For "Truly" Tech

The scratchpad of Sherlock


Meet PassPass (Bypass the Password), a nifty Grub4DOS batch script to disable/re-enable Windows logon password validation. Credit (as well as dis-credit) is to be equally shared between Wonko the Sane a.k.a. jaclaz and Holmes.Sherlock for the idea and coding respectively. We appreciate any success/failure report mentioning the following:

  • Windows version (e.g. XP, Vista, 7)
  • Service pack, if any
  • Architecture (e.g. 32-bit/64-bit)
  • msv1_0.dll version (e.g. 6.1.7600.16525) along with MD5 checksum, if possible

Technical details: The script tries to locate all existing Windows installations and corresponding Windows editions as well. Thereafter, it replaces the CMP instruction responsible for password verification with a ‘benign’ sequence of bytes. For reverting back the changes, the process is just the opposite. The whole idea is derived from WindowsGate and Astr0baby’s tutorial.


  1. Install Grub4DOS. You may prefer using RMPrepUSB. Script tested with Grub4DOS v0.4.5c-2013-03-03.
  2. Download grubutils and copy WENV binary on the root of the boot media. Script tested with grubutils-2011-06-27.
  3. Copy PassPass, PassPass.bak and menu.lst on the root of the boot volume.
  4. Boot
  5. Ideally ‘Autodetect’ mode should be able to list out all existing Windows installation. For buggy BIOS-es, try appropriate <Disk#> and <Partition#> to ‘Forcedetect’ Windows installations.
  6. Choose either ‘Patch’ or ‘Unpatch’ respectively for disabling/re-enabling password verification.
  7. Reboot and boot into target Windows.


  • Wonko the sane – For ideas, code snippets, information. The script embeds his DLL version detection script.
  • Ectomorph a.k.a. Damian Bakowski – For his ‘unannounced’ patch for 32-bit version of msv1_0.dll.
  • Astr0baby – For his reversing tutorial
  • Steve Si – For including support for PassPass in his wonderful tool Easy2Boot.


PassPass v1.0
PassPass v1.0
Version: 1.0
2.3 KiB

PassPass v1.1
PassPass v1.1
Version: 1.1
147.0 KiB



18 Responses so far

Nice job! You can now add PassPass to your Easy2Boot Mult-Boot USB drive – I have provided the required files in Tutorial 72a on my site.

Thanks Steve, Credits section updated with a link to the Download section of the relevant page.

results of test on my PC with 3 partitions containing
W-XP – W-7 (x32), W-8 (x64)
Testing PassPass

hashes SHA-1 using HashTab

XP SP3 original DLL
5.1.2600.5876 (xpsp_sp3_gdr.090909-1234)

W 7 SP1 x32 original DLL
6.1.7601.17514 (win7sp1_rtm.101119-1850)

W 8 x64 original DLL
6.2.9200.16384 (win8_rtm.120725-1247)

xp SP3 patched dll

W 7 SP1 x32 patched dll

W 8 x64 patched dll ??

XP SP3 unpatched dll

W 7 SP1 x32 unpatched dll

patch did not work on Win 8 Pro (x64)
(password still required and no change in hash

unpatch worked for W-XP and W-7 SP1 (x32)
Hash returned to same as original version

grub4dos 0.45c 2013-05-16


Hi Michael,

Your observations are as expected. We have already noticed that Win 8 requires a special treatment. Allow us to take some time to incorporate patch for Win 8. I’ll revert back.

Hi Michael,

Can you please give a try to the latest version of the script and menu.lst ( for Win 8 Pro (64 bit) ?

Hi Thank you for the update

Windows 8 Pro (x64) (upgrade version)

original MD5

unpatched by passpass 1.1 MD5

patched by passpass 1.1 MD5

The Patch worked and unpatch restored file to original state

One suggestion can you show path to msv1-0.dll when selecting which Windows to patch
eg MiniNT or Windows if you have both on one drive you do not know which one to patch ( I tried both)
(I have Windows XP and BartPE on same partition, both are recognised as Windows XP)

Hi Michael,

Thank for the feedback. What’s the version of the DLL for Win 8 Pro(64)?

