Related
Guys,
My wife put in a password to lock her phone (sensitive data) and now she doesn't know what it is, is there a way that I can dump the contents or access the data on the device? She took client notes on it and they were not set to be sync'd with her desktop, she needs them desperately. I'm the one that set up the syncing for NOTES and not WORD docs so I'm in deep S&*t with her!
The docs are in 'my documents' on the phone and not on the SD card.
Anyone able to do it?
Is there a limit on the number of try's?
When using a remote viewing/control software could I simple write a program that continues to run through the 9999 combos or the x trillion combos if she used the alpha-num setting? Are you able to enter the password on the desktop machine?
I like my private parts, please help!
I know a hardreset will dump everything on the phone and then she would be able to use the phone but I'll still be missing a couple of valuable parts of my body, if you know what I mean!!!!!!!!!!!!!!
Try to get your wife to remember at least the first number, so that you only have 999 tries before you actually find the correct code.
I didn't think it was to much to ask her to reminber the other 3 also but as wives will do, its still my fault for not backing it up!
Don't know anything that might help right now, but if I find something, I'll let you know. Also, for information, you might want to try SignWise - it uses a signature as a 'password' - and it's quite good
if my memory is correct (which isn't always the case) there is a program that shows your xda screen on the pc and you can manipulate it there. This in cooperation with a macro/keyrecorder you might get thru it. It probably would still need a lot of editing of the macro.
Thanks guys,
dcs, but then I won't be able to check on her
Does anyone know how to hack this?
Im stuck too. I thought maybe downloading the rom to the SD card might work, but you would have to do hard reset which would lost the data.
You might be able to try setting the active synch to backup up word documents (do it from the pc) then put the XDA in the cradle. Then try to forcefully synch from the PC. It might bypass the password.
I may have a solution, give me a couple of days to try it out and I'll let you know. In the meantime dont hard
reset orplay with it.
Cradeling the device requires the password before the connection is completed so I can't explore the device.
it's not an xda then i suppose ?
because all the xda's i've had synch without the password unless you are forming a new pathership
Its an MDAIII, but I think it still works the same with the WM2003 XDA. Maybe the solution in an old active sync, but I don't think I can go back in a version because the device is updated when I went to 3.7
Can anyone confirm if you can access data when a password is set using an old active sync?
well i can confirm that when i once types in the password for a connection and make it save it then i'm never required to type in the password again when i sync
If I had the Password the first time she entered it we could have done that but she forgot it before it was ever sync'd with the computer. So I need the password for the first time.
Anyone ever use this?
pget.exe gets files from your PocketPC.
http://wiki.xda-developers.com/wiki/XdaUtils
pget.exe Doesn't work until the password is entered to establish the link, it just sits there waiting for a connection. As soon as the Password is entered, it dumped the files to the PC (testing on my phone)
You may patch Active Sync so that it would not stop asking you a password after 3 wrong attempts:
old wcescomm.exe - patched WCESCOMM.EXE
00006C26: 74 90
00006C27: 05 90
Then you can "guess" the password by a bruteforce.
This patch is for ActiveSync 3.7.1 build 4034
You should kill WCESCOMM.EXE process before patching.
Hi Guy's/Gal's,
As you may be familiar with my OLD Windows 8 Hack (Blog + Video), and that really wasn't too hard to figure out (since then the last windows release now actually doesn't fix it but makes it obvious how to do it, making it no longer a real hack... However, I have now figured out another one... This one exploits the security in Windows 8 to view a Folders contents and technically edit/open the contents without ever modifying ANY security settings.
You can read a bit more on my Blog (also has a How to video on the TechMeShow on YouTube) or just watch the Video.
Question is, why do I bother with these specific bypasses or point out what may not be useful to some? As a developer, I.T. Prof., and security expert and someone who gets paid to work in Enterprise, this is alarming and is NOT good for the future of Windows 8. They don't take my calls or emails and this information should be open until it gets fixed, plus they don't pay me but I do have other and worse hacks for Windows 8 but I hope I won't have to publicly release them cause I will have to uninstall Windows 8.
