NW Doc's

December 18, 2009

How to Change or Spoof MAC Address in Windows XP, Vista, Server 2003/2008, Mac OS X, Unix and Linux

Filed under: Uncategorized — Yash Kalra @ 11:59 am

A MAC address (Media Access Control address) is a quasi-unique identifier consisting of a six-byte number that is attached to most network adapter cards or network interface cards (NICs). As such, all network cards, whether an Ethernet NIC, a Gigabit Ethernet NIC, or a wireless 802.11a/b/g/n WiFi or HiperLAN adapter, should have different MAC addresses, which are also known as Ethernet Hardware Addresses (EHA) or adapter addresses.

In an operating system, a MAC address is usually represented as a 12-digit hexadecimal number, for example 1A-2B-3C-4D-5E-6F. In practical usage, a layer 3 protocol address such as an Internet Protocol (IP) address is resolved to a layer 2 MAC address by ARP (Address Resolution Protocol), which allows each host to be uniquely identified and frames to be marked for specific hosts on broadcast networks such as Ethernet. After translation (or when a host on the LAN sends its MAC address to another machine that is not configured to reject unrequested ARP replies, for preemptive caching), the MAC address is cached in the source PC’s ARP table for later use. The content of the ARP table on each computer can be viewed by typing arp -a in Windows or arp in Linux. The MAC address thus forms the basis of most layer 2 networking, upon which higher OSI layer protocols are built to produce complex, functioning networks.

There are many reasons why a user may want to change the MAC address of a network adapter, a practice also known as MAC spoofing. One example is bypassing MAC address filtering on a firewall or router. The trick can be used to get past a network access restriction by emulating a new, unrestricted MAC address, or to gain access by spoofing an authorized MAC address after sniffing a legitimate MAC address out of the air on a Wi-Fi network that uses MAC filtering.

Besides, hackers or enthusiasts also spoof another host’s MAC address as their own in order to receive traffic not meant for them, although the ARP poisoning technique is more commonly used. Changing the MAC address can also keep the real hardware address from being detected and logged by various services such as IDS, firewalls, DHCP servers and wireless access points, and is essential to protecting the user’s privacy. MAC spoofing can also potentially trigger a Denial of Service (DoS) condition by causing routing problems when a duplicate MAC address exists on the network, especially one identical to that of the gateway or the AP router’s BSSID (Basic Service Set Identifier).
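From the monitoring side, two traces of the behaviour described above can be checked in an ARP table: a hand-picked address such as 1A-2B-3C-4D-5E-6F has the locally administered bit set in its first byte, and one MAC answering for several IP addresses stands out. The following Python sketch is an added example, not part of the original post; it parses a constructed sample in the Windows arp -a layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `arp -a` on Windows.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          1a-2b-3c-4d-5e-6f     dynamic
  192.168.1.57          00-11-22-33-44-55     dynamic
  192.168.1.60          88-17-e8-90-e2-0a     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# An IPv4 address followed by a dash- or colon-separated MAC address.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\b"
)


def normalize_mac(text):
    """Return a MAC as 12 uppercase hex digits.

    Accepts 1A-2B-3C-4D-5E-6F, 1a:2b:3c:4d:5e:6f and the bare
    1A2B3C4D5E6F form used for the NetworkAddress registry value.
    """
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits.upper()


def classify_mac(text):
    """Decode the two flag bits carried in the first byte of a MAC."""
    first_octet = int(normalize_mac(text)[:2], 16)
    return {
        # Bit 0 set: group (multicast/broadcast) address, not a single host.
        "group": bool(first_octet & 0x01),
        # Bit 1 set: locally administered, i.e. assigned by software
        # instead of coming from the vendor's burned-in range.
        "locally_administered": bool(first_octet & 0x02),
    }


def parse_arp_table(output):
    """Extract (ip, normalized_mac) pairs from `arp -a` style text."""
    entries = []
    for line in output.splitlines():
        match = ARP_LINE.match(line)
        if match:
            entries.append((match.group(1), normalize_mac(match.group(2))))
    return entries


def review_arp_table(output):
    """Return findings worth a second look, as (reason, mac, ips) tuples."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in parse_arp_table(output):
        flags = classify_mac(mac)
        if flags["group"]:
            continue  # broadcast and multicast entries are expected
        ips_by_mac[mac].append(ip)
        if flags["locally_administered"]:
            findings.append(("locally-administered", mac, [ip]))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-by-multiple-ips", mac, sorted(ips)))
    return findings


if __name__ == "__main__":
    for reason, mac, ips in review_arp_table(SAMPLE_ARP_OUTPUT):
        print(f"{reason:24} {mac}  {', '.join(ips)}")
```

Locally administered addresses are also used legitimately, for example by virtual machines, so a hit is a prompt to check DHCP and switch logs rather than proof of spoofing.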

Whatever the reason, it’s pretty easy to change the MAC address or perform MAC spoofing on most of today’s hardware, as listed below. Strictly speaking, the original MAC address is burnt into the network card and cannot be changed. However, the operating system can present a different MAC address for the network interface card using the tricks below.

Change the MAC address in Windows

  1. Go to Start -> Control Panel. Double-click on Network Connections (inside the Network and Internet Connections category in Windows XP). Then, right-click on the active network connection whose network adapter MAC address you want to change (normally Local Area Network or Wireless Network Connection) and click on Properties.

    The above steps work in Windows XP, Windows 2000 and Windows Server 2003. For Windows Vista, access the NIC’s properties from Control Panel -> Network and Internet -> Network and Sharing Center -> Manage Network Connections.

    Alternatively, if you already know which network adapter is responsible for your network or Internet connection, go to Device Manager and open the properties dialog by double-clicking on the NIC itself.

  2. In the General tab, click on the Configure button.
  3. Click on Advanced tab.
  4. In the Property section, select and highlight Network Address or Locally Administered Address.
  5. To the right, “Not Present” radio button is by default selected as value. Change the value by clicking on radio button for Value:, and then type in a new MAC address to assign to the NIC.

    [Figure: Change MAC Address of Network Adapter]

    The MAC address consists of 6 pairs of hexadecimal characters, each a digit (0 – 9) or a letter (A – F). For example, 88-17-E8-90-E2-0A. When entering the new MAC value, omit the dashes (-), for example 8817E890E20A.

  6. Click OK when done.
  7. To verify the change of MAC address, go to command prompt, then type in one of the following commands:

    ipconfig /all
    net config rdr

  8. Reboot the computer if successful to make the change effective.

Note: To restore or reset back to original default MAC address, simply set back the option to “Not Present”.

Change the MAC Address of NIC in Windows via Registry

  1. Open a command prompt.
  2. Type the following command and hit Enter.

    ipconfig /all

  3. Note down the Description and the Physical Address (which is the MAC address) of the active network connection (ignore those in the Media Disconnected state).

    [Figure: Get MAC Address for Network Card]

    For example, in figure above, Description is Intel(R) Wireless WiFi Link 4965AGN and MAC address is in the format of 00-XX-XX-XX-XX-XX.

  4. In the command prompt also, type the following command and hit Enter.

    net config rdr

  5. Note down the GUID of the active connection’s NIC whose MAC address is to be changed. The GUID is contained within the { and } brackets right in front of the MAC address, as shown in the figure below.

    [Figure: GUID for the NIC]

  6. Type regedt32 or regedit in Start -> Run box or in Start Search for Windows Vista. Note: for Windows NT 4.0 and Windows 2000, regedt32 must be used.
  7. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

  8. Expand the {4D36E972-E325-11CE-BFC1-08002BE10318} tree, and there will be more sub-keys in the form of 0000, 0001, 0002 and so on.
  9. Go through each sub-key starting from 0000 and look for the sub-key whose DriverDesc value data matches the description, noted in the step above, of the NIC whose MAC address you want to change. In most cases, it will be similar to the network adapter card name.

    To verify that the sub-key found is indeed the correct one, check the value of NetCfgInstanceId, which should be the same as the NIC’s GUID taken from the step above.

  10. Once a sub-key is matched to the network interface card whose MAC address is to be spoofed, select and highlight the sub-key. Right-click on the sub-key (for example, 0000), then select New -> String Value. Name the new value NetworkAddress.

    Note: If a NetworkAddress REG_SZ value already exists in the right pane, skip this step.

  11. Then double-click on NetworkAddress and enter a new MAC address as its value data.

    [Figure: Change and Spoof MAC Address in Registry]

    Note that the 12-digit MAC address is in hexadecimal format and should be entered without any dashes (-). For example, 1A2B3C4D5E6F.

  12. Reboot the system to make the new MAC address effective. Alternatively, if you don’t want to restart the system, try to disable and then re-enable the network adapter in Device Manager.
  13. To verify the change of MAC address, go to command prompt, then type in one of the following commands:

    ipconfig /all
    net config rdr

Note: To restore the true original hardware burned-in MAC address, remove the NetworkAddress registry value that was added.

Alternative: Third party tools and utilities to change the MAC address in Windows operating system are plenty, for example: SMAC (direct download link to smac20_setup.ex, supports Windows Vista, XP, 2003, 2000), Macshift (direct download link to macshift.zip, for Windows XP), BMAC (almost identical SMAC MAC changer clone by moorer-software.com), Mac MakeUp (direct download link to macmakeup.zip, for Windows 2000/XP/2003/Vista), MadMACs (MAC Address Spoofing And Host Name Randomizing App For Windows, directly download MadMACs.zip), EtherChange (direct download link to etherchange.exe), and Technitium MAC Address Changer (for Windows 2000 / XP / Server 2003 / Vista / Server 2008).

How to Change MAC Address (MAC Spoofing) in Linux and *nix

To change your MAC address in Linux and most Unix-like (*nix) system, run the following script commands:

ifconfig <interface> down

ifconfig <interface> hw <class> <MAC address>

ifconfig <interface> up

For example, the command looks like “ifconfig eth0 down hw ether 1A:2B:3C:4D:5E:6F”. The first command brings down the network interface, the second command changes its MAC address, and the third command brings the interface up again. Note that in some cases, the following commands have to be used to bring the network interface down and up:

/etc/init.d/networking stop or /etc/init.d/network stop (in the case of Fedora Core 5)

/etc/init.d/networking start or /etc/init.d/network start (in the case of Fedora Core 5)

Alternatively, for Fedora Core 5 Linux with the iproute2 tools installed, the following commands can also change the MAC address to a spoofed one:

/etc/init.d/network stop

ip link set <interface> address 1A:2B:3C:4D:5E:6F

/etc/init.d/network start

For example, “ip link set eth0 address 1A:2B:3C:4D:5E:6F”. To check whether the MAC address has been spoofed, use ip link ls eth0 or ip addr ls eth0 instead of using ifconfig eth0.

How to Make the Spoofed MAC Address Permanent Even After Reboot in Linux

Edit the ifcfg-eth0 file (or other similar file if you’re changing different interface), add the following variable line to the file:

MACADDR=12:34:56:78:90:ab

Then run service network restart to make the change effective immediately.

How to Make the Spoofed MAC Address Permanent on Restart in Debian

Edit the /etc/network/interfaces file and add in the following variable line to the appropriate section so that the MAC address is set when the network device is started.

hwaddress <class> 02:01:02:03:04:08

For example, “hwaddress ether 02:01:02:03:04:08”.

Alternative: GNU MAC Changer (for Debian, Slackware, ArchLinux, Mandrake, Crux and RPM-based distributions such as Fedora, Red Hat, CentOS, ASPLinux, SUSE Linux and OpenSUSE).

How to Change MAC Address (MAC Spoofing) in BSD or FreeBSD

Issue the following commands in shell:

ifconfig <interface> down

ifconfig <interface> <class> <MAC address>

ifconfig <interface> up

The first command brings down the network interface (optional), the second command changes its MAC address, and the third command brings the interface up again (optional). For example, the command looks like “ifconfig xl0 link 1A:2B:3C:4D:5E:6F” or “ifconfig fxp0 ether 1A:2B:3C:4D:5E:6F”.

How to Change MAC address in Solaris

The shell command to change the MAC address in Sun Solaris is as below:

ifconfig <interface> <class> <address>

For example, the command looks like “ifconfig hme0 ether 1A:2B:3C:4D:5E:6F”. Note that the change is temporary and does not persist after a reboot. To make the change permanent, the command can be placed in a runtime control script (/sbin/sh).

How to Spoof MAC Address in HP-UX

It’s possible to change the MAC address using HP-UX SAM. Select Networking and Communications, select the interface, then click on Action -> Modify -> Advanced Options. Finally, change the value of the station address, which is the name for the MAC address in HP-UX.

How to Spoof and Change MAC Address in OpenBSD

Use the following command to change MAC Address to spoofed MAC in OpenBSD (after version 3.8):

ifconfig <interface> lladdr <MAC address>

For example, “ifconfig bge3 lladdr 1A:2B:3C:4D:5E:6F”.

How to Change to Spoofed MAC Address Permanently in OpenBSD

To make the MAC address changed at boot before network connection is established, and even before parsing of hostname.* file, edit the /etc/netstart file to add in the following lines before the line of “# Now parse the hostname.* file”:

if [ "$if" = "INTERFACE" ]; then
ifconfig <interface> lladdr <MAC address in format of 00:00:00:00:00:00>
fi

# Now parse the hostname.* file
....

How to Change MAC Address in Mac OS X

Since Mac OS X 10.4.x (Darwin 8.x) onwards, the MAC address of wired Ethernet interface can be altered in Apple Mac OS X in a fashion similar to the Linux and FreeBSD methods. To do so, type the following command in Terminal.app:

sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

or

sudo ifconfig en0 lladdr aa:bb:cc:dd:ee:ff (for Mac OS X 10.5 Leopard)

where en0 is the network interface (numbered from en0, en1, en2 …) and aa:bb:cc:dd:ee:ff is the desired MAC address in hex notation.

Alternative: MacDaddy (download MacDaddyX.dmg, support Airport wireless adapter)

Change Oracle Database User Password

Filed under: Uncategorized — Yash Kalra @ 11:53 am

To ensure the security of the Oracle database system and prevent unauthorized access to the Oracle database, it’s important for Oracle users not only to use strong and long Oracle passwords to resist brute force or dictionary attacks, but also to change the Oracle user password regularly. Oracle users also have to change the password when it has expired or is about to expire, if the database system administrator implements and enforces strict password control with the PASSWORD_LIFE_TIME option for user profiles, which limits the number of days a password can be used for authentication to log in to the system.

To change the Oracle password, users can use SQL*Plus or Oracle SQL and PL/SQL language interface administration tool such as Toad for Oracle. No matter what SQL apps you use, the commands and SQL query languages used to change the password are similar.

There are two SQL command syntaxes that can be used to change Oracle database user password:

ALTER USER user_name IDENTIFIED BY new_password;

or (from Oracle8 and above):

PASSWORD

With the PASSWORD command, if you need to change another user’s password, use the following command:

PASSWORD user_name

For PASSWORD command, after you press Enter, you will be prompted to input the old password and new password interactively. For example:

SQL> password
Changing password for DAVID
Old password:
New password:
Retype new password:

Note: You need to have enough privileges to change other Oracle user’s password.

As the placeholder names imply, user_name is the user whose password is to be changed, and new_password is the new password to assign.

Because the ALTER USER SQL syntax sends the new password to the Oracle database server unencrypted if used without the Advanced Security Option, and thus exposes it to security risk, Oracle users should always use the PASSWORD command to change the Oracle user password.

Disable Direct Root Login and User Access via SSH to Server

Filed under: Uncategorized — Yash Kalra @ 11:31 am

Everybody knows, including hackers and attackers, that all Linux and UNIX flavored systems come with an all-powerful root user account, which, once compromised, means all hell breaks loose. So it’s a good security practice to disable the ability of the root user to log in and gain access to the server system via SSH directly (of course, the system must have disabled FTP access). After disabling direct root SSH remote login, the chance of a brute force attack succeeding is greatly reduced.

To turn off and disable direct root SSH login, follow this simple tutorial:

IMPORTANT: Make sure you have another account (preferably one that belongs to the wheel user group too) which is able to log in via SSH remotely and able to su to the root user account. Otherwise you risk being locked out of your server.

  1. SSH into server and login as root.
  2. In command shell, use pico or vi to edit sshd_config file by typing one of the following commands:

    pico /etc/ssh/sshd_config
    vi /etc/ssh/sshd_config

  3. Scroll down the SSH server configuration file and locate a line like below:

    #PermitRootLogin yes

  4. Uncomment the line by removing the hash symbol (#), and then change the “yes” to “no”. The final line should look like below:

    PermitRootLogin no

  5. Save the config file. In pico, press Ctrl-o, followed by Ctrl-x. In vi, type :wq and press Enter.
  6. Restart SSH server by typing the following command in command line, and press Enter:

    /etc/rc.d/init.d/sshd restart

Log out from the SSH connection. Try to log in as root; it should fail with an Access denied error. To access the root account, log in with your own user name and password, and then su to root.
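To confirm that the edit from steps 3 and 4 took effect, the file can be checked the way sshd reads it: commented lines are ignored, the first uncommented PermitRootLogin wins, and a later Match block can re-enable root login for some clients. This Python check is an added example, not part of the original post; the sample configurations are constructed and the function name is hypothetical.

```python
import re

# Constructed samples. BEFORE and AFTER mirror steps 3 and 4 of the tutorial.
BEFORE = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

AFTER = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

# The fix appended below an existing line has no effect: first value wins.
SHADOWED = """\
PermitRootLogin yes
PermitRootLogin no
"""

# Root login disabled globally but re-enabled for one address range.
MATCH_OVERRIDE = """\
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def audit_permit_root_login(config_text):
    """Report how an sshd_config text sets PermitRootLogin.

    Returns a dict with:
      global              (line_number, value) of the first uncommented
                          PermitRootLogin outside any Match block, or None
      match_overrides     [(line_number, match_criteria, value), ...] for
                          Match blocks that set anything other than "no"
      root_login_disabled True only if the global value is "no" and no
                          Match block re-enables root login
    Include directives are not followed (assumption: single-file config).
    """
    global_setting = None
    overrides = []
    match_block = None  # criteria of the Match block we are inside, if any

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or one "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        args = parts[1].split() if len(parts) > 1 else []

        if keyword == "match":
            # Everything after a Match line is conditional until the
            # next Match line or the end of the file.
            match_block = " ".join(args)
            continue
        if keyword != "permitrootlogin" or not args:
            continue

        value = args[0].strip('"').lower()
        if match_block is None:
            if global_setting is None:  # first obtained value is used
                global_setting = (lineno, value)
        elif value != "no":
            overrides.append((lineno, match_block, value))

    disabled = (
        global_setting is not None
        and global_setting[1] == "no"
        and not overrides
    )
    return {
        "global": global_setting,
        "match_overrides": overrides,
        "root_login_disabled": disabled,
    }


if __name__ == "__main__":
    for name, text in [("before", BEFORE), ("after", AFTER),
                       ("shadowed", SHADOWED), ("match", MATCH_OVERRIDE)]:
        print(name, audit_permit_root_login(text))
```

On the server itself, sshd -t validates the file before the restart in step 6, and sshd -T prints the effective configuration.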

Change and Reset MySQL root Password

Filed under: Uncategorized — Yash Kalra @ 11:27 am

Other than the ways specified here to reset and change the root password for a MySQL database in the case that the password is forgotten or lost, the following instructions explain in detail the alternative way from the last part of the guide, where no additional file needs to be created:

  1. Login as root to the Windows or Unix-like (Unix, Linux or BSD) machine with the MySQL server.
  2. Stop the MySQL server by using either of the following commands:

    Linux: /etc/rc.d/init.d/mysql stop
    FreeBSD: /usr/local/etc/rc.d/mysql-server.sh stop

  3. Open the MySQL server startup script (i.e. mysql-server.sh, the file executed to start or stop the MySQL server).
  4. Add --skip-grant-tables as a parameter to the end of the line that contains the mysqld_safe command.
  5. Start MySQL server with the following command:

    Linux: /etc/rc.d/init.d/mysql start
    FreeBSD: /usr/local/etc/rc.d/mysql-server.sh start

  6. Alternatively, start the MySQL server directly and skip the editing with the following command:

    mysqld_safe --skip-grant-tables &

    Depending on your path environment, you may need to point to the correct directory where mysqld_safe is instead.

  7. Run the following commands to login as the mysql user and connect to mysql user/permission database:

    # mysql -u root mysql

  8. Run the update queries to change the MySQL password:

    mysql> UPDATE user SET Password=PASSWORD('newrootpassword') WHERE User='root';
    mysql> FLUSH PRIVILEGES;

    Note: Replace newrootpassword with the new root password for the MySQL server. FLUSH PRIVILEGES is needed to make the password change take effect immediately.

  9. Exit mysql database client by typing exit.
  10. Stop MySQL server with commands listed at step 2.
  11. Open the MySQL server startup script edited in step 3 again and remove the --skip-grant-tables parameter that was added.
  12. Start MySQL server by using command from step 5 or 6.

For Redhat Linux users, use the following instructions as the root user of Redhat Linux machine:

  1. Stop MySQL process by using command:

    # killall mysqld

  2. Start the MySQL server with following options:

    # /usr/libexec/mysqld -Sg --user=root &

  3. Start the MySQL client:

    # mysql

    You should see the following message:

    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 1 to server version: 3.xx.xx

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql>

  4. Use mysql database:

    mysql> USE mysql

    You should see the following message:

    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed

  5. Then, update the password for the root user with the following command:

    UPDATE user SET password=password("newpassword") WHERE user="root";

    Replace newpassword with your desired password. You should see the following message:

    Query OK, 2 rows affected (0.03 sec)
    Rows matched: 2 Changed: 2 Warnings: 0

    Rows affected may be different, but the Query OK should be there.

  6. Flush the database privileges to reload it in order to make the changes effective:

    mysql> flush privileges;

    You should get the following result:

    Query OK, 0 rows affected (0.02 sec)

  7. Exit the MySQL client by typing exit.
  8. Kill the MySQL server process by typing killall mysqld.
  9. Then start MySQL again:

    /etc/init.d/mysqld start

Reset and Change Windows NT/2000 Administrator or User Password with chntpw in Linux

Filed under: Uncategorized — Yash Kalra @ 11:22 am

Windows NT, Windows 2000 and Windows XP users who have forgotten the administrator account password have many ways to hack, crack, recover or reset the administrator password. Another way to break into a Windows PC that is locked with a forgotten or unknown password is to use chntpw, a Linux-based program to change and reset the password of a Windows administrator account.

Chntpw is a program designed to overwrite and set Windows NT or Windows 2000 SAM password of any user that has a valid (local) account by modifying the encrypted password in the registry’s SAM file. User of chntpw does not need to know the old password to set a new password. Actually, chntpw is now available in the form of bootdisk or LiveCD which includes necessary stuff to access NTFS partitions and scripts to glue the whole thing together.

Chntpw works on NT system which is offline (turned off), and can only be used on local machine and cannot be used on a remote machine. However, chntpw can be installed on a Linux system such as Ubuntu, and then used to recover by resetting Windows user account password by mounting the Windows drive, connected via physical IDE/SATA/SCSI interface or USB portable disk.

Chntpw is pretty easy to use. It can be found and installed using aptitude if you’re using a Debian-based system, or can be downloaded and installed in Ubuntu with a simple “sudo apt-get install chntpw” command. Chntpw is likely to be available in other distributions’ package managers too, or the source code can be downloaded from http://home.eunet.no/~pnordahl/ntpasswd/editor.html.

Chntpw Usage Guide

  1. Mount the Windows NTFS, FAT or FAT32 partition to the Linux system, allowing read and write access support.
  2. Locate the SAM file for Windows 2000, Windows NT or Windows XP, which is normally located in either the \Windows\System32\config or the \Winnt\System32\config folder. Change directory into the folder, which contains a number of files such as SAM, SYSTEM and SECURITY.

    Inside the folder, issue the following command to automatically change the administrator password:

    chntpw SAM

    Issue the following command (replace USERNAME with actual user name on the computer) to change the password for a normal restricted user account:

    chntpw -u USERNAME SAM

    Tip: To list all the users in the SAM file, use the chntpw -l SAM command.

  3. Chntpw will display some information on screen, and then prompt for new password to reset the existing password. Enter a new password for the administrator or user account.

    Tip: To reset the password to blank (no) password, enter * (asterisk).

  4. Unmount the drive, and then restart the Windows computer. The password of the administrator or user account that was reset should be changed accordingly.

There are other options for chntpw, which can be displayed with the following command:

chntpw -h

# chntpw help and usage

chntpw version 0.99.3 040818, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username to change, Administrator is default
 -l          list all users in SAM file
 -i          Interactive. List users (as -l) then ask for username to change
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -t          Trace. Show hexdump of structs/segments. (deprecated debug function)
 -v          Be a little more verbose (for debuging)
 -L          Write names of changed files to /tmp/changed
 -N          No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!

Enable Multiple Concurrent Remote Desktop Connections or Sessions in Windows XP

Filed under: Uncategorized — Yash Kalra @ 11:05 am

Windows XP Professional and Windows XP Media Center Edition (MCE) have a Remote Desktop (RDP) service that allows the computer to be remotely connected to, accessed and controlled from another computer or host. However, a Windows XP machine allows only one concurrent remote desktop connection from a single user, with no support for multiple remote desktop sessions or connections.

Whenever a remote user uses the Remote Desktop Connection (RDC) client to connect to a Windows XP host, the local user is disconnected and the local console screen is locked, with or without his or her permission. Remote Desktop, unlike Terminal Server Services in Windows 2000, Server 2003 and Server 2008, is designed for single-user use only, no matter whether the user is local or remote.

Here’s a hack to unlock the single user limitation and enable support for multiple concurrent remote desktop connection sessions in Windows XP Professional and Media Center Edition, using either a patched termsrv.dll or the old patched, cracked termsrv.dll build version 5.1.2600.2055, so that unlimited users can simultaneously connect to a computer via Remote Desktop.

  1. Download a copy of patched termsrv.dll (in ZIP file) which has the Remote Desktop connection limitation deactivated for your version of Windows XP:

    Windows XP RTM, SP1 and SP2: termsrv.dll (version 5.1.2600.2055)
    Windows XP SP2: termsrv.dll (version 5.1.2600.2180)
    Windows XP SP3: termsrv.dll (version 5.1.2600.5512)

    For information, the termsrv.dll patch normally has the following HEX code bits overwritten with following value:

    00022A17: 74 75
    00022A69: 7F 90
    00022A6A: 16 90

  2. Restart the computer and boot into Safe Mode by pressing F8 during initial boot up and selecting Safe Mode. This step is only required if you’re currently running Windows Terminal Services or the Remote Desktop service, and System File Protection has to be bypassed; otherwise it will prompt the following error message to restore the original termsrv.dll.

    [Figure: Windows File Protection]

  3. Go to %windir%\System32 and make a backup copy of (or rename) termsrv.dll.
  4. Rename or delete the termsrv.dll in the %windir%\System32\dllcache folder.
  5. Copy the downloaded termsrv.dll into %windir%\System32, %windir%\ServicePackFiles\i386 (if exist) and %windir%\System32\dllcache.
  6. Then download and run ts_multiple_sessions.bat (in ZIP file) to merge the registry values into the registry, or run Registry Editor to manually add the following registry values:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]
    "EnableConcurrentSessions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "EnableConcurrentSessions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "AllowMultipleTSSessions"=dword:00000001

  7. Click on Start Menu -> Run command and type gpedit.msc, followed by Enter, to open up the Group Policy Editor.
  8. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.
  9. Enable Limit Number of Connections and set the number of connections to 3 (or more). The setting allows more than one user to use the computer and be logged on at the same time.
  10. Ensure the Remote Desktop is enabled in System Properties’ Remote tab by selecting the radio button for Allow users to connect remotely to this computer.
  11. Enable and turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.
  12. Restart the computer normally.

Note that if you cannot replace or overwrite termsrv.dll because of an access denied or file in use error, turn off “Terminal Services” in the “Services” control panel of “Administrative Tools”. Besides, each connecting physical connection must have its own user account on the target host, and must authenticate with its own corresponding user name and password credentials.

To uninstall and revert back to original termsrv.dll, simply delete the patched version, and rename the backup copy back to “termsrv.dll”. You probably have to do it in Safe Mode if the Terminal Services is enabled and running.

If the Windows XP computer is connected to a domain on the local network, Windows will set the value of the registry key “AllowMultipleTSSessions” to “0” every time the computer is restarted. To ensure that multiple or unlimited Remote Desktop connection sessions are allowed in an AD domain environment, the value data for “AllowMultipleTSSessions” has to be set to “1” on each system startup. To change the value, simply rerun ts_multiple_sessions.bat every time the computer is started. Alternatively, put ts_multiple_sessions.bat in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder so that it is run automatically when the first user with administrative privileges logs on to the desktop. Another workaround is to install an additional service or define a sub-key in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch that runs the registry batch file automatically on boot up, which is useful if nobody will log on to the computer but the hack is still required to allow unlimited Remote Desktop users.

Another issue is that if user closes the remote connection instead of logging off, when he or she tries to log back in, an error message related to TCP/IP event ID 4226 may occur. To resolve the issue, download and apply the Windows XP TCP/IP connection limit and Event ID 4226 patch, and set the connections to at least 50.

Enable and Allow Windows XP and Vista Remote Desktop Login Without Password (or With Blank Null Password)

Filed under: Uncategorized — Yash Kalra @ 11:01 am

When attempting to establish a Remote Desktop connection to a remote Windows XP or Windows Vista computer in order to log on to the machine remotely, the logon may be rejected, with the Remote Desktop client returning one of the following error messages.

Your credentials did not work.

or,

Unable to log you on because of an account restriction.

or,

An authentication error has occurred.
The Local Security Authority cannot be contacted

Remote Computer: xxxxx

By default, Windows XP and Windows Vista do not permit a user account without a password, or with a blank (null) password, to connect and log in remotely via Remote Desktop Protocol (RDP).

The obvious resolution is to create and set a password for the user account that needs to log on remotely to a computer via Remote Desktop, which is recommended for security reasons too. However, users who for some reason, such as convenience, cannot assign a password to the user account can use the following workaround to allow the user to log in remotely via the Remote Desktop Connection (RDP) client to a Windows XP or Windows Vista PC.

How to Enable Remote Login via Blank Passwords using Local Security Policy or Group Policy Editor

The configuration to enable logon with null (blank) passwords must be done on the host computer, i.e. the remote computer to be remotely controlled. To configure the Remote Desktop host computer to accept a user name with a blank password, go to Control Panel -> Administrative Tools (under System and Maintenance in Windows Vista) -> Local Security Policy. Alternatively, run GPEdit.msc (Group Policy Editor).

Then, expand Security Policies -> Local Securities -> Security Options (for users of Group Policy Editor or GPEdit.msc, expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). Locate the Accounts: Limit local account use of blank passwords to console logon only policy, and set its value to Disabled.

Once the policy is disabled, user accounts with blank or null passwords can log in remotely instead of only via the local console.

How to Configure Blank Passwords Allowed for Remote Log On via Registry

Windows XP and Windows Vista store the value of the policy set above in a registry value named “LimitBlankPasswordUse”. To lift the restriction that prevents Remote Desktop logon with a user account that has no password, set the value data for LimitBlankPasswordUse to 0 (so that there is no limit on blank or null password use), as in the code below. Alternatively, copy and paste the following text into a text file and save it with a .reg extension. Then run the .reg file to merge the value into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000000

For convenience, two registry files have been created and are available for free download; they enable or disable the use of a blank password (or the absence of a password) for remote login. Download BlankPasswords.zip and run EnableBlankPasswords.reg to enable or DisableBlankPasswords.reg to disable remote login via blank password.

The trick works on both 32-bit and 64-bit operating systems.
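
Before the limit is removed, it is worth knowing which local accounts would become reachable over Remote Desktop. The following PowerShell check is an added example, not part of the original post: it reads LimitBlankPasswordUse and lists the enabled local accounts that are not required to have a password. The function name Get-BlankPasswordExposure is hypothetical, and Windows PowerShell is assumed to be installed on the host.

```powershell
# Added example, not from the original post. Read-only; run in an elevated
# Windows PowerShell session on the Remote Desktop host.
function Get-BlankPasswordExposure {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaKey -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue

    # 1 = blank passwords limited to console logon, 0 = limit removed.
    $limit = if ($item) { [int]$item.LimitBlankPasswordUse } else { $null }

    # PasswordRequired = False means the account is allowed to have an empty
    # password; it does not prove that the password is actually empty.
    $accounts = @(Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
        Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
        ForEach-Object { $_.Name })

    $status = if ($null -eq $limit) {
        'LimitBlankPasswordUse is not set'
    } elseif ($limit -eq 0) {
        'Limit removed: accounts with a blank password can log on remotely'
    } else {
        'Blank passwords are limited to console logon'
    }

    New-Object PSObject -Property @{
        LimitBlankPasswordUse           = $limit
        Status                          = $status
        AccountsWithoutRequiredPassword = $accounts
    }
}

Get-BlankPasswordExposure | Format-List
```

Any account named in AccountsWithoutRequiredPassword should be given a password or disabled before the host accepts Remote Desktop connections.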

How to Remotely Enable Remote Desktop (Terminal Services or RDP) via Registry in Windows 2000/XP/2003/Vista/2008

Filed under: Uncategorized — Yash Kalra @ 10:47 am

Remote Desktop or RDP service is a free yet useful tool to remotely log on to a remote computer and gain full access and privileges as if the user were in front of the local console. Remote Desktop is also known as Terminal Services. It’s useful if the server or PC is located miles away in a remote location, and frequent trips to the site to troubleshoot, configure or manage the system are not a viable option.

Although most versions of the Windows operating system, such as Windows 2000, 2003, 2008, XP and Vista, come packaged with Remote Desktop, it is disabled by default. Turning on Remote Desktop from the local console is easy, as Microsoft provides a similar GUI (graphical user interface) in all editions of Windows (refer to the guide on enabling Remote Desktop in Vista).

However, if an off-site server needs to be accessed via the Remote Desktop Connection (RDC) client immediately, yet Remote Desktop is not enabled on the server, it becomes a headache. Luckily, it’s possible to remotely enable and turn on the Remote Desktop service on a remote PC or server by remotely editing its registry.

To remotely enable Remote Desktop on another computer, follow these steps:

  1. Login to the workstation with administrator credentials.
  2. Run Registry Editor (regedit).
  3. Click on File menu.
  4. Select Connect Network Registry in the pull-down menu.

  5. A “Select Computer” dialog search box is opened. Type the host name of the remote computer in the text box, or browse Active Directory to locate the remote server, or click on “Advanced” button to search for the remote computer.

  6. Click OK after the remote computer is selected. A node for the remote computer network registry will be displayed in the Registry Editor with HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU) hives.

  7. Navigate to the following registry key for the remote computer:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

  8. In the right pane, locate a REG_DWORD value named fDenyTSConnections. Double-click on fDenyTSConnections and change the value data from 1 (Remote Desktop disabled) to 0 (Remote Desktop enabled).

  9. Reboot the remote machine by issuing the following command in Command Prompt:

    shutdown -m \\hostname -r

    Replace hostname with the actual computer name of the remote host.

  10. Remote Desktop for the remote computer is now enabled and listening on the default Remote Desktop port for incoming Remote Desktop connections. For security reasons, you may want to consider changing the Remote Desktop listening port.
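
Because the value can be changed over the network by anyone with administrator rights on the target, administrators may want to keep an inventory of which of their hosts currently have Remote Desktop enabled. The following PowerShell function is an added example, not part of the original post; the name Get-RdpState is hypothetical, and the PortNumber value under WinStations\RDP-Tcp is the standard Windows location of the listening port, which the post does not give.

```powershell
# Added example, not from the original post. Read-only inventory over the same
# remote-registry channel; needs administrator rights on each host queried.
function Get-RdpState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $tsPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcpPath = "$tsPath\WinStations\RDP-Tcp"   # holds the listening port (PortNumber)

    foreach ($name in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $name; RdpEnabled = $null; Port = $null; Error = $null
        }
        $hklm = $null
        try {
            $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $name)

            # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
            $deny = $hklm.OpenSubKey($tsPath).GetValue('fDenyTSConnections')
            if ($null -eq $deny) {
                $row.Error = 'fDenyTSConnections not present'
            } else {
                $row.RdpEnabled = ($deny -eq 0)
            }

            $tcpKey = $hklm.OpenSubKey($tcpPath)
            if ($tcpKey) { $row.Port = $tcpKey.GetValue('PortNumber') }
        } catch {
            # Host unreachable, access denied, or remote registry not available.
            $row.Error = $_.Exception.Message
        } finally {
            if ($hklm) { $hklm.Close() }
        }
        $row | Select-Object Computer, RdpEnabled, Port, Error
    }
}

# Checks the local machine by default; pass -ComputerName for hosts you administer.
Get-RdpState | Format-Table -AutoSize
```

A host that reports RdpEnabled = True without a matching change record is worth investigating, since the registry edit described above leaves no prompt on the remote console.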

How to Disable Registry Editor Editing Tool (RegEdit)

Filed under: Uncategorized — Yash Kalra @ 10:43 am

Every Windows operating system, from as early as Windows 3.x, has been equipped with a registry editing tool, known at that time as “Registration Info Editor” or “Registration Editor”, which evolved into regedit.exe or regedt32.exe in Windows 9x and Windows NT. Editing the registry is always dangerous, as any erroneous or careless change may cause irrecoverable or irreversible system damage; at worst, the computer may no longer boot properly.

For users who don’t want to run or use Registry Editor at all, or for people who use a shared computer and want to stop all or some users from using Registry Editor, Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows Server 2003 and 2008 allow the administrator to use group policy to disable the Registry Editor.

To disable the Registry Editor for currently logged on user:

  1. Click Start -> Run, type regedit (in Windows Vista and 7, type it in Start Search), and press Enter.
  2. Navigate to the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

  3. Create a New -> Key named System.
  4. At the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System registry branch, create a new DWORD (32-bit) Value (REG_DWORD) named DisableRegistryTools.
  5. Set the value data for DisableRegistryTools to 1 to disable the Registry Editor.

    Warning: Before enabling the blocking of Registry Editor, think carefully: once the setting is enabled, the user will be locked out of the registry and will not be able to use Regedit to undo the change. However, there are workarounds to re-enable the Registry Editor after disabling.

Note: It’s also possible to disable the Registry Editor for all user accounts on the PC by creating DisableRegistryTools and setting its value to 1 in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System registry key.

Registry editing has been disabled by your administrator

Alternatively, users of an operating system with Local Group Policy Editor (GPedit.msc) can navigate to User Configuration -> Administrative Templates -> System and locate the Prevent access to registry editing tools option to disable Registry Editor access.

How to Disable and Turn Off UAC in Windows 7

Filed under: Uncategorized — Yash Kalra @ 10:39 am

The user interface of the User Account Control (UAC) settings in Windows 7 has changed to reflect the move to make UAC less annoying, give users more control and be more user-friendly. In Windows 7, UAC has a slider bar that lets users select which level of notification (and hence protection against unauthorized and malicious access) they want. With this fine-tuning of UAC, the wording ‘disable’ or ‘turn off’ is no longer available. So how can you disable UAC? Or at least, how can you turn off the notification prompt or pop-up so that it appears less often?

In fact, the steps to disable UAC in Windows 7 are similar to the steps to disable UAC in Windows Vista, with only a slight user interface change, and there are plenty of methods to turn off UAC too.

Method 1: Disable or Turn Off UAC (User Account Control) in Control Panel

  1. To use Control Panel to disable UAC in Windows 7, there are several methods to access the User Account Control settings page:
    1. Go to Start Menu -> Control Panel -> User Accounts and Family Safety -> User Account.
    2. Go to Start Menu -> Control Panel -> System and Security -> Action Center.
    3. Click or right click on Flag icon in notification area (system tray), and then Open Action Center.
    4. Type “MsConfig” in Start Search to start System Configuration, then go to Tools tab, select Change UAC Settings, then click on Launch button.
  2. Click on User Account Control settings link.

  3. Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me.

  4. Click OK to make the change effective.
  5. Restart the computer to turn off User Account Control.

Method 2: Disable UAC with Registry Editor (RegEdit)

  1. Run Registry Editor (RegEdit).
  2. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  3. Locate the following REG_DWORD value:

    EnableLUA

  4. Set the value of EnableLUA to 0.
  5. Optionally, to suppress the UAC consent prompt dialog, locate the following REG_DWORD value:

    ConsentPromptBehaviorAdmin

  6. Set the value of ConsentPromptBehaviorAdmin to 0 (optional).
  7. Exit from Registry Editor and restart the computer to turn off UAC.

Method 3: Turn Off UAC Using Group Policy

For Windows 7 Ultimate, Business or Enterprise editions, which have Local Group Policy, or for computers joined to a domain with Active Directory-based GPO, group policy can be used to disable UAC for the local computer or for many computers across large networks at once.

  1. Enter GPedit.msc in Start Search to run Local Group Policy editor. (Or gpmc.msc to run Group Policy Management Console for AD-based domain GPO editor).
  2. Navigate to the following tree branch:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

    In GPMC, browse to the required GPO that is linked to the domain or OU where the policy should apply.

  3. Locate the following policy in the right pane:

    User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    Set its value to Elevate without prompt.

  4. Locate the following policy in the right pane:

    User Account Control: Detect application installations and prompt for elevation

    Set its value to Disabled.

  5. Locate the following policy in the right pane:

    User Account Control: Run all administrators in Admin Approval Mode

    Set its value to Disabled.

  6. Locate the following policy in the right pane:

    User Account Control: Only elevate UIAccess applications that are installed in secure locations

    Set its value to Disabled.

  7. Restart the computer when done.

Method 4: Using Command Prompt to Disable User Account Control

The command line option can also be used in batch script command files, i.e. .bat and .cmd files, providing greater convenience to advanced technical users. In fact, the commands, which are also used to disable or enable UAC in Vista, do the same thing as directly modifying the registry.

  1. Open an elevated command prompt as administrator.
  2. To disable the UAC, run the following commands:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

    and optionally, the following command to suppress all elevation consent requests and notifications:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

    Tip: To re-enable UAC, the command is:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

    and to turn on prompt for consent UI:

    %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f

Disabling UAC may cause gadgets to stop working in Windows 7. Users facing this issue can use another workaround to suppress User Account Control.
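
All four methods end up changing values under the same Policies\System key, so a single read-only check can show whether UAC has been weakened on a machine. The following PowerShell audit is an added example, not part of the original post; the function name Test-UacPolicy is hypothetical, and EnableInstallerDetection and EnableSecureUIAPaths are the standard Windows value names behind two of the Method 3 policies, which the post does not name.

```powershell
# Added example, not from the original post. Read-only; maps each Method 3
# policy to its registry value and flags the data that the methods above set.
function Test-UacPolicy {
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')

    # Weak = the value data that switches the protection off.
    $checks = @(
        @{ Name = 'EnableLUA'; Weak = 0
           Policy = 'Run all administrators in Admin Approval Mode' },
        @{ Name = 'ConsentPromptBehaviorAdmin'; Weak = 0
           Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode' },
        @{ Name = 'EnableInstallerDetection'; Weak = 0
           Policy = 'Detect application installations and prompt for elevation' },
        @{ Name = 'EnableSecureUIAPaths'; Weak = 0
           Policy = 'Only elevate UIAccess applications that are installed in secure locations' }
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($c in $checks) {
        $value = if ($props) { $props.($c.Name) } else { $null }
        $state = if ($null -eq $value) {
            'NotSet'
        } elseif ($value -eq $c.Weak) {
            'Weakened'
        } else {
            'OK'
        }
        New-Object PSObject -Property @{
            Name = $c.Name; Value = $value; State = $state; Policy = $c.Policy
        } | Select-Object Name, Value, State, Policy
    }
}

Test-UacPolicy | Format-Table -AutoSize
```

A row with State = Weakened on a machine where nobody deliberately followed one of these methods means the value was changed by something else and should be traced.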