If you have forgotten your administrator password for Windows, you can use a Ubuntu Linux live CD or live USB to reset the password. This tutorial will show you how to do that, step by step.
There are many ways to get Ubuntu Linux. You can find more details about that here.
If you run into any problems or have any questions, the folks at the Ubuntu Forums are very helpful and friendly.
I will not be answering any support questions posted as comments here.
Step 1: Boot up Ubuntu
With the Ubuntu CD in your optical drive or with the Ubuntu USB plugged into your computer, make sure your BIOS is set to boot from CD or USB before your hard drive. You can usually enter your BIOS settings by pressing F1, F2, F9, F10, F12, Esc, or Del during bootup, depending on the kind of computer you have.
After Ubuntu boots up, you’ll be asked if you want to try Ubuntu or install it. You definitely want to just try it at this point.
Step 2: Install the password reset software
Installing software on Ubuntu is a bit different from installing software on Windows. Instead of going to a website to download setup files, you just tell the software package manager what you want installed, and it fetches it for you off some servers. It’s a lot like the iTunes App Store or Android Market.
This does assume that you have a working internet connection (wired preferred, but wireless can work, too). If, for some reason, your internet connection isn’t working on the computer you want to reset the password for, you can also download the chntpw .deb using another computer, transfer it over via USB, and then double-click it to install it.
First we want to make sure we have the proper software sources enabled to install chntpw.
Go to System > Administration > Software Sources
Make sure both the Universe and Multiverse repositories are checked (or “ticked,” if you’re not American). Click Close and then, when prompted, click Reload.
Wait for the information about available software to reload.
Go to System > Administration > Synaptic Package Manager
(Note: to those of you who have installed software in Ubuntu before, you actually do—at least as of Ubuntu 10.04—have to go to Synaptic to install chntpw. You can’t install it through Ubuntu Software Center).
Press Control-F or click on the Search button to get the search dialogue up. Then search for chntpw.
(Note: you may be tempted to type chntpw into the search filter but it won’t show up there, since Synaptic hasn’t had time to rebuild the search index for quick filtering.)
Once chntpw pops up in the search results, right-click it and select Mark for Installation.
Click Apply, and then, when prompted, click Apply again.
Wait for the Synaptic to download and install chntpw.
Step 3: Mount your Windows drive
In order for you to reset your Windows password, you have to make the Ubuntu live session know that your Windows drive is available for use. This process is called “mounting.”
To mount Windows, just click on Places and then select your drive. It will be listed by the size of the drive (in this example, 80 GB).
Step 4: Reset your password
chntpw is a terminal-based (not point-and-click) application, so to use it, we’ll have to open up a command-line terminal. Don’t be intimidated. I’ll walk you through the process.
To open the terminal, go to Applications > Accessories > Terminal
I’m going to be offering a lot of explanation for those who aren’t experienced with the terminal and commands, but if you want to just skip over all that stuff, feel free to just pay attention to the terminal commands and ignore the explanations.
First, you’re going to cd (change directories) to the right Windows directory.
Start typing cd /media/ and then hit the Tab key, and it’ll autocomplete with the address of your mounted Windows drive.
Then type W and hit Tab again to get to either Windows (Windows 7) or WINDOWS (Windows XP). Yes, the terminal is case-sensitive, so upper- and lower-case matters!
Type S or s and hit Tab again to get System32 or system32 (again depending on whether it’s Windows 7 or Windows XP—I forget which it is for Windows Vista).
And do the same for config.
Tab completion makes things a lot simpler, so you don’t have to type every single word out. It also avoids the whole typo issue, in case you aren’t a good typist.
Once you’ve gotten to cd /media/name-of-your-windows-drive/Windows/System32/config or cd /media/name-of-your-windows-drive/WINDOWS/system32/config, hit Enter.
