HOWTO: Reset VSS 6 Admin Password

[Paul Gurtler]

This is F.Y.I. if you have forgotten a VSS admin password:

From time to time, there have been questions about forgotten admin
passwords, and the usual answer has been to contact Microsoft. Fortunately,
there is an easier way. Here is a step-by-step guide:

The best place to do this, is in an empty VSS database. Save the data\um.dat
file here, and get a copy of the data\um.dat file from the database where
the admin password is lost. Verify that you are prompted for a password when
opening VSS Admin on this database.

With a good binary data editor, like UltraEdit-32, replace the 2 bytes just
before "Admin" with BC 7F, and the 2 bytes at offset +32 bytes counting from
the A in Admin with 90 6E. In a database where Admin is the first entry, the
(decimal) offsets are 130, 131 for the first 2 bytes, (the 'A' in Admin has
offset 132), and 164, 165 for the last 2 bytes. When Admin is not the first
entry (VSS saves users alphabetically), these offsets are +64 per user
before Admin. You can also easily test that this is the needed change by
saving um.dat before and after setting the Admin password in an empty VSS
database, and (binary) compare the before and after um.dat files (this is
how we found this hack anyway). Now verify with VSS admin that there is no
password prompt anymore, and then copy the fixed um.dat file back to the
database where the problem occurred.

You could also easily write a C-program to do the modifications. This one
works at our place:

// Reset Admin password in um.dat to blank:
//
// Must be able to read and write in current directory containing
// um.dat. The fixed version of um.dat is written to umfix.dat, which
// must be manually renamed to um.dat (be sure to backup um.dat
// first).
//
// Compile with Visual C: cl resetadm.c

#include <stdio.h>
#define MAXBUF 65536
// The entire um.dat file is read and written in one chunk. If 64K is
// not enough, increase this value.

main()
{
FILE *fpr, *fpw;
char buf[MAXBUF];
int nr, nw, i;

fpr=fopen("um.dat", "rb");
if(!fpr)
fprintf(stderr, "Cannot open um.dat for read\n");
fpw=fopen("umfix.dat", "wb");
if(!fpw)
fprintf(stderr, "Cannot open umfix.dat for write\n");
if(!fpr || !fpw)
{
perror("fopen");
exit(1);
}

nr = fread(buf, sizeof(char), MAXBUF, fpr);
if(!feof(fpr))
{
fprintf(stderr, "Did not reach EOF on um.dat\n");
exit(2);
}

// Search for admin password:
for(i=132; i<nr; i+=64)
{
if(0==memcmp(buf+i, "Admin", 5))
break;
}

if(i>nr)
{
fprintf(stderr, "Could not find admin password\n");
exit(3);
}

buf[i-2]=0xBC;
buf[i-1]=0x7F;
buf[i+32]=0x90;
buf[i+33]=0x6E;

nw = fwrite(buf, sizeof(char), nr, fpw);
if(nw != nr)
{
fprintf(stderr, "Could not write umfix.dat\n");
exit(4);
}

printf("Now backup um.dat, and rename umfix.dat to um.dat\n");

fclose(fpr);
fclose(fpw);

return 0;
}

Cheers,
Paul.G...@simcorp.com