Thanks,
Lance
lseidman said:
Hi Guy's/Gal's,
As you may be familiar with my OLD Windows 8 Hack (Blog + Video), and that really wasn't too hard to figure out (since then the last windows release now actually doesn't fix it but makes it obvious how to do it, making it no longer a real hack... However, I have now figured out another one... This one exploits the security in Windows 8 to view a Folders contents and technically edit/open the contents without ever modifying ANY security settings.
You can read a bit more on my Blog (also has a How to video on the TechMeShow on YouTube) or just watch the Video.
Question is, why do I bother with these specific bypasses or point out what may not be useful to some? As a developer, I.T. Prof., and security expert and someone who gets paid to work in Enterprise, this is alarming and is NOT good for the future of Windows 8. They don't take my calls or emails and this information should be open until it gets fixed, plus they don't pay me but I do have other and worse hacks for Windows 8 but I hope I won't have to publicly release them cause I will have to uninstall Windows 8.
Thanks,
Lance
Click to expand...
Click to collapse
Dude, you started MMC as Administrator (1:52-1:53)... you didn't bypass anything. :silly:
Since you allowed the program to run as Administrator it can access anything, for example: it also works when you start cmd as admin.
Yeah and in the video the kid gives his other account admin rights. To be secure you don't run as local admin... same in server / client environment. This isn't a hack.
Maybe you should watch from 1:50... No admin command prompt is loaded but say it was for argument sake. You couldn't view or edit the contents via Explorer but Security Template under the same account, it was accessible (couldn't view folder contents or perform any tasks in explorer).
So, if it was an admin account or in the admin user group, it shouldn't have been permitted either way as that's not how folder security is supposed to work or security in general. You have to provide explicit permission to the folder to let a specific user account (even with an account being in the Admin user group) have viewable access or any access, in this examples it plainly shows the flaw in that.
Donny1987 said:
Dude, you started MMC as Administrator (1:52-1:53)... you didn't bypass anything. :silly:
Since you allowed the program to run as Administrator it can access anything, for example: it also works when you start cmd as admin.
Click to expand...
Click to collapse
What part of the video was this done? Also they're not strictly local, they're associated with LIVE Accounts and logged in via remote desktop (not that that matters at all). This means, I use my LIVE password and email to login to the machine.
ROCOAFZ said:
Yeah and in the video the kid gives his other account admin rights. To be secure you don't run as local admin... same in server / client environment. This isn't a hack.
Click to expand...
Click to collapse
that was painful to watch
I see what your saying about folder access, if it doesn't work as admin in explorer then why should it on via the MMC.
but the simple fact remains, unless you have access to admin, you cant access MMC.
if you have access to admin then there is literally nothing I couldn't do to gain access to the correct folders anyway, that is very simple and ive yet to come across any folder I haven't been able to get in to AS ADMIN
Its not a major fail, a slight glitch at best, but only a fail if you the user allows access to your computer with admin rights.
as to accessing app isolated storage data, yes you could manipulate the app via the XMLs, we've been able to do that for years, theres no difference in that respect then analysing a process, and changing settings, memory calls or even injecting DLLs. So im not sure what the story is here, sorry.
lseidman said:
Maybe you should watch from 1:50... No admin command prompt is loaded but say it was for argument sake. You couldn't view or edit the contents via Explorer but Security Template under the same account, it was accessible (couldn't view folder contents or perform any tasks in explorer).
So, if it was an admin account or in the admin user group, it shouldn't have been permitted either way as that's not how folder security is supposed to work or security in general. You have to provide explicit permission to the folder to let a specific user account (even with an account being in the Admin user group) have viewable access or any access, in this examples it plainly shows the flaw in that.
Click to expand...
Click to collapse
I've watched the complete clip... you're just not getting it.
You logged on with an admin account, you allowed MMC to make changes to the computer by clicking on Yes.
Therefore you can expand the WindowsApps folder and browse.
When you start Windows Explorer, even when you are logged on with an admin account, it still requires your permission before you can change anything (Just like you clicked on Yes for MMC).
I have just created a new local user on my virtual Windows 8 machine without admin rights and opened MMC, it did not ask me to allow the program to make changes.
I then went to the Security Templates stuff like you did, and voila... I can't expand the folder.
It's not a 'hack' or 'flaw', this behavior is completely normal when you start a program as admin.
I've attached some screen shots so you hopefully understand.
Do me a favor then...