You should then type in sudo chntpw -u username SAM, where username is your actual username. For example, if your username is susan, it should be sudo chntpw -u susan SAM
After you type that in, hit Enter, and you’ll see a whole bunch of terminal output, most of which you can ignore:
Hive
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not ‘hbin’, assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 260/20240 blocks/bytes, unused: 9/4144 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 10
Minimum password length : 4
Password history count : 4
| RID -|———- Username ————| Admin? |- Lock? –|
| 01f4 | Administrator | ADMIN | dis/lock |
| 01f5 | Guest | | dis/lock |
| 03e8 | susan | ADMIN | |
———————> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
RID : 1000 [03e8]
Username: susan
fullname:
comment :
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 4 members)
Account bits: 0x0214 =
[ ] Disabled | [ ] Homedir req. | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 10
Total login count: 100
This part is important, though:
1 – Clear (blank) user password
2 – Edit (set new) user password (careful with this on XP or Vista)
3 – Promote user (make user an administrator)
(4 – Unlock and enable user account) [seems unlocked already]
q – Quit editing user, back to user select
Select: [q] >
I would highly recommend typing 1 to blank the password instead of editing the password. After you type that, hit Enter, and you should see
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] :
Type y and hit Enter to confirm the change. Once you see
then you’re done.
Now you can reboot, and you can log into your admin account with a blank password. Once you’re logged in, you can go to the Control Panel to change your password to something else—something you can remember.
If you’re curious, you can see an older version of this page.
Fantastic tutorial. I knew there was a simpler solution, with all of these Linux CDs I have lying around.
you took your time to give a detailed explanation, even a computer dummy can do this, i’ve spent 3 days now on the internet downloading several softwares that never worked or that wanted my credit card until i landed on this page.
NOTE: windows 7 users, i had to use ‘sam’ NOT ‘SAM’ before it gave way and there i was in authority and without mercy or compassion, i cleared the goddam password
I cannot find system32 in my cd /media/Vista
Scrap that last comment, I cannot do ‘sudo chntpw -u username SAM’ without it saying openHive failed: No such file or Directory, trying read-only. openHive in fallback RO-mode failed: no such file or directory.
Right… I’ve completed the whole process, but when I try to log into my account on vista (32x) a blank password doesn’t log me in; the hint has gone, and I did select clear password. Can anybody help me?
Awesome instructions, worked perfectly. might have to use lower case letters for sam
LOWERCASE sam fixed my problem. KEEP THIS IN MIND IF IT’S NOT FINDING YOUR SAM FILE.
hello , sorry , l not speak English very well so, i use chtnpw version 0.99.6.2 on Ubuntu 10.10 but it not clear my password window.
The error is :the parameter 1 no give nothing results ;then parameter 1 give tutorial “password clearest” please help me
Thanks soo much man. I really appreciated your tutorial.
Thanks a ton for the detailed explanation and the snapshots. My life is back to normal because of you mate.
I used Ubuntu 12.04 and things were a little different here but was able to manage.
Thanks to ‘john stapleton’ for hinting that the Dell requires double boot up.
This did NOT work for me. Please help.
When I try to logon to Windows Server 2003, I get this error:
“The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.”
What I see in Ubuntu 12.04:
$ sudo chntpw SAM
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0xa000 is not ‘hbin’, assuming file contains garbage at end
File size 262144 [40000] bytes, containing 9 pages (+ 1 headerpage)
Used for data: 364/31768 blocks/bytes, unused: 6/4808 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 7
Password history count : 7
| RID -|———- Username ————| Admin? |- Lock? –|
| 01f4 | Administrator | | dis/lock |
| 03ee | ARRNET | | |
| 03f7 | District | | dis/lock |
| 01f5 | Guest | | *BLANK* |
| 03f2 | ABC_SNGL-DVM | | |
| 03eb | DEF_SNGL-DVM | | |
| 03ec | XYZ_SNGL-DVM | | |
| 03f0 | ProSys | | |
| 03e9 | SUPPORT_xyz | | |
———————> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It’s currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 2, while max tries is: 0
Total login count: 5
– – – – User Edit Menu:
1 – Clear (blank) user password
2 – Edit (set new) user password (careful with this on XP or Vista)
3 – Promote user (make user an administrator)
4 – Unlock and enable user account [probably locked now]
q – Quit editing user, back to user select
Select: [q] > 1
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 – OK
Thank you ! chntpw is a very good utility. I used & get 100% result.
my file was “sam” lowercase
I am trying to find the password to my windows account by using this. Or just reset the password. i think my computer is running Windows Vista. However, the Terminal is not autocompleting…how can i fix this? Or how can i find the address of my harddrive? Thanks
Hey, Courtney. When you’re in the terminal, try typing df -h to see the address of the hard drive.
