• Introduction
• Software License
• How to create a bootable UFD
• How to use the program
• Requirements and limitations

Elcomsoft System Recovery (ESR) is a special boot disk (CD of UFD) based on Microsoft Windows Preinstallation Environment (Windows PE). Windows PE is a hardware-independent minimal Windows system that provides limited services based on the Windows Server 2008 kernel, including native support of NTFS file systems without 3rd party software of drivers. With it, you can use the same preinstallation and troubleshooting environment on all of the desktop computers in your company, or on your home computer, and recovery efforts are less time-consuming and more productive.

ESR has the following features and benefits:

• Out-of-the-box solution, no other software is needed -- simply insert the disk and boot from it
• An ability to create USB Flash Drives (UFD) to boot computers that don't have CD or DVD drives
• Based on Windows PE: licensed, industry-standard, 100% compatible with all hardware
• Supports Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
• Supports 32-bit and 64-bit (x86) operating systems
• Supports all non-US versions of Windows, multilingual user names and password (UNICODE compliant)
• Complete support of all RAID and SCSI devices (using Windows drivers)
• Detect all Windows operating systems installed on the computer -- just select from the list (or browse for specific Registry files)
• Dump password hashes from SAM/SYSTEM files or Active Directory database, and write them to the text file for further analysys and password recovery
• Get the list of all local user accounts and their properties; highlight Administrator accounts
• Lookup account privileges (except ones set through local or group policies)
• Detect accounts with empty passwords
• Show password hashes (LM and NTLM)
• Give Administrator privileges to any user account
• Enable/unlock disabled/locked accounts
• Instantly recover passwords for some special/system accounts (like IUSR_, HelpAssistant etc)
• Recovery short and simple passwords in just seconds using pre-configured built-in brute-force and dictionary attacks
• Reset and change passwords for any local accounts
• Backup SAM/SYSTEM files if any changes were made, and restore these files from backup (e.g. after successfull logon with new password)

Note: some features are available in Standard and/or Professional version of the ESR only.

Software license

The ESR license is available online.

How to create a bootable UFD

To create a bootable UFD (USB Flash Disk), start the ESRBOOT utility (from the CD) and follow a few simple steps to create a bootable UFD:

• Accept the ElcomSoft end user license agreement
• Attach the removable device you would like to format as a bootable disk (warning: all data on this disk will be deleted!)
• Select the disk from the list of drives drop-down box. It is recommended to have an option Show compatible devices only enabled; you may wish to switch it off only if ESRBOOT does not show your removable disk while you're sure you can boot from it.
• The program verifies that the given disk can be configured to boot ESR; creates a special partition; creates a logical drive; formats the drive; makes this drive bootable; copies the ESR files (Windows PE and ESR itself).

How to use the program

To boot your computer from ESR CD, you should setup you BIOS to have the CD-ROM drive as the first device in the list.

Then, simply insert the ESR CD and reboot. You will see the Press any key to boot from CD message. Simply press any key (such as or ), and ESR will start booting (creating the RAM drive and loading Windows PE).

When Windows PE (and so ESR) is started, you may need to specify additional mass-storage drivers: press Load driver button, and browse for the disk (floppy, USB flash disk or CD) that contains the drivers for your disk(s). ESR will load the driver yiou specified, and update the list of available partitions. The Driver load status window will let you know whether the driver has been loaded successfully..

If you boot from the UFD (see the next topic, the steps are generally the same. You will just have to setup your BIOS to boot from the USB device first (not the CD); also, there will be no Press any key... message during boot process.

The complete ESR reference is available online.

Requirements and limitations

• A minimum of 512 MB of RAM.
• The product allows to view/change some properties (Administrator account, Account is locked/disabled, Password expired, Password never expires) for local user accounts only, but not for AD accounts.
• Some computers may require 3rd party mass-storage drivers (RAID, SCSI, SerialATA etc). You can load additional drivers right when ESR is already booted (from CD, USB flash drive or floppy disk).
• When you boot from the CD, you cannot save password hashes back to the disk, but only to the hard drive.

There are also some special requirements for booting the computer from UFD (USB Flash Drive), as defined by Microsoft for Windows PE:

• The size of the UFD cannot be smaller than 256 megabytes.
• The size of the UFD cannot be larger than 32 GB.
• The UFD must report a drive type of Removeable, not Fixed.
• The UFD must be first in the list of boot devices in the computer BIOS.
• The computer BIOS must support the extended INT 13h (xINT13) BIOS interrupt for UFDs.
• The computer BIOS must support booting from UFDs.
• The computer's USB controller must support bulk-only transport (BOT).

ESR has been designed for maximum compatibility and should be able to boot even from external hard disk (USB or FireWire), but some restrictions still apply.

Please note that after you reset the password, you may lose access to the user's: web page credentials, file share credentials, EFS-encrypted files and certificates with private keys (signed/encrypted e-mail). For more information, please look at Microsoft Knowledgebase article: KB290260.