Load up a command prompt, but first you'll need to enable the Administrator account which is disabled on the system. To re-enable obviously go in to MMC and add the snap-in for user account management. Once the admin account is active (remember need to set a password).
Now, in the prompt please type:
%windir%\system32\runas.exe /noprofile /user:administrator "explorer.exe C:\"\Program Files"\WindowsApps"
Once you hit enter, the Windows Explorer will be loaded as "Administrator". Are you able to now view the folder contents logged in and under the authenticated Administrative account? No, unfortunately you can't, it requires you to go through the process with the security tab to provide full control. With MMC it bypassed that whole process, even as Admin (literally).
Maybe my point is a little more clear now, I hope? It doesn't matter if you're authenticated as Administrator or given Administrator privilege in MMC. Explorer still prevents you from viewing the folder contents or edit the folder contents.
Donny1987 said:
I've watched the complete clip... you're just not getting it.
You logged on with an admin account, you allowed MMC to make changes to the computer by clicking on Yes.
Therefore you can expand the WindowsApps folder and browse.
When you start Windows Explorer, even when you are logged on with an admin account, it still requires your permission before you can change anything (Just like you clicked on Yes for MMC).
I have just created a new local user on my virtual Windows 8 machine without admin rights and opened MMC, it did not ask me to allow the program to make changes.
I then went to the Security Templates stuff like you did, and voila... I can't expand the folder.
It's not a 'hack' or 'flaw', this behavior is completely normal when you start a program as admin.
I've attached some screen shots so you hopefully understand.
Click to expand...
Click to collapse
ok, let me put this another way
get access to that folder without giving yourself any admin rights.
If you do that then its a security risk, if you cant then your just highlighting one of the biggest USER fails of all time, a fail that's so epic that it single handily helps turn 10,000s of computers in to bots and that is running their default desktop account as an admin.
lseidman said:
Do me a favor then...
Load up a command prompt, but first you'll need to enable the Administrator account which is disabled on the system. To re-enable obviously go in to MMC and add the snap-in for user account management. Once the admin account is active (remember need to set a password).
Now, in the prompt please type:
%windir%\system32\runas.exe /noprofile /user:administrator "explorer.exe C:\"\Program Files"\WindowsApps"
Once you hit enter, the Windows Explorer will be loaded as "Administrator". Are you able to now view the folder contents logged in and under the authenticated Administrative account? No, unfortunately you can't, it requires you to go through the process with the security tab to provide full control. With MMC it bypassed that whole process, even as Admin (literally).
Maybe my point is a little more clear now, I hope? It doesn't matter if you're authenticated as Administrator or given Administrator privilege in MMC. Explorer still prevents you from viewing the folder contents or edit the folder contents.
Click to expand...
Click to collapse
As far as I know you cannot start Explorer anymore as administrator, since Windows 7 (maybe even Vista, but I never used it).
In Windows XP when you started a command prompt as admin and then 'explorer.exe /separate' then the explorer was really started as admin, this is no longer working... gotta be new security that Microsoft is using since Vista/7
As dazza9075 said, do the same without being an admin on your machine and then we'll start to use the words 'LePorte hack'
Hello, I'm XDA News Writer mustangtim49 and I made the horrible mistake of installing windows8 on my little emachines mini lappie. I lost my normal home wifi and now I can't access my computer, every time I input my password, my computer says "your computer is offline, try the last password entered on this computer" I'm ready to throw it away, but do to a bad break up, this is all I have and it's really affecting my ability to do my job here at XDA. Thank you for reading this and any guidance would be greatly appreciated.
[email protected]
You can reset the admin password using various available tools. I haven't tried it with Win8, but below are instructions for Win7. It shouldn't be different. Worse comes to worst, just reformat it and re-install, since it's a new install anyway.
http://pcsupport.about.com/od/windows7/ht/reset-password-windows-7.htm
For more resources (beware of spam): http://google.com/search?q="windows+7"+password+reset
There were also some reports from the CP version of password length needing to be between 8-16 chars, else an "incorrect password" error occurs.
http://www.technize.net/windows-8-maximum-password-length-limitations/
It's not a new install, I've been running it since it became available. Also, I read the links you provided, thank you, they require a disc to be burned, my mini has no disc drive.
