How to reset a Windows password with Ubuntu
July 30th, 2008
If you have ever forgotten the password for the only administrative account on Windows, or know someone who has, you know the experience can be infuriating. All is not lost, though, if you have a live CD handy. This page is an adaptation of Reset a Windows password with Knoppix for Ubuntu. It has also been tested for Windows XP, Windows Vista, and Windows 7.
This tutorial assumes you know how to obtain and boot an Ubuntu CD. If you don’t, go here first.
Start off by booting the Ubuntu CD.

Select your language of choice and then Try Ubuntu without any change to your computer.

Once the live session has loaded, go to System > Administration > Synaptic Package Manager.

Once Synaptic Package Manager is open, go to Settings > Repositories. This will open the Software Sources window.

Once the Software Sources window appears, make sure you check (or tick) the box next to Software restricted by copyright or legal issues (multiverse). Then click Close. You should get a warning about how you’ll have to reload the repositories to have your changes take effect.

So click Reload in Synaptic Package Manager and wait for the information on what’s available for installation to be updated.

Click Search and search for chntpw.

Right-click on chntpw and mark it for installation.

Click Apply and in the Summary window, click Apply to confirm that you want to apply changes.


Wait for the changes to apply, then click Close and then quit Synaptic Package Manager.
That method for installing chntpw assumes you have a working internet connection on the computer in question. If you don’t (or regularly do, but not when you boot the Ubuntu CD), you can also download chntpw from one of these mirrors, transfer it to the computer in question (via USB stick), and then double-click the download file to install it.

To mount (or make available for use) your Windows drive, go to Places and select the appropriate drive. In this case, my drive is an 8.7 GB drive. Yours will probably be different.

Then, go to Applications > Accessories > Terminal to use the command-line.
In most cases, I think the first mounted drive will mount to the /media/disk directory, so pasting this command into the terminal should get you into the right directory.
If not, you can try the command df -h to see where your Windows drive mounted to and substitute that directory path for /media/disk in the above command.
Note for Windows 7: the word Windows is not in all capital letters, so it would actually be cd /media/disk/Windows/System32/config/
If you paste in the command ls, you’ll see a list of files in the directory, and one of them should be called SAM.
AppEvent.Evt SAM software system.LOG userdiff.LOG
default SAM.LOG software.LOG systemprofile
default.LOG SecEvent.Evt software.sav system.sav
default.sav SECURITY SysEvent.Evt TempKey.LOG
Internet.evt SECURITY.LOG system userdiff
Paste in the command sudo chntpw SAM to change the Administrator account password.
If, instead, you want to change a particular username’s password, use this command instead:
Either way, you should see a whole bunch of cryptic terminal output:
Hive’s name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 243/19072 blocks/bytes, unused: 11/5312 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username:
RID: 03ec, Username:
RID: 01f5, Username: , *disabled or locked*
RID: 03e8, Username: , *disabled or locked*
RID: 03eb, Username:
RID: 03ea, Username: , *disabled or locked*
———————> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It’s currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
** LANMAN password not set. User MAY have a blank password.
** Usually safe to continue
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
At this point, you’ll be prompted to enter a new password. You should enter an asterisk to make it temporarily blank (you can always change the password to something else once you’re back in Windows).
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 – OK
Confirm the changes (with the letter y for yes) twice when prompted, and you should be done.
Now if you reboot into Windows XP, you can log into the Administrator account with an empty password.
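The path and hive-file problems that come up with this procedure (WINDOWS spelled with different capitalization, "No such file or directory", "File does not seem to be a registry hive!") can be checked before chntpw is run. The script below is an added example, not part of the original tutorial or of chntpw; its function names, return codes and the SAM.orig backup name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks to run before editing a SAM hive offline.
# Function names and the SAM.orig backup name are illustrative.

# Print the registry config directory under a mount point, matching
# WINDOWS/system32/config case-insensitively (XP vs. Windows 7 spelling).
find_config_dir() {
    local mnt dir
    mnt=${1%/}
    dir=$(find "$mnt" -mindepth 3 -maxdepth 3 -type d \
            -ipath '*/windows/system32/config' 2>/dev/null | head -n 1)
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# A registry hive file starts with the 4-byte signature "regf".
is_registry_hive() {
    [ -r "$1" ] && [ "$(head -c 4 "$1" | tr -d '\0')" = "regf" ]
}

# Locate SAM, validate it, keep one untouched copy, print the hive path.
# Return codes: 2 no config dir, 3 no SAM, 4 not a hive, 5 backup failed.
preflight() {
    local mnt backup_dir cfg sam
    mnt=$1
    backup_dir=$2
    cfg=$(find_config_dir "$mnt") || { echo "no Windows config directory under $mnt" >&2; return 2; }
    sam=$(find "$cfg" -maxdepth 1 -type f -iname sam | head -n 1)
    [ -n "$sam" ] || { echo "no SAM file in $cfg" >&2; return 3; }
    is_registry_hive "$sam" || { echo "$sam does not start with regf" >&2; return 4; }
    # Never overwrite an earlier backup: it may be the only pristine copy.
    [ -e "$backup_dir/SAM.orig" ] || cp -p "$sam" "$backup_dir/SAM.orig" || return 5
    printf '%s\n' "$sam"
}

# Stand-alone use: preflight.sh MOUNTPOINT BACKUP_DIR
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

If the file passes the regf check but chntpw still reports that it is not a registry hive, the file itself is intact and the problem lies with the chntpw build being used. Copying SAM.orig back over the edited hive undoes the change.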
August 1st, 2008 at 08:36
IT security people across the globe hate you now. But I love it.
August 1st, 2008 at 10:43
Well, I’m going to blog a bit more about security through obscurity in a bit – probably early next week.
This isn’t really intended for people trying to break into someone else’s box. It’s really for people who have forgotten their own passwords and want to reset it.
Information is information, though. I don’t know if malicious people will get a hold of this, but I suspect people who really are intent on compromising other people’s systems have the resources to figure it out themselves anyway.
August 1st, 2008 at 12:54
Even without blanking the admin password, the simple act of booting from a Live Linux CD (as demonstrated here) and mounting the Windows hard drive allows you to read/write anything on the hard drive. Thanks for letting me know about this particular tool though!
August 2nd, 2008 at 14:18
In response to the other comments, there are two ways information like this can work if you’re talking about trying to break into another’s computer. The hacker is obviously going to gain a way to get the information they want, but it also makes the regular Joes more aware that this is possible, and then they are more conscious of some problems.
August 11th, 2008 at 12:17
Genius, thanks.
August 11th, 2008 at 14:56
Or you can save about 20 minutes of your life and just download and burn the .iso image called ophcrack. When you boot from it, it automatically loads Linux, and starts scanning for passwords for you. Depending on how many and how difficult the XP passwords are, it should only take about 5-10 minutes, and the person wanting the password doesn’t have to do anything except boot the disk.
August 11th, 2008 at 16:11
Resetting a Windows password with Ubuntu doesn’t take 20 minutes, but thanks for mentioning another option. Options are good.
August 22nd, 2008 at 09:19
Thank you very much. This is very handy.
September 6th, 2008 at 11:45
@Nick – Yes, thanks for the additional option, but password cracking will take significantly longer than just resetting the password for any complex (non-dictionary) password. Of course, you can cut down the time with pre-generated rainbow tables. Either way, each option has its own advantages & disadvantages. The main advantage of cracking the password is that the user on the system won’t know that anything at all was done. If you’re trying to be stealthy, a password reset is kind of a dead giveaway.
To just dump the SAM table without having admin creds and crack on your own time without rebooting the Windows machine, I suggest that anyone interested look at USB Switchblade (Gonzor payload), here:
http://wiki.hak5.org/wiki/USB_Switchblade
There’s all sorts of other goodness in there such as installing VNC as a service, dumping stored Internet passwords, etc, all just by plugging in a USB drive without any user interaction.
September 6th, 2008 at 11:48
Thank you Ubuntucat for this great tutorial. It helped me shave some time off building my “hacker keychain”, loosely based on Larry Pesce’s, here:
http://pauldotcom.com/wiki/index.php/Episode115
October 7th, 2008 at 04:19
Hi,
when I try this I get:
/media/Zin_/WINDOWS/system32/config$ sudo chntpw SAM
[sudo] password for xxx:
chntpw version 0.99.3 040818, (c) Petter N Hagen
openHive(SAM): File does not seem to be a registry hive!
Simple registry editor. ? for help.
get_abs_path: Not a ‘nk’ node!
[0] > q
Any idea why??? Thx
October 7th, 2008 at 15:26
I have no idea what’s going on there. I did a Google search on that error message, and only two results came up, both of which seem to be the source code for the chntpw program.
November 4th, 2008 at 17:03
@thomas
I have the same problem. On a lark I copied one of the files to my girlfriend’s Ubuntu system (same version, same updates) and was able to edit it there.
The difference? My computer is 64 bit, hers is not.
I filed a bug, please add whatever information you can:
https://bugs.launchpad.net/ubuntu/+source/chntpw/+bug/293809
November 8th, 2008 at 00:23
I followed all the procedure; the Ubuntu screen tells me the password has been changed or blanked. But I still cannot log in to my Windows. I even used other computers to try; 3 of my computers wouldn’t let me… please help!
November 8th, 2008 at 11:46
I think this may be a little beyond me. You should post a thread on the Ubuntu Forums.
March 3rd, 2009 at 19:39
Does this work with Windows Vista????
March 3rd, 2009 at 20:23
Yes, it works for Vista, too.
More details here:
http://home.eunet.no/pnordahl/ntpasswd/
April 29th, 2009 at 13:36
I can confirm it does work with Vista, as I just used it a few minutes ago to reset a password in a partition that would not be mounted with pnordahl’s boot CD.
April 30th, 2009 at 14:01
Hey… thanks for the tips… works like a charm.
chntpw is only 120 KB, so you don’t have to download 450 MB of ophcrack. I mean, everybody has an Ubuntu live CD handy, right?
May 4th, 2009 at 02:29
There is a caveat here.
Perhaps you should try running ‘SAM’ in small case.
sudo chntpw sam
Or else you will end up with errors like this:
# chntpw SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
openHive(SAM) failed: No such file or directory, trying read-only
openHive(SAM) in fallback RO-mode failed: No such file or directory
closing hive SAM
Unable to open/read a hive, exiting..
May 4th, 2009 at 11:08
SAM is definitely in uppercase. I’ve executed this tutorial exactly as written. I have also double-checked, while booted into Windows, that C:\WINDOWS\system32\config\SAM is an uppercase directory.
May 5th, 2009 at 03:00
Great article, mate. It helped me to get out of the mess.
May 6th, 2009 at 08:01
What to do when it’s XP 64? I get the same ‘not a hive’ error.
May 6th, 2009 at 13:34
When I do a Google search for that error message, I get only 12 results (including this blog entry), so I don’t think there’s a solution to it.
June 6th, 2009 at 18:10
Confirmed that chntpw doesn’t work on x86_64;
use the static version from
http://home.eunet.no/pnordahl/ntpasswd/
August 3rd, 2009 at 12:27
Wah!!! Why want to use this method??? So complex!!!
Why don’t use the easy way??
August 11th, 2009 at 14:43
I just tested it on Windows 7, and it works. WINDOWS isn’t all caps, though.
September 16th, 2009 at 13:11
It worked like a charm!!! thanks a lot!!!
Daniele
October 3rd, 2009 at 08:28
This helped me a lot! Thanks.
Minor tip: On non-English WinXP installs, you need to explicitly mention the administrator username, because it may have a different spelling.
For me
sudo chntpw -u Administrateur SAM
worked. [note the case, and the French username]
The best way is to try
sudo chntpw SAM
in a graphical terminal. If it fails, scroll up and see the list of users it spits out. That might give you an idea.
Hope it helps someone :)
cheers,
-A
October 21st, 2009 at 04:58
Hi, great tutorial!
Can I translate and publish it on my site, also linking the source information?
Thanks!!
November 16th, 2009 at 12:00
Tested on Windows 7. It works when I set the blank passwd for Administrator. A non-empty passwd does not work; however, it’s powerful enough ;). Great
November 24th, 2009 at 10:10
Thank you. A lot.
November 24th, 2009 at 13:55
Did the procedure on XP, deleting the administrator password. All seemed to work well, but some recent patch on XP will not allow an administrator account to not have a password. It ends the process during login and puts me back to the login screen. I then tried to go back in and give the account a known password. The hard disk is no longer mounting, and I do not see the device. Advise?
November 25th, 2009 at 01:26
I got into chntpw and tried to re-add the password. It is now blank, so it seems I cannot re-add the password. Please advise…
December 18th, 2009 at 04:51
This is a really superb thing,
thank you very much.
January 6th, 2010 at 01:30
Hey. Brand newbie. Just downloaded Ubuntu, because a friend told me I could do this. But I can’t find chntpw. I tried searching for it, but nothing is around. Help! Computer fubar at the moment! Need this to work!
January 6th, 2010 at 02:46
Ok, fixed. User error, as normal. Got all the way to the use of chntpw. It gives me 5 options, and the first says to blank the password. I chose 1, then accepted all the prompts, and backed out. When I reloaded XP, it still said my password was in effect. It didn’t work. I’ve tried it three times now and I can’t get it to work. It doesn’t look the same as what you have pictured, but it still tried to implement. Not sure what I’m doing wrong, but I am a lowly Windows user, not a Linux ninja, and all I can do is look around and beg help.
February 3rd, 2010 at 01:06
I just tried this procedure with an old (at this point in time) Ubuntu 8.10 live disc. When I tried to install chntpw using Synaptic, no results were returned from the search. My newer (permanent) Ubuntu system’s package manager was able to find chntpw, however.
I tried a couple of other searches, and was about to manually edit the repository list files when it occurred to me to try apt-get. I opened a terminal window and entered
sudo apt-get install chntpw
and it was able to locate and install the program. (Apparently chntpw was there but had been deselected). When I mounted my XP partition and ran chntpw to blank out my own account’s password it worked like a charm.
So, if Synaptic doesn’t find the package, try going into a terminal and using apt-get (you’re going to need to open a terminal window anyway).
Thanks!
February 11th, 2010 at 15:14
As soon as I type “sudo chntpw SAM” I get this:
ubuntu@ubuntu:~$ sudo chntpw SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
openHive(SAM) failed: No such file or directory, trying read-only
openHive(SAM) in fallback RO-mode failed: No such file or directory
closing hive SAM
Unable to open/read a hive, exiting..
ubuntu@ubuntu:~$
Can someone help me?
February 20th, 2010 at 18:08
Hey, download the source code and use chntpw.static if you are on XP x64. Cheers.
March 5th, 2010 at 06:53
Worked a treat for me booting from a USB stick running CrunchBang Linux. I couldn’t use the sudo chntpw SAM option but I was able to use the sudo chntpw -u SAM. I tried setting the password, which didn’t work, but choosing the option to blank the password worked perfectly.
Thanks Ubuntucat!
March 14th, 2010 at 16:49
For those with issues on x64 systems,
Try using the ubuntu-x.xx-desktop-i386.iso to reset passwords. It worked for me.
July 9th, 2010 at 11:45
When I click reload I get a message that they cannot be found…. (For some reason this computer will connect to the wireless network by using a password but will not get on the internet, and I suppose because of permissions it’s not visible on the other computers.) I’m using Ubuntu to accomplish this. Ubuntu is not installed; it’s live. How do I get the thing on the internet? Again, it’s connected to the wireless network and has a very good connection.
July 21st, 2010 at 15:43
For those of you who are having issues with the x64 architecture, I recommend installing the NEWEST version of the software and following the directions from the ntpasswd website here:
http://pogostick.net/~pnh/ntpasswd/README.txt
Good luck and happy hacking.