Resetting a Windows XP/7/8 password, the Linux way
What happens if a Windows user loses his or her password? No problem: Windows was never meant to be secure, only to appear as if it was.
There are several automatic tools out there. I preferred running my Fedora-based LiveUSB and fixing it while actually seeing what I’m doing. The whole thing is about modifying the SAM file, which is used for authentication.
Note that the flow shown below failed. What did work, eventually, was unlocking the Administrator account, which doesn’t have any password to begin with. Why I failed to reset a user’s password is beyond me. Maybe because it had administrator’s privileges? Maybe because it was Windows 8?
Anyhow, first I installed chntpw. It describes itself somewhere as an offline registry editor, but I never checked that.
# yum install chntpw
Following this guide, mount the partition and change directory to where the SAM file is (Windows/System32/config, like any NT machine). Note the capital letters in Windows and System32.
Then go (possibly as root)
$ chntpw SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 222/17400 blocks/bytes, unused: 14/2920 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | myself                         | ADMIN  | dis/lock |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID     : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0211 =
[X] Disabled        | [ ] Homedir req.   | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout   | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20) | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total login count: 10

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > q
This shows a lot of info, including the list of users. The point, however, is to reset one specific user, whereas changes made this way affect all users.
To get just the list of users,
$ chntpw -l SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 222/17400 blocks/bytes, unused: 14/2920 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | myself                         | ADMIN  | dis/lock |
And now let’s modify only one user in the list:
$ chntpw -u 'myself' SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 222/17400 blocks/bytes, unused: 14/2920 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | myself                         | ADMIN  | dis/lock |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!

RID     : 1001 [03e9]
Username: myself
fullname:
comment :
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.   | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout   | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20) | [ ] (unknown 0x40)  |

Failed login count: 2, while max tries is: 0
Total login count: 1

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] > 1

Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
 0  <SAM> - OK
In this case it clears the password (the choice of "1"). In fact, it looks as if the password had already been cleared when I captured this log, but that did no good.
As mentioned above, the password was still required after this, so the operation failed. I also failed to change the password for this user.
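The two per-user dumps above are easier to reason about once the "Account bits" word is decoded. Here is an added example (my own code, not from the original post and not part of chntpw) that parses chntpw's user table and decodes the account-control word into the same flag names chntpw prints; the bit values are the standard SAM account-control flags and reproduce the 0x0211 and 0x0214 lines above. The sample input is constructed from the output shown on this page; from an audit standpoint, an enabled administrator account whose dump shows "Passwd not req." (as "myself" does here) is exactly what an offline check of a SAM file should flag.

```python
import re

# ACB (account control) bits in the order chntpw prints them; the values are the
# SAM user-record flags and reproduce the 0x0211 / 0x0214 dumps on this page.
ACB_FLAGS = [
    (0x0001, "Disabled"), (0x0002, "Homedir req."), (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"), (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."), (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),
]

USER_ROW = re.compile(r"^\|\s*([0-9a-f]{4})\s*\|\s*(.*?)\s*\|\s*(ADMIN)?\s*\|\s*(.*?)\s*\|$")
RID_LINE = re.compile(r"^RID\s*:\s*\d+\s*\[([0-9a-f]{4})\]")
BITS_LINE = re.compile(r"^Account bits:\s*0x([0-9a-f]{4})")

# Constructed sample: the user table plus the start of one per-user dump, laid out
# the way chntpw 0.99.6 prints them (values taken from the logs on this page).
SAMPLE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | myself                         | ADMIN  | dis/lock |
RID     : 1001 [03e9]
Username: myself
Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.   | [X] Passwd not req. |
"""

def decode_account_bits(value):
    """Flag names set in an account-control word, in chntpw's print order."""
    return [name for bit, name in ACB_FLAGS if value & bit]

def parse_chntpw(text):
    """Map RID -> {name, admin, lock, flags}; flags stays None until a dump is seen."""
    users, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := USER_ROW.match(line):
            users[int(m.group(1), 16)] = {"name": m.group(2), "admin": m.group(3) == "ADMIN",
                                          "lock": m.group(4), "flags": None}
        elif m := RID_LINE.match(line):
            current = int(m.group(1), 16)          # following lines belong to this user
        elif (m := BITS_LINE.match(line)) and current in users:
            users[current]["flags"] = decode_account_bits(int(m.group(1), 16))
    return users

def no_password_required(users):
    """Names of accounts whose dump shows 'Passwd not req.', the flag an offline audit looks for."""
    return [u["name"] for u in users.values() if u["flags"] and "Passwd not req." in u["flags"]]
```

Pipe the real output of chntpw -l (and of chntpw -u for each user of interest) into parse_chntpw to run the same check on an actual hive.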
Reader Comments
chntpw doesn’t work with Win8.
Yes, it works with Windows 8; I just tested it with an admin account.
Works well when added to an Ubuntu stick as a tool to provide admin access to Windows laptops with a locked user or a forgotten password.
The procedure works with chntpw installed from the Ubuntu repositories (14.04), run on Windows 8.1. Setting a new password (option 2) didn’t work, but setting a blank one did the trick!
Setting a new password was not an option. Option 2 was “Unlock or Enable a User’s account (seems already unlocked)”.
I’m stumped. When I now go into Windows 7 I have problems trying to put any password in for the user.