Isn’t HD partition and directory being shown presently in OS selection list? e.g.(hd1, 2)/WINDOWS

the version of msv1-0.dll is 6.2.9200.16384 (win8_rtm.120725-1247)
(same Windows 8 x64 as previously mentioned)

Menu entry created on my PC

Windows XP at (hd1,0)
Windows XP at (hd1,0)
Windows 7 or Server 2008R2 at (hd1,1)
Windows 8 or server 2012 at (hd2,2)

the first 2 entries are the same
one is real Windows XP in C:\Windows
the other is BartPE in C:\MiniNT

most users will not have so many operating systems
thanks for a very usefull utility

I would have used P.Nordahl’s Offline PassWord Editor when doing a PC repair without the users password

Hi Michael,

From the menu you have posted, I understood the problem. Don’t worry. In the next version, Windows directory will also be added to help distinguish multiple installations on the same partition.

Hi Michael,

Does the latest version address your concern?

Menu now shows

Windows XP at (hd1,0)minint
Windows XP at (hd1,0)Windows
Windows 7 or Server 2008R2 at (hd1,1)Windows
Windows 8 or server 2012 at (hd2,2)Windows

So I know to ignore first entry for BartPE in minint

this deals with my request
thank you

sorry menu.lst is always error

i tried several time and combinations.. but I got always this message:

Error 8: Kernel must be loaded before booting

This tool is cool.
I installed version 1.4 to pendrive.
Runs good in Win 7 x32 Ult/Premium , Win 7 Premium x64.
And I’m sure i used in Vista Premium x64.
But ,incredibly, in a Vista Basic x32 OEM PC – say that msv1-0.dll is already patched.Of course, I used other tool to bypass password.
But ,this can be an isolated case?
Thanks for take some time .


Can you boot into Grub4DOS command line? Are you using the version of G4D I linked in the original post?

I made the USB pendrive with RMPrepUSB latest version, use E2B and use PassPass 1.4 from RMPrepUSB page(not v1.1 and not the paspass special version for E2B).

This 1.4 version comes with the wenv file.
Maybe I mixed somnething.But for Win 7 x32/x64 and Vista x64/Vista Premium x32 worked fine.
Just curious why this PC OEM with Vista Basic x32 said that msv1-0.dll is already patched.
And ,thanks for your response.

@Elfern Rivers

PassPass searches for known binary pattern(s) representing CMP instruction comparing MsvpPasswordValidate() method’s output. This method, as you might be knowning, is contained in msv1_0.dll, MS authentication library. The “other tool” (as you mentioned in your first post) which you have used to bypass the password for Vista Basic x32 OEM PC may have used the same trick. If PassPass fails to find the known pattern for specific DLL version, it infers that the DLL is already patched.

Also, I’d like to ask you whether original PassPass v1.1 (NOT the one forked by Steve, i.e. PassPass v14 as listed on Steve’s webpage (72a)) also displays the same message? I checked that I uploaded PassPass v1.1 on July 6, 2013 where as Steve’s version is there on his page since December 10, 2013. He may have some other modifications which I am not aware of.

I just used the December 1.4 version.
Use RMPrepUSB.E2B,then copy passpass 1.4.
I works at a little computer repair center.This pendrive I did in early January . And works good until this one case.
The computer was picked up.
Concerning your 1.1 version, I tested in 7 x64(Premium)-7 x32(Ult), Vista x64(Premium) and woks good.
If I had a change ,and another pendrive,I will retest your version with some computers.
This tools makes dealing with passswords , so easy.


If possible, please re-test PassPass v1.1 on Vista Basic x32 and let me know.

Leave a comment