July 30th, 2008
If you have ever forgotten the password for the only administrative account on Windows, or know someone who has, you know the experience can be infuriating. All is not lost, though, if you have a live CD handy. This page is an adaptation of Reset a Windows password with Knoppix for Ubuntu. It has also been tested with Windows XP, Windows Vista, and Windows 7.
This tutorial assumes you know how to obtain and boot an Ubuntu CD. If you don’t, go here first.
Start off by booting the Ubuntu CD.
Once the Software Sources window appears, make sure you check (or tick) the box next to Software restricted by copyright or legal issues (multiverse). Then click Close. You should get a warning that you’ll have to reload the repositories for your changes to take effect.
That method of installing chntpw assumes you have a working internet connection on the computer in question. If you don’t (or regularly do, but not when you boot the Ubuntu CD), you can also download chntpw from one of these mirrors, transfer it to the computer in question (via USB stick), and then double-click the downloaded file to install it.
In most cases, I think the first mounted drive will mount to the /media/disk directory, so pasting this command into the terminal should get you into the right directory.
If not, you can try the command df -h to see where your Windows drive mounted to and substitute that directory path for /media/disk in the above command.
Note for Windows 7: the word Windows is not in all capital letters, so it would actually be cd /media/disk/Windows/System32/config/
AppEvent.Evt SAM software system.LOG userdiff.LOG
default SAM.LOG software.LOG systemprofile
default.LOG SecEvent.Evt software.sav system.sav
default.sav SECURITY SysEvent.Evt TempKey.LOG
Internet.evt SECURITY.LOG system userdiff
If you paste in the command ls, you’ll see a list of files in the directory, and one of them should be called SAM.
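As an added example (not part of the original tutorial), the following POSIX shell script finds the config directory under whatever mount point df -h reported, regardless of the WINDOWS/Windows casing noted above, and checks that both the SAM and SYSTEM hives are present before chntpw is run; the mount-point argument and the directory layout are assumptions, and the printed command also passes the SYSTEM hive because chntpw itself asks for it in the output reproduced further down.

```shell
#!/bin/sh
# Added example: locate <mount>/Windows/System32/config on a mounted Windows
# partition without depending on directory-name casing (XP uses WINDOWS,
# Vista/7 use Windows), then confirm the SAM and SYSTEM hives exist.
# The mount point is an assumption; substitute the one df -h reports.

# match_child DIR NAME: print the entry of DIR whose name equals NAME
# ignoring case (exact name only, so SAM does not match SAM.LOG).
match_child() {
    dir=$1
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry" | tr '[:upper:]' '[:lower:]')
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# find_config_dir MOUNT_ROOT: print the registry config directory, or
# print nothing and fail if the expected Windows layout is not there.
find_config_dir() {
    w=$(match_child "$1" Windows) || return 1
    s=$(match_child "$w" System32) || return 1
    match_child "$s" config
}

# check_hives CONFIG_DIR: print "SAM_PATH SYSTEM_PATH", or fail if either
# hive is missing. chntpw needs SYSTEM as well as SAM to deal with syskey
# (see the "SYSTEM hives not loaded" warning in the output below).
check_hives() {
    sam=$(match_child "$1" SAM) || return 1
    sys=$(match_child "$1" system) || return 1
    printf '%s %s\n' "$sam" "$sys"
}

# Usage: ./find_hives.sh /media/disk   (hypothetical script name)
if [ $# -ge 1 ]; then
    cfg=$(find_config_dir "$1") || { echo "no Windows/System32/config under $1" >&2; exit 1; }
    check_hives "$cfg" >/dev/null || { echo "SAM or SYSTEM hive missing in $cfg" >&2; exit 1; }
    echo "cd '$cfg' && sudo chntpw SAM system"
fi
```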
Paste in the command sudo chntpw SAM to change the Administrator account password.
If, instead, you want to change a particular username’s password, use this command instead:
Either way, you should see a whole bunch of cryptic terminal output:
Hive's name (from header):
ROOT KEY at offset: 0x001020
* Subkey indexing type is: 666c
Page at 0x7000 is not ‘hbin’, assuming file contains garbage at end
File size 262144  bytes, containing 6 pages (+ 1 headerpage)
Used for data: 243/19072 blocks/bytes, unused: 11/5312 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username:
RID: 03ec, Username:
RID: 01f5, Username: , *disabled or locked*
RID: 03e8, Username: , *disabled or locked*
RID: 03eb, Username:
RID: 03ea, Username: , *disabled or locked*
---------> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
comment : Built-in account for administering the computer/domain
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
** LANMAN password not set. User MAY have a blank password.
** Usually safe to continue
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
At this point, you’ll be prompted to enter a new password. Enter an asterisk to make it temporarily blank (you can always change the password to something else once you’re back in Windows).
Do you really wish to change it? (y/n) [n] y
Hives that have changed:
Write hive files? (y/n) [n] : y
0 – OK
Confirm the changes (with the letter y for yes) twice when prompted, and you should be done.
Now if you reboot into Windows XP, you can log into the Administrator account with an empty password.