Reset Windows passwords with the help of Linux

One cost-effective and reliable way to reset a Windows password is to keep a copy of Linux with you and use the chntpw application.

You have lost your Windows password(s) and cannot log in to your machine. If you have a rescue disk, you should be okay. If not, you might have to turn to Linux for help.

The method I describe in this tutorial works whether or not the Windows machine dual boots with Linux. If the machine in question does not dual boot, you will need to download a live edition of a Linux distribution (I prefer Ubuntu for the task) and burn that ISO image to a disc (you could also put the Linux distribution on a USB drive). Either way, you will need to boot into Linux to recover your password.

Step 1: Boot into Linux

Put the burned disc in the drive (or boot from USB) and boot into the Live edition of Linux. You should use the standard Live session.

Step 2: Find the Windows partition

Open Nautilus (the GNOME file manager) and follow these steps:

  1. Hit the Ctrl-L key combination to open the Location bar (Figure A).
  2. Enter the string "computer:///" (no quotes).
  3. Locate the drive (or partition) that contains your Windows installation.
  4. Right-click the Windows drive icon and click Mount.
  5. Double-click the icon to open the Windows drive (or partition) and make note of where the drive is mounted (it will be listed in the location bar).

Figure A

The drive in question on my system is the far left icon.

Step 3: Get to the command line

It's time to open a terminal window and begin (or continue) your journey into the Linux command line. You must install the small tool called chntpw. To install this application, issue the command: sudo apt-get install chntpw (the live session needs a working network connection, because apt-get fetches the package from the Ubuntu repositories). With that application installed, you are ready to go. Follow these steps to get the password changed:

  1. Change into the directory containing Windows with the command cd /PATH/TO/WINDOWS (/PATH/TO/WINDOWS is the full path where your Windows drive is mounted, as noted in Step 2).
  2. Change into the Windows/System32/config directory.
  3. Issue the command sudo chntpw SAM.

You should now see the chntpw screen (Figure B). Here you have five options:

  • Clear user password
  • Edit user password
  • Promote user (make user an administrator)
  • Unlock and enable user account
  • Quit

Figure B

You do not want to make changes here, because this could wipe all users' passwords; make sure you are working with a specific user.

Enter "q" for quit. We're going to make sure we are working with a specific user. To list all users in the SAM file, issue the command sudo chntpw -l SAM. As you can see in Figure C, my name is listed as one of the users.

Figure C

This listing will also tell you how many failed login attempts have been made.

To work with a specific user, issue the command sudo chntpw -u "USER NAME" SAM (USER NAME is the actual username). If the username is only one word, you will not need the quotes. If the username is a full name, place it within quotes or the command will not work. Once you are back in the edit screen, do the following:

  1. Type "2" (no quotes) to go into edit mode.
  2. Type the new user password.
  3. Hit the Enter key.
  4. Type "y" (no quotes) followed by Enter to write the file.

Your Windows user password should now be changed. Reboot into Windows to make sure the edit worked. If it did not work, go through the steps once again and, this time, blank the password instead of editing it. To blank the password, do the following:

  1. Enter the edit screen for the specific user.
  2. Type "1" (no quotes).
  3. Hit Enter.
  4. Type "y" (no quotes).
  5. Hit Enter.

At this point the user account should have no password. You can reset the password once you successfully log in to Windows.
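As an added example, not code from the article or from the chntpw project, the following shell script wraps Steps 2 and 3 from the mount point onward. It locates the SAM hive below a mounted Windows partition without depending on how the Windows, System32 and config directories are capitalised (NTFS mounted on Linux is case-sensitive, and installs differ), it checks that chntpw is actually installed before trying to run it, and it then only lists the accounts with chntpw -l, which is the read-only step. The mount-point argument, the function names and the behaviour when chntpw is missing are my own assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): locate the SAM hive under a
# mounted Windows partition and list the accounts it contains with chntpw -l.
# Assumes the partition was mounted as described in Step 2 and that the
# mount point is passed as the first argument.

# Case-insensitive lookup of one path component inside a directory. NTFS
# mounted on Linux is case-sensitive, and Windows installs vary in how
# "Windows", "System32", "config" and "SAM" are capitalised.
find_component() {
    dir="$1"
    want="$2"
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        if [ "$(basename "$entry" | tr '[:upper:]' '[:lower:]')" = "$want" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# Print the path of the SAM hive below a mount point, or fail (exit 1)
# if any component of Windows/System32/config/SAM is missing.
find_sam_hive() {
    root="$1"
    windows=$(find_component "$root" windows) || return 1
    system32=$(find_component "$windows" system32) || return 1
    config=$(find_component "$system32" config) || return 1
    sam=$(find_component "$config" sam) || return 1
    printf '%s\n' "$sam"
}

# List the accounts in the hive (read-only, chntpw -l). Refuses to continue
# if chntpw is not installed, which is the usual cause of "command not found"
# on a freshly booted live CD.
list_sam_users() {
    hive="$1"
    if ! command -v chntpw >/dev/null 2>&1; then
        echo "chntpw is not installed; run: sudo apt-get install chntpw" >&2
        return 2
    fi
    sudo chntpw -l "$hive"
}

# Only act when a mount point is given on the command line, e.g.
#   sh find-sam.sh /media/ubuntu/Windows   (hypothetical mount point)
if [ "$#" -ge 1 ]; then
    hive=$(find_sam_hive "$1") || { echo "no SAM hive found under $1" >&2; exit 1; }
    echo "SAM hive: $hive"
    list_sam_users "$hive"
fi
```

Editing or blanking a password is still done interactively with sudo chntpw -u "USER NAME" on the hive path the script prints, exactly as described above; the script deliberately stops at listing so that nothing is written by accident.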

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

29 comments
astromandan

I'm trying this with Windows 8 and I'm not finding windows/system32/config. Have they changed the location in Windows 8?

baldpatches

A concise and practical article for a common dilemma... more like this please!

Bill_M.

Nice article although for the non-computer savvy people like me the Offline NT/2000/XP/Vista/7 Password & Registry Editor which is similar would be easier to use as you don't need to issue commands from the Terminal. I wonder if these methods will still work on Windows 8.

frank.vansevers.ctr

Everything works as advertised until #3, "Issue the command sudo chntpw SAM": I get back "cannot find chntpw". What am I missing? I am booting from CD. Thanks in advance. /s/ Frank in Florida

Zeroangelmk1

I use Ophcrack as my first tool to reset passwords since it simply cracks the password and shows it to you in plain text (chntpw is my fallback method). Getting the existing password and using that (instead of overriding it with chntpw) ensures that files that are encrypted with EFS do not become unreadable. In my experience, Ophcrack using the 'free' tables that come with the LiveCD has about a 50% chance of cracking passwords -- often within 10 minutes. You can buy larger and more advanced tables that have a higher success rate, and it's probably a good idea if you have to do a lot of password cracking/resetting. I, personally, use a linux distro loaded on a portable HDD with Ophcrack, chntpw, clonezilla, and a lot of other little recovery tools. It's fast (orders of magnitude faster than a flash drive) and versatile.

miken5678

So even accounts that are encrypted, once the password is reset/removed, they can still be accessed? I ask as I won't encrypt the account if it is this easy to gain access to everything. I assumed the password was used as part of the encryption key in winxp.

tolubalogun

If asked to explain Linux in a word, I'll say Freedom. This is totally cool Jack. Yatha!

cummingsc

I use a similar tool for resetting of passwords called Trinity rescue kit which uses a linux kernel. I find it quite useful and there is no need to use any command line tools. Just thought that I would share this with you.

voxel.jorz.xssi

I've been doing this trick for a while. I used to install Ubuntu on a flash drive and download the chntpw utility. I just install this utility after booting from Ubuntu. Ubuntu on a flash drive can also be used as a USB-bootable system to recover files from a corrupted Windows system. Nice trick!

Dragonner

I actually removed the hard drive and used it as a back-up drive then removed key elements in the file sections which are used to house the password keys. Once they are deleted there is no more password block-out.

hazmoid43

This CD boots linux and will work with most versions of Windows. Created by Peter Nordahl-Hagen.

hmf1860

Useful and interesting.

RechTepublic

Good article Jack! I have used l0phtcrack for password recovery but I can't afford to upgrade to a newer version so I am looking for alternatives. To those viewing this post: Please DO NOT respond any further to this thread. (he he)

HAL 9000

Knoppix but that's just me. Col ;)

wizard57m-cnet

"TR members do not assist in password recovery or removal. Do not respond to this thread. We, the members of TechRepublic - A Resource for IT Professionals, will not assist anyone in the recovery/removal of lost passwords. You may have a legitimate reason to recover/remove a password. However, we cannot verify your motives and will therefore not assist anyone in what may be an attempt at gaining unauthorized access to a computer system. Due to the open nature of this forum, any assistance given to help circumvent security measures, even for legitimate purposes, would be available for unscrupulous individuals to use for illegitimate purposes. This is a risk that we, the members of TechRepublic, will not take. Please do not ask questions of this nature on TechRepublic. If you have a legitimate need to circumvent a password scheme, please contact the vendor for the software / hardware and request their assistance. E.g. Windows XP password recovery/removal issues should be taken up with Microsoft's technical support, Phoenix BIOS password recovery/removal issues should be taken up with Phoenix Technologies, hard drive password recovery/removal should be taken up with the manufacturer of the hard drive, etc... To those viewing this post: Please DO NOT respond any further to this thread. This template has been released under the GNU public license and you are encouraged to use it as a standard reply for questions of similar nature, provided that you make any modifications available to other users."

wizard57m-cnet

chntpw is one of the modules in the Slax repositories, I would think other distributions have it. Might try searching for it using whatever internet search engine you prefer (Bigpoint, Google, Bing, Ask, etc.)

voxel.jorz.xssi

I used to download chntpw and install it from the live CD.

Neon Samurai

As pgit suggests, this tool should not work with full disk encryption. It relies on being able to see and mount the Windows partition to see/read/modify applicable files. If you encrypt the hard drive then boot a liveCD it'll report that there is a hard drive physically installed but without any readable partitions detected on it. You could additionally password protect the BIOS and disable booting from CD and removable media. All three mitigate the risk of someone using a boot tool to reset your password but I say "additionally" because only disk encryption protects against simply popping the drive out and copying the password database to take home and crack. (edit): Pgit mentions separate encrypted user accounts. Just for clarity, encryption needs to include your c:\windows directory tree which contains your password database (SAM). It doesn't matter if your individual user areas are encrypted since the passwords would be outside of that protection.

pgit

I don't think this works with encrypted partitions/accounts. I may be mistaken but I've always assumed the password is part of the hash, and losing it means losing whatever is encrypted.

wizard57m-cnet

even gets rid of those nasty Adobe hidden directories and files!! ;)

Neon Samurai

If this is regarding TR's decision to post the information then I would suggest that it does not apply. The bad guys already know this stuff; it's no benefit to them. This simply gives the good guys who don't already know it a chance to catch up to the infosec nerds and criminals. If this is regarding the expected inflow of "hep me break password" posts then endorsed fully.

pgit

Hands down it's the thinnest, fastest, most compatible live system I've found. It also defaults to 'absolute-dictator' level permissions, you are the God of the machine you're running Slax on.

CharlieSpencer

primarily because that's what we've switched to at work. It makes it easier on my feeble brain cells if I use the same tool across the board.

wizard57m-cnet

In Windows, I still use ZDNet's Password Pro... I've had it forever it seems, but it still works quite well. I've still got the old 16 bit Windows 3.1 version, hehe! On my newer XP and 7 machines I use the 32 bit version. I don't have a 64 bit system, yet, so not sure if Password Pro 32 works with those.

Neon Samurai

It's the obvious choice probably but it's also the liveCD/USB I usually have handy.