#1
To start off, normally I do not turn off or restart my XP Pro machine. The other day I had restarted it for something and when I went to log into my user account, which has admin rights, it said my password was incorrect. I tried two other admin level accounts that were set up on the machine. One was the built-in Administrator account that actually has the same password set that my user account did, and it too no longer accepts it either. Another account I had set up, also a member of Administrators, also told me the password was incorrect. The only one that worked was my wife's account, which does not have a password set and is only a member of Users. But of course because of her limited rights, from her desktop I had no access to the User Account settings, so her account was useless to reset anything. Basically I was locked out.

I downloaded a program that runs off a floppy to reset passwords in the SAM file. I've used this before on customers' machines and it's always worked. When I tried to do it, it claimed that the password change had worked, but when I rebooted the system and tried to get in again I had the same issue. I wound up booting to a 2000 server CD and getting to the recovery console. For some reason if I boot using a 2000 server CD on a machine running XP it does not ask me for the Administrator password to get to the C prompt. Thank God for that. Well anyway, I was then able to copy a backup copy of the SAM file that Windows stores in C:\Windows\Repair over to the System32/Config folder. After doing this I was able to log in and everything seemed to be fine. This was about 2 weeks ago. Today I happened to reboot the machine again and the same thing happened. Of course I did the SAM file copy again and got back in. I keep thinking something or someone got into the network, but I run all the machines behind a router/firewall and run MS Antispyware as well as Norton, and both programs are up to date but found NOTHING.

The other part to this is that this and the other 2 machines I run, one running 2000 server and the other running XP Home, all are being denied access to each other when trying to access shares I have set. They all have the same user accounts configured so they should be allowed. This problem may be related to my SAM file issue on my XP Pro machine, though those two machines have not had the SAM file issue at this point. But network rights seem to be affected all around. Any ideas before I have to resort to reformatting and reloading all the machines?

Thanks in advance,
Adam
#2
It is very hard to say what is going on offhand. It sounds like someone or some process running as administrator/system is changing your passwords. I know you said that you scanned for malware and spyware but I would also use Process Explorer, TCPView, and Autoruns from SysInternals to take a closer look at what processes are running on your computer and scrutinize them to see if they all look legitimate or not. Process Explorer will show the publisher of the executable that maps to a process, which may help in identifying processes, and a process mapped to an executable without a publisher name is always very suspect. Even the publisher name is not 100 percent proof of authenticity unless the publisher has been verified in the general page of the process properties due to the executable being digitally signed, but I have yet to see a process trying to use a legitimate publisher's name. While malware and spyware detection and removal tools do what they do well, they cannot detect a "hacked" computer where another malicious user may have gained control at some point in time and maybe installed a backdoor program that may also log keyboard activity and/or installed some scripts.

http://www.sysinternals.com/Utilitie...sExplorer.html --- Process Explorer
http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.sysinternals.com/Utilities/TcpView.html --- TcpView

Another thing you want to do is to enable auditing of account management for success and failure and logon events for success and failure in Local Security Policy of the XP Pro computer. Then you should see an event recorded when a password changes, the day/time, and by what user. If it shows system for user then it is not by a specific user but by the operating system, which could be a startup/shutdown script or a task scheduled by the AT command. Also look at the system and application logs for anything that may be suspicious. Autoruns will try and show where any process is being started up by startup/logon and I believe will also try to show any startup/shutdown scripts or Scheduled Tasks. You should manually check for the existence of any Group Policy scripts, AT command tasks [type AT at the command prompt], and Scheduled Tasks and the history of Scheduled Tasks by looking in the log in advanced - view log for Control Panel/Scheduled Tasks. The link below shows where to check for Group Policy scripts assuming the computer only has local Group Policy applied to it. Use gpedit.msc to open local Group Policy. You can also use rsop.msc on the XP Pro computer to see effective Group Policy settings for computer and user.

http://support.microsoft.com/kb/198642

As far as your troubles in accessing shares, you need to make sure that the user accounts have the same password on both the client and server computer [again assuming no AD domain and that the XP Pro computer has simple file sharing disabled] and that the user has the proper permissions to the share. Keep in mind that XP Pro can use stored credentials, so it could be possible that a user that has changed their password is still trying to access the share with stored credentials with the old password. Again look in the security log of the server [computer with the share] to see if a failed logon exists and the reason why, and monitor for password changes. Also I would be sure to change the administrator passwords on all your computers for any user in the local administrators group and disable the administrator account in XP Pro, which will only allow it to be logged onto in Safe Mode. Be sure to use strong passwords.

--- Steve
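Added example (not part of the original posts): a sketch of the security-log triage described in the reply above, once account-management auditing is enabled. It assumes the log was exported to text in a simplified, constructed column layout; the account names and timestamps are made up, and 627/628 are the Windows 2000/XP event IDs for a password change attempt and a password set.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in a simplified layout (date, time, event ID, caller,
# target account). A real Event Viewer export carries more columns.
SAMPLE_LOG = """\
12/29/2005,08:14:02,528,XPPRO\\user1,
12/29/2005,23:01:10,628,NT AUTHORITY\\SYSTEM,user1
12/29/2005,23:01:10,628,NT AUTHORITY\\SYSTEM,Administrator
12/30/2005,09:30:45,627,XPPRO\\user2,user2
12/30/2005,09:31:00,529,XPPRO\\user1,
"""

# Account-management event IDs in the Windows 2000/XP security log.
PASSWORD_EVENTS = {"627": "change password attempt", "628": "password set"}
SYSTEM_CALLERS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def password_changes(log_text):
    """Return one record per password-change event, noting who made it."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 5 or row[2] not in PASSWORD_EVENTS:
            continue  # logons (528/529) and malformed rows are not of interest
        date, time, event_id, caller, target = (f.strip() for f in row[:5])
        findings.append({
            "when": f"{date} {time}", "event": PASSWORD_EVENTS[event_id],
            "caller": caller, "target": target,
            "by_system": caller.upper() in SYSTEM_CALLERS,
        })
    return findings


def system_bursts(findings):
    """Group SYSTEM-made changes by timestamp; several accounts changed in the
    same second point at a script or scheduled task rather than a person."""
    by_time = defaultdict(list)
    for f in findings:
        if f["by_system"]:
            by_time[f["when"]].append(f["target"])
    return {when: names for when, names in by_time.items() if len(names) > 1}


if __name__ == "__main__":
    changes = password_changes(SAMPLE_LOG)
    for c in changes:
        print(c["when"], c["event"], c["target"], "by", c["caller"])
    print("Bursts by SYSTEM:", system_bursts(changes))
```

Timestamps returned by `system_bursts` are the ones to compare against the AT task list, Scheduled Tasks log and startup/shutdown scripts mentioned in the reply.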
#3
New computer, only one user, set as administrator. I was downloading a large QuickBooks/Peachtree conversion program, computer went in hibernation while I was "away". Will not recognize my password to get back into system. I guess I'll have to call my brother ... again ... unless someone has a user-friendly idea on how an unlearned computer user can fix this. So far Microsoft Tech support hasn't come thru ...

Thanks