Arikirangi

Oh .. and sorry for multiple posting.. it may be in my case a good idea insert some code into a file an admin would access on login, which would be able to copy the sam to a unsecure part of the OS /email to GMail, whenever the admin logs in so i dont have to keep accessing the PC via boot disk when the admin routinly changes PWD.. that would put me 1 step ahead. Also I believe the domain admin password is diff to the local PWD in terms of storage of HASH.. Is the domain PWD stored on the local machine in XP / 2k. how easy is the stored domain PWD to the local pwd in terms of HASH?. can these PWDS be broken with normal LM rainbow tables?

Thanks mate.. gave me an Idea. i went to http://www.uktsupport.co.uk/reference/biosp.htm and found a reasonable list of BD passwords for the award bios.. it seems my target has a cheap MB.. and AWARD_PW worked great.. I have full access now to boot CD / USB and can now go about the simple task of pilfering SAM BTW it was not a matter of the case being locked but as in most cases the Security camerers make it too "james bond" to open case without bad consequences.

Is there a way to boot some sort of network device from the pxe / network boot to access the %system% . My target has bios locked, not possible to open case and no boot from cd etc.