How to reset a Windows password with Ubuntu

If you have ever forgotten the password for the only administrative account on Windows, or know someone who has, you know the experience can be infuriating. All is not lost, though, if you have a live CD handy. This page is an adaptation of Reset a Windows password with Knoppix for Ubuntu. It has also been tested for Windows XP, Windows Vista, and Windows 7.

This tutorial assumes you know how to obtain and boot an Ubuntu CD. If you don’t, go here first.

Start off by booting the Ubuntu CD.

Select your language of choice and then Try Ubuntu without any change to your computer.

Once the live session has loaded, go to System > Administration > Synaptic Package Manager.

Once Synaptic Package Manager is open, go to Settings > Repositories. This will open the Software Sources window.

Once the Software Sources window appears, make sure you check (or tick) the box next to Software restricted by copyright or legal issues (multiverse). Then click Close. You should get a warning about how you’ll have to reload the repositories to have your changes take effect.

So click Reload in Synaptic Package Manager and wait for the information on what’s available for installation to be updated.

Click Search and search for chntpw.

Right-click on chntpw and mark it for installation.

Click Apply and in the Summary window, click Apply to confirm that you want to apply changes.

Wait for the changes to apply, then click Close and then quit Synaptic Package Manager.

That method for installing chntpw assumes you have a working internet connection on the computer in question. If you don’t (or regularly do, but not when you boot the Ubuntu CD), you can also download chntpw from one of these mirrors, transfer it to the computer in question (via USB stick), and then double-click the download file to install it.

To mount (or make available for use) your Windows drive, go to Places and select the appropriate drive. In this case, my drive is an 8.7 GB drive. Yours will probably be different.

Then, go to Applications > Accessories > Terminal to use the command-line.

cd /media/disk/WINDOWS/system32/config/

In most cases, I think the first mounted drive will mount to the /media/disk directory, so pasting this command into the terminal should get you into the right directory.

If not, you can try the command df -h to see where your Windows drive mounted to and substitute that directory path for /media/disk in the above command.

Note for Windows 7: the word Windows is not in all capital letters, so it would actually be cd /media/disk/Windows/System32/config/

AppEvent.Evt SAM software system.LOG userdiff.LOG
default SAM.LOG software.LOG systemprofile
default.LOG SecEvent.Evt software.sav system.sav
default.sav SECURITY SysEvent.Evt TempKey.LOG
Internet.evt SECURITY.LOG system userdiff

If you paste in the command ls, you’ll see a list of files in the directory, and one of them should be called SAM.
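
The directory lookup above, as an added helper script that is not part of the original tutorial: it finds the config directory however Windows, System32 and config are capitalised, and copies SAM aside before any edit, since chntpw writes the hive file in place. The function names, the .pre-chntpw suffix and the script name in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Function names and the
# .pre-chntpw backup suffix are assumptions made for this sketch.

# find_config_dir MOUNT
# Prints the <windows>/<system32>/config directory under MOUNT that holds a
# SAM hive, matching names case-insensitively (WINDOWS/system32 on XP,
# Windows/System32 on Windows 7). Returns 1 when no hive is found.
find_config_dir() {
    root=${1%/}
    dir=$(find "$root" -mindepth 4 -maxdepth 4 -type f -iname sam 2>/dev/null |
        while IFS= read -r hive; do
            rel=${hive#"$root"/}
            case $(printf '%s' "$rel" | tr '[:upper:]' '[:lower:]') in
                (windows/system32/config/sam) dirname "$hive"; break ;;
            esac
        done)
    [ -n "$dir" ] && printf '%s\n' "$dir"
}

# backup_hive CONFIG_DIR
# Copies the SAM hive to SAM.pre-chntpw next to it and prints the backup
# path. An existing backup is kept, so the first copy stays the pristine one.
backup_hive() {
    hive=$(find "$1" -maxdepth 1 -type f -iname sam | head -n 1)
    [ -n "$hive" ] || return 1
    bak="$hive.pre-chntpw"
    [ -e "$bak" ] || cp -p "$hive" "$bak" || return 1
    printf '%s\n' "$bak"
}

# Usage: sh find-sam.sh /media/disk   (script name and mount point are examples)
if [ "$#" -eq 1 ]; then
    cfg=$(find_config_dir "$1") || { echo "no SAM hive under $1" >&2; exit 1; }
    bak=$(backup_hive "$cfg") || { echo "backup failed" >&2; exit 1; }
    echo "hive directory: $cfg"
    echo "backup kept at: $bak"
fi
```

If the edited hive turns out to be unusable, copying SAM.pre-chntpw back over SAM from the live session restores the original state.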

sudo chntpw SAM

Paste in the command sudo chntpw SAM to change the Administrator account password.

If, instead, you want to change a particular username’s password, use this command instead:

sudo chntpw -u username SAM

Either way, you should see a whole bunch of cryptic terminal output:

chntpw version 0.99.3 040818, (c) Petter N Hagen
Hive’s name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x7000 is not ‘hbin’, assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 243/19072 blocks/bytes, unused: 11/5312 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username:
RID: 03ec, Username:
RID: 01f5, Username: , *disabled or locked*
RID: 03e8, Username: , *disabled or locked*
RID: 03eb, Username:
RID: 03ea, Username: , *disabled or locked*

———————> SYSKEY CHECK Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)

***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It’s currently in mode = -1, Unknown-mode

SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!

RID : 0500 [01f4]
Username: Administrator
comment : Built-in account for administering the computer/domain
homedir :

Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0
Total login count: 0
** LANMAN password not set. User MAY have a blank password.
** Usually safe to continue

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged

At this point, you’ll be prompted to enter a new password. Enter an asterisk to make it temporarily blank (you can always change the password to something else once you’re back in Windows).

Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y

Hives that have changed:
# Name
Write hive files? (y/n) [n] : y
0 – OK

Confirm the changes (with the letter y for yes) twice when prompted, and you should be done.

Now if you reboot into Windows XP, you can log into the Administrator account with an empty password.