[email protected]
Let me get this straight... is it your windows password or your home wifi password you can't get to work. You said you lost your home wifi. That has nothing to do with your windows password except it trys to check the microsoft account 1st then it uses the local. If there is something wrong with the local, take it somewhere that has free internet like dunkin donuts does in states and try logging in. Then switch to a local account.
I am tethering my phone as wifi and I still can't get past the password. It's the stupid w8 password screen when you first start the computer. Is says offline after I put in my password and will not let me in.
[email protected]
Being offline has nothing to do with the Win8 local password to login. I've been working with Win8 R&D for the past year and have yet to see an error like that.
Is it the WiFi password that is not being accepted?
Colphonix. I agree. Seems like the WiFi password.
Sent from my PI39100 using XDA Windows Phone 7 App
Also, if you switched to a Microsoft account to login, the password for that account is the one you need to login, not the one you created for the local account.
I hope that helps
-cp
While I was writing and testing a WP 8 web app, I had it connected via wifi to Fiddler2. When I plugged my Dev Unlocked HTC 8x into my computer, the phone "dialed out" to h ttps://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/01/2010/DeviceStatus?deviceId=deviceid&fulldDeviceId=fulldeviceid The response is an XML packet that tells the phone how many days are left of being DeveloperUnlocked as well as the number of apps that are allowed!
this request/response sequence happens EVERY time I plug my developer unlocked Windows Phone 8 into the USB port of my Dev PC and PIN unlock it.
Keep in mind I installed the root cert that Fiddler generated for my PC a while back, so it can decrypt HTTPS traffic to/from my phone.
If anyone knows what the integer equivalent of "that magic DWORD value" is, I will craft a custom response packet and see if it changes anything.
Please see the attached screenshot for proof!
Edit:
So I did try GoodDayToDie's xaps and it looks like increasing the value from 10 to 2147483647 (I think its the integer equivalent to 0x7FFFFFFF) didn't have any effect that I could see. The InteropCapNoOem xap fails to deploy with error code 0x81030120. This error code normally means you are NOT interop unlocked back in the WP7 days. The OemCapsNoInterop.xap file generates an error telling me to "fix the Capabilities in [the] WMAppMAnifest.xml file.
I wonder if I can sideload more than 10 apps now though?
Maybe we can figure out what app is generating this "call home" and see if there are any other funky things we can stick in the xml tree?
Whoa. I could have sworn they were using cert pinning for that. I'll investigate, though...
EDIT: Couldn't get that connection request even showing up on my work computer. Will try from home.
Here is the service operations page:
https://developerservices.windowsphone.com/Services/WindowsPhoneRegistration.svc/help and (according to API) DeviceStatus call don't have fullDeviceId={FULLDEVICEID} parameter.
BTW, compu829, what is the fullDeviceId parameter, how it looks like?
Wait... You could change the value on the phone? That's a huge improvement. I'm stuck with only 3 apps (stupid dreamspark) and desperately need more!
This is a great find! I, unfortunately have never seen this happen though. Do you happen to know if you had the WP Device Registration program or the Application Deployment program running at the time?
EDIT: I've been debugging multiple apps with Fiddler up and proxy on my phone and I haven't noticed this. I see it now. I feel stupid lol Time to play around
EDIT 2: Microsoft does NOT like when you have fiddler intercepting on Registration. It returns a success result, but the developer registration tool gives an error indicating that it cannot connect to the phone. Grrr and after I went through the work of changing the response value for the number of apps that can be sideloaded. I bet this is a timing thing... I'll see what I can do.
I don't think it's timing. Even if I left the request completely unmodified and just ran it through the proxy to watch the process, the tool said that there was a problem, and the phone did not get unlocked. They're either testing for the presence of a proxy somehow, or there's some side channel that *is* using cert pinning, and is therefore unable to connect through Fiddler.
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
On my phone, I noticed it AFTER I had developer unlocked it. More concrete steps on what I did to reproduce:
1. On test PC, Installed Fiddler.
2. On test PC, exported trusted root certificate that Fiddler installed.
3. Emailed certificate to my phone and installed it.
4. Now enable the proxy on the phone. Things like email, Windows Phone Updates, etc will now work normally!
5. Plug phone in to Visual Studio Development PC, and wait for the PC to detect the device.
6. You will see the phone "dial out".
Without installing the fiddler trusted root certificate, you will see the handshake, but the phone doesn't know what do do with the packet because the certificate generated by fiddler is untrusted.
