I did a search for this and didnt find it anywhere, and It took me a while to figure our where the SAM file even was and - well, it all seemed slightly confusing. Anyways a friend of mine got a laptop for christmas that came with Vista on it. She was simply personalizing her machine and changed the admin password, but somehow immediately forgot it. So, she called me.

I figured if she executed the "restore to an earlier date" function she can log in using the old password again. (she didn't turn the machine off since the passwd change)

And well, that worked. But I wondered about machines that were rebooted. People have asked me that question in the past and I never had experience with anything like this.

I was playing around with BT3 and found in the /pentest/password/ directory chntpw and ran it. The output told me you can list passwords if you had access to the SAM file!
1. mkdir /mnt/sam && mount /dev/<windows partition> /mnt/sam && cd /mnt/sam && ls.

2. You should see your windows files from the windows partitions. I was using Windows XP. then cd into /WINDOWS/system32/config and list whats there. In Windows XP it was "SAM"

3. cp SAM /pentest/password/chntpw/ && cd /pentest/password/chntpw && ./chntpw -l SAM
You should see something like this:
http://www.zombie.el.cx/images/SAM-chntpw.png

Mine was left blank because this box is just used for pentesting purposes. But if you run chntpw --help You can see all the great stuff you can do with that application:

trevelyn@celeritas:/mnt/usb/chntpw$ ./chntpw --help
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
./chntpw: invalid option -- -
chntpw: change password of a user in a NT/2k/XP/2k3/Vista SAM file, or invoke registry editor.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u <user> Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!
Hope this does good, Im sure I will reference it a few times more. If you get a chance to use this on a Vista machine please let me know where the SAM file was.