July 28th, 2010
If you have forgotten your administrator password for Windows, you can use a Ubuntu Linux live CD or live USB to reset the password. This tutorial will show you how to do that, step by step.
If you run into any problems or have any questions, the folks at the Ubuntu Forums are very helpful and friendly.
I will not be answering any support questions posted as comments here.
Step 1: Boot up Ubuntu
With the Ubuntu CD in your optical drive or with the Ubuntu USB plugged into your computer, make sure your BIOS is set to boot from CD or USB before your hard drive. You can usually enter your BIOS settings by pressing F1, F2, F9, F10, F12, Esc, or Del during bootup, depending on the kind of computer you have.
Step 2: Install the password reset software
Installing software on Ubuntu is a bit different from installing software on Windows. Instead of going to a website to download setup files, you just tell the software package manager what you want installed, and it fetches it for you off some servers. It’s a lot like the iTunes App Store or Android Market.
This does assume that you have a working internet connection (wired preferred, but wireless can work, too). If, for some reason, your internet connection isn’t working on the computer you want to reset the password for, you can also download the chntpw .deb using another computer, transfer it over via USB, and then double-click it to install it.
Go to System > Administration > Software Sources
(Note: to those of you who have installed software in Ubuntu before, you actually do—at least as of Ubuntu 10.04—have to go to Synaptic to install chntpw. You can’t install it through Ubuntu Software Center).
(Note: you may be tempted to type chntpw into the search filter but it won’t show up there, since Synaptic hasn’t had time to rebuild the search index for quick filtering.)
Step 3: Mount your Windows drive
In order for you to reset your Windows password, you have to make the Ubuntu live session know that your Windows drive is available for use. This process is called “mounting.”
Step 4: Reset your password
chntpw is a terminal-based (not point-and-click) application, so to use it, we’ll have to open up a command-line terminal. Don’t be intimidated. I’ll walk you through the process.
I’m going to be offering a lot of explanation for those who aren’t experienced with the terminal and commands, but if you want to just skip over all that stuff, feel free to just pay attention to the terminal commands and ignore the explanations.
First, you’re going to cd (change directories) to the right Windows directory.
Start typing cd /media/ and then hit the Tab key, and it’ll autocomplete with the address of your mounted Windows drive.
Then type W and hit Tab again to get to either Windows (Windows 7) or WINDOWS (Windows XP). Yes, the terminal is case-sensitive, so upper- and lower-case matters!
Type S or s and hit Tab again to get System32 or system32 (again depending on whether it’s Windows 7 or Windows XP—I forget which it is for Windows Vista).
And do the same for config.
Tab completion makes things a lot simpler, so you don’t have to type every single word out. It also avoids the whole typo issue, in case you aren’t a good typist.
Once you’ve gotten to cd /media/name-of-your-windows-drive/Windows/System32/config or cd /media/name-of-your-windows-drive/WINDOWS/system32/config, hit Enter.
You should then type in sudo chntpw -u username SAM, where username is your actual username. For example, if your username is susan, it should be sudo chntpw -u susan SAM
After you type that in, hit Enter, and you’ll see a whole bunch of terminal output, most of which you can ignore:
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not ‘hbin’, assuming file contains garbage at end
File size 262144  bytes, containing 6 pages (+ 1 headerpage)
Used for data: 260/20240 blocks/bytes, unused: 9/4144 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 10
Minimum password length : 4
Password history count : 4
| RID -|———- Username ————| Admin? |- Lock? –|
| 01f4 | Administrator | ADMIN | dis/lock |
| 01f5 | Guest | | dis/lock |
| 03e8 | susan | ADMIN | |
———————> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID : 1000 [03e8]
User is member of 1 groups:
00000220 = Administrators (which has 4 members)
Account bits: 0x0214 =
[ ] Disabled | [ ] Homedir req. | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 10
Total login count: 100
This part is important, though:
1 – Clear (blank) user password
2 – Edit (set new) user password (careful with this on XP or Vista)
3 – Promote user (make user an administrator)
(4 – Unlock and enable user account) [seems unlocked already]
q – Quit editing user, back to user select
Select: [q] >
I would highly recommend typing 1 to blank the password instead of editing the password. After you type that, hit Enter, and you should see
Hives that have changed:
Write hive files? (y/n) [n] :
Type y and hit Enter to confirm the change. Once you see
then you’re done.
Now you can reboot, and you can log into your admin account with a blank password. Once you’re logged in, you can go to the Control Panel to change your password to something else—something you can remember.
If you’re curious, you can see an older version of this page.