If you ever have forgotten your password for the only administrative account on Windows or know someone who has, you know the experience can be infuriating. All is not lost, though, if you have a live CD handy. This page is an adaption of Reset a Windows password with Knoppix for Ubuntu. It has also been tested for Windows XP, Windows Vista, and Windows 7.
This tutorial assumes you know how to obtain and boot a Ubuntu CD. If you don’t, go here first.
Start off by booting the Ubuntu CD.
Select your language of choice and then Try Ubuntu without any change to your computer.
Once the live session has loaded, go to System > Administration > Synaptic Package Manager.
Once Synaptic Package Manager is open, go to Settings > Repositories. This will open the Software Sources window.
Once the Software Sources windows appears, make sure you check (or tick) the box next to Software restricted by copyright or legal issues (multiverse). Then click Close. You should get a warning about how you’ll have to reload the repositories to have your changes take effect.
So click Reload in Synaptic Package Manager and wait for the new information on what’s available for installation be updated.
Click Search and search for chntpw.
Right-click on chntpw and mark it for installation.
Click Apply and in the Summary window, click Apply to confirm that you want to apply changes.
Wait for the changes to apply, then click Close and then quit Synaptic Package Manager.
That method for installing chntpw assumes you have a working internet connection on the computer in question. If you don’t (or regularly do, but not when you boot the Ubuntu CD), you can also download chntpw from one of these mirrors, transfer it to the computer in question (via USB stick), and then double-click the download file to install it.
To mount (or make available for use) your Windows drive, go to Places and select the appropriate drive. In this case, my drive is an 8.7 GB drive. Yours will probably be different.
Then, go to Applications > Accessories > Terminal to use the command-line.
In most cases, I think the first mounted drive will mount to the /media/disk directory, so pasting this command into the terminal should get you into the right directory.
If not, you can try the command df -h to see where your Windows drive mounted to and substitute that directory path for /media/disk in the above command.
Note for Windows 7: the word Windows is not in all capital letters, so it would actually be cd /media/disk/Windows/System32/config/
AppEvent.Evt SAM software system.LOG userdiff.LOG
default SAM.LOG software.LOG systemprofile
default.LOG SecEvent.Evt software.sav system.sav
default.sav SECURITY SysEvent.Evt TempKey.LOG
Internet.evt SECURITY.LOG system userdiff
If you paste in the command ls, you’ll see a list of files in the directory, and one of them should be called SAM.
Paste in the command sudo chntpw SAM to change the Administrator account password.
If, instead, you want to change a particular username’s password, use this command instead:
Either way, you should see a whole bunch of cryptic terminal output:
Hive’s name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not ‘hbin’, assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 243/19072 blocks/bytes, unused: 11/5312 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username:
RID: 03ec, Username:
RID: 01f5, Username: , *disabled or locked*
RID: 03e8, Username: , *disabled or locked*
RID: 03eb, Username:
RID: 03ea, Username: , *disabled or locked*
———————> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It’s currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
** LANMAN password not set. User MAY have a blank password.
** Usually safe to continue
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
At this point, you’ll be prompted to enter a new password, you should enter an asterisk to make it temporarily blank (you can always change the password to something else once you’re back in Windows.
Blanking password!
Do you really wish to change it? (y/n) [n] y
Changed!
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 – OK
Confirm the changes (with the letter y for yes) twice when prompted, and you should be done.
Now if you reboot into Windows XP, you can log into the Administrator account with an empty password.
IT security people across the globe hate you now. But I love it.
Well, I’m going to blog a bit more about security through obscurity in a bit – probably early next week.
This isn’t really intended for people trying to break into someone else’s box. It’s really for people who have forgotten their own passwords and want to reset it.
Information is information, though. I don’t know if malicious people will get a hold of this, but I suspect people who really are intent on compromising other people’s systems have the resources to figure it out themselves anyway.
Even without blanking the admin password, the simple act of booting from a Live Linux CD (as demonstrated here) and mounting the Windows hard drive allows you to read/write anything on the hard drive. Thanks for letting me know about this particular tool though!
