Altered pwdump2 version seeked

[foobar]

I'm looking for an altered pwdump2 variant which enables everyone, i.e. not just administrators, to retrieve the SAMs hash data under a W2k Pro (>=SP2) german system.
I got a former variant that didn't work but on international Windows systems because of some incompatibility in reg'keys.
I intend to help out a friend who cheaply acquired a used notebook with w2k on it, but unknown administrator account.
The phoenix BIOS is password-locked, so the boot sequence can't be changed to floppy drive > hdd ..., unfortunately.
My friend doesn't like the idea of sending in the notebook to the manufacturer in order to reset the bios password; i guess there is no guarantee any more.
Any ideas, tricks, or web links (code) dealing with my problem?

[AudioPro]

I've been doing lots of research into this very problem lately, and unfortunately I don't have a solution for you at this time.

It's not as easy as simple changes in the pwdump2 code. I'm pretty familiar with this source code, so read on for some technical details... the code needs to open the lsass.exe process, for which it needs SeDebugPrivilege privilege. However, under a normal user account, this privilege is not even in the process token. This means that you can't enable it. Todd Sabin's pwdump2 source doesn't correctly error check the AdjustProcessToken call that it makes, so you don't realize the reason it fails w/o admin access. And it's not as simple as ENABLING the SeDebug privilege, because the token doesn't contain that priv to begin with.

If I'm confusing anyone, here's a summary. The methodology that pwdump2 uses requires a special privilege that can be had only by an administrative account. I haven't found a simple way around that yet, but still doing a lot of research.

You might want to check out an NT rootkit. _http://www.rootkit.com. Possible answer to your problem here, but it's not going to be a simple point-click installation.

[foobar]

Originally posted by AudioPro
You might want to check out an NT rootkit. _http://www.rootkit.com. Possible answer to your problem here, but it's not going to be a simple point-click installation.

But you have to be Admin in order to install the NT rootkit, so it wouldn't get me further.
I don't know much of Sabin's source, unfortunately.
Perhaps there's someone else reading this, who could contribute any info?