Also, keep in mind that the paths to folders are case-sensitive. So if it’s an uppercase and you’re typing lowercase, it won’t autocomplete.
I hope that helps.
after enter
“sudo chntpw -u Angel-Pc SAM”
it give me message
[sudo] password for angel:
and when i enter any character from keyboard it’s didn’t wrote on screen
i have windows 8 not windows 7
Hi ubuntucat,
I had the same problem as the user lifestyle, because chntpw cannot disable syskey! What can I do?
hello all today i planed to buy “windows password key protection” but when i seen your tutorial it quite nice and i tried it by god sake all is well thanks for an nice stuff and all the best.!!
Really thanks, you save my day.
I own you a beer!
when i am typing cd /media/ and hit tab it not completing the line pls help i want to crack windows8 password
how i get windows name if i cracking windows 8 password
hi there, thanks for the tutorial.
on my windows 7 machine, the path I find is
/media/70***************/Windows/system
I can’t find a /system32/ or a config after that.
can you tell me where else that config file could be? or where else /system32 directory could be?
Thanks!
Jesse
Dude! Thanks! Saved my bacon! I needed that self-installer package link since I was running Ubuntu off the CD drive only!
Tiens je pensais rédiցer un ρetit article semblable à celui-ci
Good tutorial.Good program. Got problem… and reason was that SAM was in lower case. After that,done. Thnks
please somebody help its very urgent the mount is unsuccessful telling windows is hibernated and access is denied ??
windows 8
Thank you very much for this tutorial.
Thought I would leave my experiences on here in case its of any use as I had a few barriers not covered here:
I downloaded from http://www.ubuntu.com/download the ios file and saved it to usb stick, restarted laptop(kept missing the chance to boot using usb) quickly pressing esc (windows 7 laptop), boot options F9 (suddenly my computer does not need shift button for F keys, wasted 10 mins because of this) and picked Try Ubuntu option as I do not yet want to install Ubuntu. No probs with laptop as only one account and this was just test run. Because I had not installed, the universe part was done through “Software and Updates” and the synatic devices step was replaced by opening the terminal and typing “sudo apt-get update” Enter “sudo apt-get install chntpw” Enter “cd /media/ubuntu/name-of-your-windows-drive/Windows/System32/config” (note the ubuntu part) Enter “sudo chntpw -u Andrew SAM”
I was tasked with resetting admin password on computer used in my flats building, multiple accounts. Main issue was that I needed cd /media/ubuntu/Windows7/Windows/System32/config AFTER right clicking both system and window7 in SYSTEM and clicking mount for both. Another issue is space in username “Digital Co-ordinator”, solved by escape character “\ ” instead of ” ” and for some reason this time round I needed “sam” instead of “SAM”
I was careful not to be root or have command line starting # as I do not yet fully understand this stuff to minimise any risks.
This is still the best tutorial for ubuntu for this task though
It works like a charm! Thank you so much!
Right-clicked chntpw but “Mark for installation” is faded and unable to be clicked.
Not first problem this “guide” has thrown up.
Awesome, saved me loads of grief, worked for Server2003 had to add the full path of the mounted drive but it wasn’t difficult.
Thanks.
Thank You
Does this work with Windows 8 and Windows 10? If not, is there a solution?
It may not:
http://www.windowspasswordsreset.com/reset-forgot-windows-password/how-to-reset-windows-10-password-without-disk.html#solutin3
Actually, I just tested it on Windows 10, and it works fine.
Thank you so much bro I have been trying for two days and I done (I mean we) it.
this my first comment in any website be glad :D