Gaining Admin Rights on Windows Boxen

Prerequisites: 

Linux on a flash drive; explained in my tutorial entitled "Portable Linux".
Physical access to the Windows box you want admin rights on.

################################################################################
#  ####### ####### ########        ##    #####   ##     ## ####### ##       #  #
#  #       #          #           #  #   #    #  # #   # #    #    # #      #  #
#  #       #          #          #    #  #     # #  # #  #    #    #  #     #  #
#  #  #### ####       #         ######## #     # #   #   #    #    #   #    #  #
#  #     # #          #         #      # #     # #       #    #    #    #   #  #
#  #     # #          #         #      # #     # #       #    #    #     #  #  #
#  #     # #          #         #      # #     # #       #    #    #      # #  #
#  ####### #######    #         #      # ######  #       # ####### #       ##  #
################################################################################

Windows keeps its password data in a few different locations:

#1) Somewhere in the registry; only GOD and maybe RaT know the exact locations.
Either way that option is a little bit of a pain.
But if you want to do some searching, you can open the registry by typing regedit in the "run box" (click Start, then Run) or at the command prompt. If you want to script registry keys, use the DOS command REG.
(be careful, if you fuck it up, you're gonna find yourself re-installing windows)

#2) In a file called the SAM database or SAM file (yes, the file is called SAM and it is a hidden system file).
The directory for this is c:\windows\system32\config\

Now some passwords for different applications may be stored in a cache somewhere or in a cookie for web passwords, but for right now we just want admin.
Well, you can't open the file and you can't copy the file, so what do you do? You can't copy it because it is a system file that Windows holds open the whole time the operating system is running. So you then have roughly 2 more options:

#1) Use a cd like "hirens, hirem, heimen (i dont remember the fucker's name) boot cd" or "8iso" or even easy password recovery, whatever the fuck.
Basically it's a 3rd-party application that you boot from in order to reset the password of one of the accounts so you can get admin.
Going with this idea: if you reset the admin password there's a bigger chance of getting caught than if you reset a local-to-the-machine username. But of course that local user still has to have admin rights to do us any good, so before any rebooting, password changing, cracking, etc. is done, we want to run the following command from a command prompt (dos window) while we're logged into windows with our normal account:
net localgroup administrators
This will list all accounts that are in the administrators group and have admin privs. If you still only have the one named administrator and nothing else, you can go ahead and reset the password on that one, but I much prefer the next method over this first one, as you don't reset anything and thus have a better chance of NOT getting caught.

#2) Use a LINUX LIVECD and boot into linux. Mount the hard drive using something along the lines of:
cd /
mkdir /cdrive
mount -t ntfs /dev/hda1 /cdrive
(or something like that; the device name and filesystem type depend on the box, so an older FAT install would be -t vfat and the disk may show up as /dev/sda1 instead of /dev/hda1)

Once the drive is mounted the windows operating system is NOT running, therefore you can successfully copy the SAM database file from the mounted hard drive partition to a USB flash drive, a floppy, or burn it to a cd rom if you want. However you want to go about getting that file, just get it!

After you have the file, you can put it in any windows cracking program you choose, be it john the ripper, l0pht crack, or cain and abel, whatever you want. Once you crack the password you will be able to successfully log in to the windows box as the administrator, turn off any logging, create an account for yourself and give yourself admin privs, or better yet, modify one of the system accts and give it admin privileges.
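The `net localgroup administrators` check from method #1 is also the quickest way for whoever owns the box to notice the extra or modified admin account described just above. The following is an added example (not part of the original post) that parses that command's output and flags any member not in a known-good baseline; the sample output is constructed, and the baseline set and function names are assumptions for the example.

```python
import subprocess

# Constructed sample of what `net localgroup administrators` prints on an
# English Windows box; the "svchost_" entry is planted as a suspicious extra.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
svchost_
The command completed successfully.
"""

# Assumed baseline for the example (lower-cased names); anything else is flagged.
BASELINE = {"administrator"}

def parse_localgroup(output: str) -> list[str]:
    """Return the member names listed between the dashed rule and the closing line."""
    members = []
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("---"):          # dashed rule precedes the member list
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members

def unexpected_admins(output: str, baseline: set[str] = BASELINE) -> list[str]:
    """Members of the group that are not in the baseline (case-insensitive)."""
    return [m for m in parse_localgroup(output) if m.lower() not in baseline]

def audit_live_box() -> list[str]:
    """Run the real command (Windows only) and return the unexpected members."""
    result = subprocess.run(["net", "localgroup", "administrators"],
                            capture_output=True, text=True, check=True)
    return unexpected_admins(result.stdout)

if __name__ == "__main__":
    print("unexpected admins in sample:", unexpected_admins(SAMPLE_OUTPUT))
```

Run `audit_live_box()` from a scheduled task and alert on a non-empty result; a scrubbed event log does not hide a changed group membership.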

Also, from what I hear you can use a livecd titled "konboot", I haven't tested this personally but give it a try.
To find out more about konboot go here: http://www.soldierx.com/tools/KON-BOOT

-cisc0ninja

Reference: 

cisc0ninja's cranium