Using this same technique, you can have some serious fun with Windows Updates
GoodDayToDie said:
Also, editing the a:AppsAllowed element doesn't seem to work. The phone doesn't complain or anything, but the registry value doesn't change.
Click to expand...
Click to collapse
see last post Are you guys installing the trusted root certificate on your phone?
compu829 said:
see last post Are you guys installing the trusted root certificate on your phone?
Click to expand...
Click to collapse
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
more detailed instructions
snickler said:
It would be nice if Fiddler's cert was trusted :/. I'm able to see all HTTPS requests, etc but it just hates it when dev unlocking the phone. Which other trust root cert are you speaking about?
Click to expand...
Click to collapse
this is what I did:
On Development PC:
1. Click Start, click Start Search, type mmc, and then press ENTER.
2. On the File menu, click Add/Remove Snap-in.
3. Under Available snap-ins, click Certificates, click Add, select current user, and then click Finish.
4. click ok to close the add/remove snap-in dialog
5. In the left-hand pane navigate to "Trusted Root Certification Authorities" --> "Certificates"
6. in the right-hand pane, look for the certificates labeled "DO_NOT_TRUST_FiddlerRoot" (I have two for some reason, you may only have 1)
7. Right-click on the certificate and go to "All Tasks" --> "Export".
8. Run through the certificate export wizard, leaving everything as the defaults.
9. Once you have exported your certificates, email them as attachments to your Windows phone.
10. Open the email on your WIndows Phone. Click on the certificate file and wait for it to process. Then when prompted, install it.
11. After that, any https traffic that you intercept/edit will go through as trusted to your Windows phone, provided that the application isn't expecting a specific certificate.
Things this made work:
1. all App communications over https
2. Windows Updates
3. all email accounts.
4. App Store communications (except for actually downloading apps, IIRC).
Things that didn't work:
1. Anything that requires certificate pinning as the certificate is embedded within the app. Therefore it doesn't make a call into the trusted root certificate store. I believe this includes running the actual "Developer Unlock" app.
if you place the following code in the "OnBeforeResponse" section of the CustomRules.js file, you should be able to install more than 3 or 10 apps, provided the program that is "phoning home" isn't using certificate pinning.
Code:
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("AppsAllowed>10</","AppsAllowed>400</");
... These are steps that have already been taken. You actually did even more steps then necessary. All you have to do is point to your computer's IP address and port that Fiddler is running on within IE Mobile (Make sure Remote IP access in Fiddler is enabled), click on the certificate and it will install on the phone. You'll be able to see the requests from the phone. Everything you listed above is what I've been able to do. Nothing different from what I was saying .
@compu829: Yes, of course I am. If I weren't, it wouldn't be possible to edit that value at all; I wouldn't even see it because the TLS handshake would fail... (FWIW, I work with proxies all the time, usually Burp Suite not Fiddler, but in any case I'm quite familiar with setting up the MitM certs). I do wonder whether there's something changed here (GDR2 change, maybe?) because I could have sworn that intercepting the phone's traffic during unlock didn't work at all before (presumably due to cert pinning). I may be mistaken, though.
In any case, it still doesn't *actually* work. I guess I could try invisible proxying - use ARP spoofing or a custom routing rule on the router to send the data through my PC, and capture/modify it there, without revealing the presence of a proxy - but I don't know if that's the issue or if it's something else entirely.
EDIT: Your steps are way more complex than needed. For example, you can export the root cert from Fiddler by going to Tools menu (in Fiddler) -> Fiddler Options -> HTTPS.
whoops lol. Oh well. I didn't realize it was so easy to export/Import!
Anyways, All I know is that I could pretty much do nothing on my phone when I connected it to the proxy until I emailed myself the root cert. Once I did that, email started flowing, apps started working, and WIndows Updates stopped erroring out.
It is entirely possible that whatever is generating the call is silently rejecting the response packet. I was just shocked when I plugged my phone in to see that packet show up.
I know that Windows Updates lets me modify the requests and responses without complaining, so maybe that is another way in? I assume that must be running elevated lol. Maybe we can get it to launch a background app that is already on the phone.
The way I see it, this will only work temporarily. Next time phone dials home without you running the Fiddler it will reset the AppsAllowed value. Am I right?