In response to the other comments, there’s two ways information like this can work if you’re talking about trying to break into another’s computer. the hacker is obviously going to gain a way to get the information they want, but it also makes the regular Joes more aware that this is possible, and then are more conscious of some problems
genius, thanks.
Or you can save about 20 minutes of you life and just download and burn the .iso image called ophcrack. When you boot from it, it automatically loads linux, and starts scanning for passwords for you. Depending on how many and how difficult the xp passwords are, it should only take about 5-10 minutes, and the person wanting the password doesn’t have to do anything except boot the disk.
Resetting a Windows password with Ubuntu doesn’t take 20 minutes, but thanks for mentioning another option. Options are good.
Thank you very much. This is very handy.
@Nick – Yes, thanks for the additional option but password cracking will take significantly longer than just resetting the password for any complex (non-dictionary) password. Of course, you can cut down the time with pre-generated rainbow tables. Either way, each option has it’s own advantages & disadvantages. The main advantage of cracking the password being that the user won’t on the system won’t know that anything at all was done. If you’re trying to be stealth, a password reset is kind of a dead giveaway.
To just dump the SAM table without having admin creds and crack on your own time without rebooting the Windows machine, I suggest that anyone interested look at USB Switchblade (Gonzor payload), here:
http://wiki.hak5.org/wiki/USB_Switchblade
There’s all sorts of other goodness in there such as installing VNC as a service, dumping stored Internet passwords, etc, all just by plugging in a USB drive without any user interaction.
Thank you Ubuntucat for this great tutorial. It helped me shave some time off building my “hacker keychain”, loosely based on Larry Pesce’s, here:
http://pauldotcom.com/wiki/index.php/Episode115
hi,
when i try this i get:
/media/Zin_/WINDOWS/system32/config$ sudo chntpw SAM
[sudo] password for xxx:
chntpw version 0.99.3 040818, (c) Petter N Hagen
openHive(SAM): File does not seem to be a registry hive!
Simple registry editor. ? for help.
get_abs_path: Not a ‘nk’ node!
[0] > q
any idea why??? thx
I have no idea what’s going on there. I did a Google search on that error message, and only two results came up, both of which seem to be the source code for the chntpw program.
@thomas
I have the same problem. On a lark I copied one of the files to my girlfriend’s Ubuntu system (same version, same updates) and was able to edit it there.
The difference? My computer is 64 bit, hers is not.
I filed a bug, please add whatever information you can:
https://bugs.launchpad.net/ubuntu/+source/chntpw/+bug/293809
i follow all the procedure, on ubuntu screen tells me password has changed or blanked. But i still can not log in to my windows, I even use other computers to try, 3 of my computer wouldn’t let me… please help!
I think this may be a little beyond me. You should post a thread on the Ubuntu Forums
does this work with windows vista????
Yes, it works for Vista, too.
More details here:
http://home.eunet.no/pnordahl/ntpasswd/
I can confirm it does work with Vista, as I just used it a few minutes ago to reset a password in a partition that would not be mounted with pnordahl’s boot CD.
hey …. thanks for the tips … works like a charm.
chntpw is only 120kb as so you dont have to download 450mb of ophcrack. i mean everybody has a ubuntu live cd handy right?
There is a cavet here.
Perhaps you should try running ‘SAM’ in small case.
sudo chntpw sam
Or else you will end up with errors like this
# chntpw SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
openHive(SAM) failed: No such file or directory, trying read-only
openHive(SAM) in fallback RO-mode failed: No such file or directory
closing hive SAM
Unable to open/read a hive, exiting..
SAM is definitely in uppercase. I’ve executed this tutorial exactly as written. I have also double-checked booted into Windows that C:\WINDOWS\system32\config\SAM is an uppercase directory.
Great article mate. it helped me to get out of the mess.
what to do when it’s xp 64 i get the same ‘not a hive’ error ?
When I do a Google search for that error message, I get only 12 results (including this blog entry), so I don’t think there’s a solution to it.
confirmed that chntpw doesnt work on x86_64,
use the static version from
http://home.eunet.no/pnordahl/ntpasswd/
wah !!!why wan use this method???so complex!!!
why dont use the eays way ??
