How to suppress a password recovery disk

[YS1]

Good afternoon.

I have created a Password Recovery Disk for my WinXPHome (SP2) account.
Now I would like to delete it, ie. to remove the possibility of
resetting my account's password with this disk (without physically or
logically damaging my disk, of course!).

I have searched for this procedure both in Windows Help and on the
Internet, but I have not managed to find any valuable information.

Can anyone help me? Any relevant information would be greatly appreciated.

 

[Guest]

You should be able to just put the disk in and open the folder then delete
the file that you see (assuming you have nothing else on the disk it should
be easy to locate) you may have to choose to show hidden files and folders.
(hold shift when you press delete as this bypasses the recycle bin)

 

[peter]

Format comes to mind
peter

 

[YS1]

Thanks for the idea. I just tried it, but formatting my USB key does not
remove its ability to reset my password. I assume that Windows has
stored something like the serial number of the key.

 

[Vanguard]

Thanks for the idea. I just tried it, but formatting my USB key does
not remove its ability to reset my password. I assume that Windows has
stored something like the serial number of the key.

You will need to rephrase your original question. You said that you
exported the file used to perform a disaster password recovery. Now you
say that you don't want to have your password reset by anyone. Delete
the file from wherever you saved it if you don't want anyone, including
yourself, the ability to use that file to recover your forgotten
password. As for resetting your password, any admin user can do that.
You can configure your account so the password doesn't expire (providing
you are an admin to change it) but admins, like yourself, can change the
account's password policy.

If you don't want anyone, even other admins, from being able to reset
your logon password then configure your BIOS to ask for a password. The
OS can't change that password.

 

[Allan]

Good afternoon.

I have created a Password Recovery Disk for my WinXPHome (SP2) account.
Now I would like to delete it, ie. to remove the possibility of resetting
my account's password with this disk (without physically or logically
damaging my disk, of course!).

I have searched for this procedure both in Windows Help and on the
Internet, but I have not managed to find any valuable information.

Can anyone help me? Any relevant information would be greatly appreciated.

The disk should be rendered useless by running a demagnitizer over it (like
the kind used to erase VHS tapes sold at Radio Shack). After that it may be
reusable; at worst you can discard it. The instructions in Windows are to
discard the disk when it is no longer needed.

 

[YS1]

You said that you exported the file used to perform a disaster password recovery.
I did not say so. I do not know which file you are talking about. The
"Create a Password Recovery Disk" Wizard did not create any visible file
on my USB key (and I have configured Explorer to show hidden and
system-hidden files).

Now you say that you don't want to have your password reset by anyone.

I am not saying so. I am saying that I do not want my password to be
reset using this USB key.

Delete the file from wherever you saved it if you don't want anyone,
including yourself, the ability to use that file to recover your
forgotten password.

Again, I do not know what file you are talking about.

As for resetting your password, any admin user
can do that. You can configure your account so the password doesn't
expire (providing you are an admin to change it) but admins, like
yourself, can change the account's password policy.

Yes, I knew that already.

If you don't want anyone, even other admins, from being able to reset
your logon password then configure your BIOS to ask for a password.
The OS can't change that password.

I have already done so. But I do not see the link with my original question.

Nevertheless, I thank you for your reply.

I am sorry if the formulation of my sentences makes my statements
unclear, but English is not my original language.

 

[YS1]

The disk should be rendered useless by running a demagnitizer over it

(like the kind used to erase VHS tapes sold at Radio Shack).

The problem is that I do not have a demagnetiser ; and I do not want to
take the risk to harm my USB key : it cost me 25€ (33,6$).

But since not every disk can reset my password, Windows has a the
ability to identify this USB key. This identification must be stored
somewhere (possibly encrypted).

 

[Allan]

The problem is that I do not have a demagnetiser ; and I do not want to
take the risk to harm my USB key : it cost me 25€ (33,6$).

But since not every disk can reset my password, Windows has a the ability
to identify this USB key. This identification must be stored somewhere
(possibly encrypted).

