils and copy the WENV binary to the root of the boot media. The script was tested with grubutils-2011-06-27.
- Copy PassPass, PassPass.bak and menu.lst to the root of the boot volume.
- Ideally, ‘Autodetect’ mode should list all existing Windows installations. For buggy BIOSes, try the appropriate <Disk#> and <Partition#> to ‘Forcedetect’ Windows installations.
- Choose ‘Patch’ or ‘Unpatch’ respectively to disable/re-enable password verification.
- Reboot and boot into the target Windows.
Test procedure:
1. Download the latest version of the script.
2. Back up / /system32/msv1_0.dll of the target installation.
3. Patch it.
4. Test whether the patch is working by logging on with an arbitrary password.
5. Note the MD5 checksum of the DLL.
6. Unpatch it.
7. Test whether the unpatch is working by being unable to log in with anything but the correct password.
8. Note the MD5 checksum of the DLL.
9. Compare the MD5 hashes.
10. Success is defined by the patch working at step #4, the unpatch working at step #6 and the hashes matching at step #9.
11. Report success/failure in the format mentioned above.
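An added helper for the test procedure above (example code, not part of PassPass or Easy2Boot): it prints the fields the report format asks for and compares msv1_0.dll against a saved baseline hash, so the patch and unpatch steps can be confirmed at the hash-comparison step. It assumes PowerShell 4 or later (for Get-FileHash); the -WindowsRoot and baseline-file parameters are this script's own choices, and when pointed at an offline installation the OS fields describe the system the script runs on, not the target.

```powershell
# Added example, not part of PassPass: gather the report fields and check msv1_0.dll
# against a baseline recorded from the untouched DLL (test-procedure steps 5, 8 and 9).
# -WindowsRoot: the target installation's Windows directory (default: the running system).
# -Baseline: where the first run stores "<version> <md5>" (hypothetical path chosen here).
param(
    [string]$WindowsRoot = $env:SystemRoot,
    [string]$Baseline    = "$env:TEMP\msv1_0.baseline.txt"
)

$dll = Join-Path $WindowsRoot 'System32\msv1_0.dll'
if (-not (Test-Path $dll)) { throw "msv1_0.dll not found under $WindowsRoot" }

$os  = Get-CimInstance Win32_OperatingSystem          # describes the running OS, not an offline target
$md5 = (Get-FileHash -Path $dll -Algorithm MD5).Hash  # the checksum the report asks for
$ver = (Get-Item $dll).VersionInfo.FileVersion        # unchanged by a byte patch, so it identifies the build
# Catalog-signed system DLLs show Valid only on PowerShell versions that check catalog signatures;
# a modified on-disk copy will show HashMismatch there, an in-memory patch leaves it untouched.
$sig = (Get-AuthenticodeSignature -FilePath $dll).Status

# Report block in the format requested on the page
"Windows version : $($os.Caption) ($($os.Version))"
"Service pack    : $($os.CSDVersion)"
"Architecture    : $($os.OSArchitecture)"
"msv1_0.dll      : $ver  MD5 $md5  signature $sig"

# First run records the untouched DLL; later runs say whether the file still matches it.
$current = "$ver $md5"
if (-not (Test-Path $Baseline)) {
    $current | Set-Content -Path $Baseline
    "Baseline recorded in $Baseline"
} elseif ((Get-Content -Path $Baseline) -eq $current) {
    "UNCHANGED: msv1_0.dll matches the baseline (unpatched, or patched in memory only)"
} else {
    "MODIFIED: msv1_0.dll differs from the baseline (on-disk patch present)"
}
```

Run it once on the untouched installation, then after the patch (expect MODIFIED) and after the unpatch (expect UNCHANGED); the in-memory variant described later on this page never changes the on-disk hash, so this check cannot detect it.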
Credits:
- Wonko the Sane – for ideas, code snippets and information. The script embeds his DLL version detection script.
- Ectomorph a.k.a. Damian Bakowski – for his ‘unannounced’ patch for the 32-bit version of msv1_0.dll.
- Astr0baby – for his reversing tutorial.
- Steve Si – for including support for PassPass in his wonderful tool Easy2Boot.
Date: July 6, 2013
Date: September 12, 2014
It attaches to lsass.exe, locates the msv1_0.dll module and patches it in memory in order to bypass local password validation. No reboot is needed: just execute it, and any password will be accepted after that for local logins. Domain logins are not supported. No on-disk binaries are patched.
Tested on 6.1.7601.17514 and 6.3.9600.16384, both x86 and x64; those are the latest versions of both architectures for Windows 7 / Server 2008 R2 and Windows 8 / Server 2012 R2.
Just for the fun of it
Steve has added support for PassPass to his wonderful multi-boot tool Easy2Boot. I’d call his version of PassPass PassPass_E2B. Alternatively, it can be downloaded from here. Note that Steve contributed the patch for Windows 8.1.
PEPassPass is the brainchild of boulcat. It is an AutoIt executable intended to be run either from Windows PE or from a second NT installation, if any, to patch the first one. A possible use case is systems equipped with UEFI, where Grub4DOS may fail to boot. On such systems one needs either to boot Grub4DOS (and hence PassPass) in Legacy/BIOS-compatible mode, or to boot Windows PE or a second NT installation and run PEPassPass from there.
The executables embed the sources, too. Use the /Source switch to extract them.