I would have just opened the case, yanked the hard drive, and read it from another computer; but this is much more elegant — Dana Epp's ramblings at the Sanctuary : Defeating the BOFH: Compromising A Windows System (via Scoble in Dana gets into a locked machine).
His methodology was to boot from a Knoppix CD and write over logon.scr with cmd.exe. Rebooting, Windows XP came to the login prompt; he waited; the login screensaver executed after about 15 minutes; this resulted in a command shell executing in the login screensaver's stead. Voila!
Much more elegant than yanking the hard drive.
Comments
Too many people run out of ideas long before they run out of words.