I just tested it on Windows 7, and it works. WINDOWS isn’t all caps, though.
It worked like a charm!!! thanks a lot!!!
Daniele
This helped me a lot! Thanks.
Minor tip: On non-english winxp installs, you need to explicitly mention the adminstrator username, because it may have a different spelling.
For me
sudo chntpw -u Administrateur SAM
worked. [note the case, and the French username]
The best way it to try
sudo chntpw SAM
in a graphical terminal. If it fails, scroll up and see the list of users it spits out. That might give you an idea.
Hope it helps someone :)
cheers,
-A
Hi, great tutorial!
Can I translate and publish it on mi site, also linking the source informations?
Thanks!!
Tested on Windows7. It work when I set the blank passwd for Administrator. Non-empty passwd not work however it’s powerful enough ;). Great
Thank you. A lot.
Did the procedure on xp, deleting the administrator password. All seemed to work well, but some recent patch on xp will not allow a administrator account to not have a password. It ends the process during login and puts me back to the login screen. I then tried to go back in, and give the account a know password. The hard disk is no longer mounting, and I do not see the device. advise?
I got in to chntpw and tried to readd the password. It is now blank so it seems I can not readd the password. please advise…
This is really superb thing,
thank you very much.
Hey. Brand newbie. Just downloaded Ubuntu, because a friend told me I could do this. But I can’t find chntpw. I tried searching for it, but nothing is around. Help! Computer fubar at the moment! Need this to work!
Ok, fixed. User error, as normal. Got all the way to the use of the chntpw. it gives me 5 options, and the first says to blank the password. I chose 1. then accepted all the prompts, and backed out. When I reloaded XP, it still said my password was in effect. it didn’t work. I’ve tried it three times now and I can’t get it to work. It doesnt look the same as what you have pictured, but it still tried to implement. not sure what I’m doing wrong, but I am a lowly Windows user, not a linux ninja, and all I can do is look around and beg help.
I just tried this procedure with an old (at this point in time) Ubuntu 8.10 live disc. When I tried to install chntpw using Synaptic, no results were returned from the search. My newer (permanent) Ubuntu system’s package manager was able to find chntpw, however.
I tried a couple of other searches, and was about to manually edit the repository list files when it occurred to me to try apt-get. I opened a terminal window and entered
sudo apt-get install chntpw
and it was able to locate and install the program. (Apparently chntpw was there but had been deselected). When I mounted my XP partition and ran chntpw to blank out my own account’s password it worked like a charm.
So, if Synaptic doesn’t find the package, try going into a terminal and using apt-get (you’re going to need to open a terminal window anyway).
Thanks!
As soon as I type “sudo chntpw SAM” I get this:
ubuntu@ubuntu:~$ sudo chntpw SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
openHive(SAM) failed: No such file or directory, trying read-only
openHive(SAM) in fallback RO-mode failed: No such file or directory
closing hive SAM
Unable to open/read a hive, exiting..
ubuntu@ubuntu:~$
Can someone help me?
Hey download the sourcecode and use chntpw.static if you are on xp x64. Cheers.
Worked a treat for me booting from a USB stick running crunchbang linux. I couldnt use the sudo chntpw SAM option but i was able to use the sudo chntpw -u SAM. I tried setting the password which didnt work, but choosing the option to blank the password worked perfectly
Thanks Ubuntucat!
For those with issues on x64 systems,
Try using the ubuntu-x.xx-desktop-i386.iso to reset passwords. It worked for me.
When i click reload i get a message that they cannot be found…. (for some reason this computer will connect to the wireless network by using a password but will not get on the internet and i suppose because of permissions it’s not visible on the other computers.) I’m using Ubuntu to accomplish this. Ubuntu is not installed it’s live. How do i get the thing on the internet. Again it’s connected to the wireless network and has a very good connection
For those of you who are having issues with the x64 architecture, I recommend installing the NEWEST version of the software and following the directions from the ntpasswd website here:
http://pogostick.net/~pnh/ntpasswd/README.txt
Good luck and happy hacking.