I thought it was a floppy disk, as in 3.5 inch magnetic-type. A demagnetizer
won't work on a USB flash drive anyway, as far as I know. I made my backups
on the 3.5 inch floppy disks because I plan on destroying them when
finished. How about changing the password and reusing the same USB flash
drive as the backup recovery "disk" again; will it let you do that? If so,
then after writing the new password recovery disk (with the new password
saved on your computer), change the password back to the original value.
Your backup recovery disk, even if it contains some encrypted data, may then
become useless for the intended purpose. Or, simply change your password
once again and don't create a recovery disk this time. This will work even
if Windows XP won't let you rewrite your flash drive as the recovery disk.

 

[YS1]

How about changing the password and

reusing the same USB flash drive as the backup recovery "disk" again;
will it let you do that? If so, then after writing the new password
recovery disk (with the new password saved on your computer), change
the password back to the original value. Your backup recovery disk,
even if it contains some encrypted data, may then become useless for
the intended purpose. Or, simply change your password once again and
don't create a recovery disk this time. This will work even if
Windows XP won't let you rewrite your flash drive as the recovery
disk.

This does not work. The ability for a floppy disk or USB key to reset a
password is independent from the current password. It seems that the
"Create a Password Recovery Disk" wizard does not write anything to the
specified disk (floppy or USB), but only reads its identification data
(serial number?) and stores something (in the Registry?) meaning that
"the disk with identification number xxxx can be used to reset the
password of account yyyy".

So what I would like to do is find this information and delete it from
Windows Registry (or whichever else Windows file it is stored).

 

[Jesse Houwing]

* YS1 wrote, On 29-6-2007 18:28:

This does not work. The ability for a floppy disk or USB key to reset a
password is independent from the current password. It seems that the
"Create a Password Recovery Disk" wizard does not write anything to the
specified disk (floppy or USB), but only reads its identification data
(serial number?) and stores something (in the Registry?) meaning that
"the disk with identification number xxxx can be used to reset the
password of account yyyy".

So what I would like to do is find this information and delete it from
Windows Registry (or whichever else Windows file it is stored).

Just checked my own password recovery disk and it contains a file named:
userkey.psw in the root directory.

When I insert the same key without the file I cannot reset my password.
Copying the file back on it does allow me to reset my password.

Have you actually tried resetting your password with the usb key you
made? Maybe the process was flawed or you've already managed to remove
the file.

I also tried copying the file to another flash disk to try your theory
on the drive identification somewhere in the registry, but it accepted
any storage card, ipod or usb drive I copied the file onto. So your
theory doesn't hold on my system.

Jesse

 

[YS1]

Just checked my own password recovery disk and it contains a file

named: userkey.psw in the root directory.

When I insert the same key without the file I cannot reset my
password. Copying the file back on it does allow me to reset my
password.

I have checked many times and there is no such file anywhere on my USB
key. I also formatted it many times (I am trying to make a bootable USB
key), and the chances that I missed it are very low (I would say zero).

Have you actually tried resetting your password with the usb key you
made?

Yes, I did, and it works each time, even after several formatting
operations...
But when I try with another key (which of course does not have this
userkey.psw either), the wizard stops and complains that "this disk is
not a reinitialisation disk".

I also tried to use my valid USB key to reset the password of another
account, and this does not work (fortunately!).

I also tried copying the file to another flash disk to try your
theory on the drive identification somewhere in the registry, but it
accepted any storage card, ipod or usb drive I copied the file onto.

Of course I could not try this, because of the lack of userkey.psw.

So your theory doesn't hold on my system.

Maybe they are not similar? I am using a (French) Windows XP Home
Edition with SP2, fully up to date according to Microsoft Update.

 

[Vanguard]

I did not say so. I do not know which file you are talking about. The
"Create a Password Recovery Disk" Wizard did not create any visible
file on my USB key (and I have configured Explorer to show hidden and
system-hidden files).

"I have created a Password Recovery Disk". Yep, that means you created
the .psw file, or you tried to create one, on whatever you selected as
the storage media on which to save that file. The Password Recovery
Disk wizard creates a .psw file that is about 1.5KB in size. If the
file is not there, Password Recovery Disk did not work. Of course, you
could re-initialize your USB thumb drive using whatever utility its
maker provides for that device. Have you copied any other files to your
USB thumb drive to know if it is still usable. They do go bad with
repeated use or abuse and why they should never be used for permanent
storage (or your only copy which means you should have a backup on other
media).

