1st of all IT'S YOUR PURPOSE LEGAL? YOU USE IT ON YOUR OWN PC? IF NO IS THE ANSWER, WE CAN'T HELP YOU!, GET THE H**L(sry moderators) OUT OF HERE, but if your answer is "YES, it's legal" than I will help you:
You can do this from the windows box too, but we're talking about Backtrack:
>>all the instruction are done from shell, in /tmp folder<<
Boot in backtrack and make sure your windows harddrive is mounted:
suppose the windows hdd is "/dev/hda1"
First you must to "extract" the key of the system which is in the "system" file located on the windows hddCode:mount /dev/hda1 /mnt/hda1
Now we must dump the SAM file using samdump2:Code:bkhive /mnt/sda1/WINDOWS/system32/config/SAM saved-systemkey
And in the end we use the well known john the ripper:Code:samdump2 saved-systemkey passwordhashfile
Keep in mind, if you use BT4b you will need SSE2 capable CPU to use john( I just found out now when I tested the given instructions to be sure just in case )Code:john -i passwordhashfile
BUT, if you have installed windows xp as default and you don't typed a administrator password in installer than it's much easier to boot in safe mode( pressing F8 before windows boots) and login in the "Administrator" account and just remove the password from control panel>user accounts>[your account].
Like my DSA teacher always says: "K.I.S.S.--keep it simple,stupid--"
THIS IS FOR EDUCATIONAL PURPOSES ONLY AND YOU ARE RESPONSIBLE FOR YOUR OWN ACTIONS