@amaric: If you'd actually read the thread, you'd see that it doesn't appear to work at all...
But yes, it would probably reset itself too. We don't have the ability (right now) to edit the registry keys which control that phone-home behavior. However, it might be / have been possible to do that if we had interop-unlock...
on the phone there is the file "PhoneReg.exe", which works with this data, and it check certificate Common Name (must be Microsoft...) and Thumbprint to hardcoded data
Didn't the ChevronWP7 work exactly like this until MS fixed the bug in NoDo?
@snickler, @GoodDayToDie
There is something I can't get out of my head...after the Ativ S devices are interop unlocked, they'd "reset" after a while until we made them stop phoning home...This means that somehow Microsoft is associating the phone's device ID with your interop level...is this something done purely server side, or is there a way to maybe send this info TO Microsoft's servers so they can send the info back to our phones? Just a thought....
That's an interesting research question; we can set the URLs which are used to make those "phone home" checks to a site we control, possibly use HTTP instead of HTTPS, and see if they work. Worst case, cert pinning will cause the connection attempt to fail and we're right where we are now; best case, it's... umm, well it's interesting, but I don't see any likelihood of actually getting *additional* permissions out of this. Still, I've been wrong about things like that before. Somebody want to set up a transparent HTTP -> HTTPS proxy to listen for the request, forward it, record the response and forward it?
hi guys
i have a big probleme
my sister forget the password of " Asus Vivotab Smart ",can i have a tuto to do a hard reset ???
when it power on it want password
naayja said:
hi guys
i have a big probleme
my sister forget the password of " Asus Vivotab Smart ",can i have atuto to do a hard reset ???
Click to expand...
Click to collapse
Did you use a microsoft account or where you/her illogical in using a local account?
If you did the sensible thing and used the microsoft account you can reset your password from another PC as long as the tablet does have a wifi connection. When you login on windows 8 if you have an internet connection it will actually connect to the internet to see if your microsoft account password has changed, enables you to use the same password across multiple machines and changing password on 1 machine updates all, also helps if you forget your password
https://account.live.com/ResetPassword.aspx
Otherwise. If its a local account. Its your own blooming fault if you forget your own password.
SixSixSevenSeven said:
Did you use a microsoft account or where you/her illogical in using a local account?
If you did the sensible thing and used the microsoft account you can reset your password from another PC as long as the tablet does have a wifi connection. When you login on windows 8 if you have an internet connection it will actually connect to the internet to see if your microsoft account password has changed, enables you to use the same password across multiple machines and changing password on 1 machine updates all, also helps if you forget your password
https://account.live.com/ResetPassword.aspx
Otherwise. If its a local account. Its your own blooming fault if you forget your own password.
Click to expand...
Click to collapse
no no i mean the system password when it start...
naayja said:
no no i mean the system password when it start...
Click to expand...
Click to collapse
That's what I mean aswell. The password you log into the computer with. When you get a windows 8 device it asks very clearly if you want to use/create a microsoft account to log in with, or if you want to make an account on that device only. And it heavily biases towards using the microsoft account (there is next to 0 reason to use local for a consumer).
If you or your sister ignored the big full screen page asking which to use, well sorry, your either gonna just have to try the password reset I linked to and hope you did select to use a microsoft account or accept that forgetting the password is a bad idea (infact I cant even work out for the life of me how one even does that). If it is the latter option, its fixable. I dont know how though. I guess booting into recovery and resetting the entire device that way would work, would restore the tablet to the state it came from the factory in so you will have to set it up and install all your software from scratch, in which case USE A MICROSOFT ACCOUNT SO THIS CANT HAPPEN AGAIN. You cant even use the app store properly with a local account, I think it lets you buy stuff but if you lose that account you lose your purchases. Whereas I have both my desktop and laptop configured with microsoft accounts, went on laptop (newer of the 2), went on store, it has all my apps listed already. The app I bought on my laptop is now installed on the desktop too without having to buy it again.
EDIT:
If you set a BIOS password as GoodDayToDie suggested, yeah, you better hope you remember that password because its not resettable and its not covered by manufacturers warranty, home or gadget insurance probably wont even be coerced into paying out for that.
He might have set a BIOS password... in that case, you're SOL.
Also, fix your damn thread subject.