 

[Vanguard]

Well, I just ran the Password Reset wizard and it is hardcoded to write
the .psw file to the A: drive which is usually a floppy. Did you manage
to slide your USB thumb drive so it was assigned as the A: drive?

 

[Allan]

I have checked many times and there is no such file anywhere on my USB
key. I also formatted it many times (I am trying to make a bootable USB
key), and the chances that I missed it are very low (I would say zero).

Yes, I did, and it works each time, even after several formatting
operations...
But when I try with another key (which of course does not have this
userkey.psw either), the wizard stops and complains that "this disk is not
a reinitialisation disk".

I also tried to use my valid USB key to reset the password of another
account, and this does not work (fortunately!).

Of course I could not try this, because of the lack of userkey.psw.

Maybe they are not similar? I am using a (French) Windows XP Home Edition
with SP2, fully up to date according to Microsoft Update.

After trying to run the wizard again, I found the solution which it states
when you run the wizard. Namely, just create a new password recovery floppy
disk and the previous one (on your USB flash drive) will be invalidated.
Then you can discard the new recovery floppy disk or do whatever you wish
with it. Then reinitialize your USB flash drive and see if it can be reused.

 

[YS1]

"I have created a Password Recovery Disk". Yep, that means you

created the .psw file, or you tried to create one, on whatever you
selected as the storage media on which to save that file. The
Password Recovery Disk wizard creates a .psw file that is about 1.5KB
in size.

I have never seen such a file after executing the "Create a Password
Recovery Disk". It seems that the wizard did not create such a file.

If the file is not there, Password Recovery Disk did not
work.

It seems that the wizard worked correctly nonetheless, since my USB disk
can actually be used to reset my password (while other disks with which
I have not executed the wizard cannot).

Of course, you could re-initialize your USB thumb drive using
whatever utility its maker provides for that device. Have you copied
any other files to your USB thumb drive to know if it is still
usable.

I have read and written hundreds of files since I executed the wizard
(this was more than 6 months ago), and it works very well.

They do go bad with repeated use or abuse and why they
should never be used for permanent storage (or your only copy which
means you should have a backup on other media).

I use my key as a transfer media (between my laptop and the school's
computers, since connecting to their network is forbidden). That is why
I have copied so many files to it.

 

[YS1]

After trying to run the wizard again, I found the solution which it states

when you run the wizard.
Namely, just create a new password recovery floppy
disk and the previous one (on your USB flash drive) will be invalidated.
Then you can discard the new recovery floppy disk or do whatever you wish
with it. Then reinitialize your USB flash drive and see if it can be reused.

I have started and completed the wizard again, and I have seen no such
message. Maybe it was forgotten during the translation process??

My laptop does not have a floppy drive, so I could only create another
USB stick recovery disk, which would move the problem from one disk to
another.

I have downloaded a disk editor and used it to set every byte of my USB
disk to 00 (directly accessing to the physical drive, so I erased the
boot sector as well). I have not reformatted my disk after that, so it
contains really no data at all. But the Password Recovery Wizard still
accepts it as a valid reinitialisation disk !

I have also downloaded VolumeId by MS TechNet/SysInternals to change the
volume ID of my USB disk, and the Wizard still accepts it after this !

 

[Vanguard]

Sounds like you have some odd configuration of this particular USB thumb
drive, like maybe a hidden partition. That's why I mentioned using the
maker's initialize utility rather than trying to just format it.

 

[YS1]

Vanguard a écrit :

Sounds like you have some odd configuration of this particular USB thumb
drive, like maybe a hidden partition. That's why I mentioned using the
maker's initialize utility rather than trying to just format it.

Thanks for the idea, but Intuix does not provide any utility for my USB
key. On the other hand, I have accessed the physical drive using a disk
editor and set each byte to 0x00, thus destroying any partition (I think).