Video: Reset Windows passwords with the Offline NT Password and Registry Editor

Don't let lost or forgotten Windows account passwords frustrate your users. In this IT Dojo video, Bill Detwiler shows you how to quickly reset local account passwords, including Administrator, with the open-source Offline NT Password and Registry Editor.

Windows passwords are a necessary evil. They help protect our systems, but they can also be a real pain in the neck. Employees leave, IT workers quit, IT consultants fail to properly document deployments. Regardless of the cause, you're left with a locked account and perhaps a locked system.

In this IT Dojo video, I demonstrate how to quickly and easily reset local account passwords, including Administrator, on most Windows systems. The Offline NT Password and Registry Editor is a Linux-based utility that can reset passwords on Windows NT-based systems that use NTFS, including Windows NT, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The tool creates a boot environment through which you can reset passwords via a series of text menus. The Offline NT Password and Registry Editor isn't the most polished utility, but it is effective.

Cracker tool?

Before anyone starts flaming me in this post's discussion for sharing "Cracker advice", let me make the following point. It is possible for unscrupulous individuals to bypass security measures with tools such as this. But, there are also plenty of legitimate, work-related reasons to reset a Windows password. The Offline NT Password and Registry Editor is just another tool in the IT professional's arsenal.

Use the tool at your own risk!

There are also risks associated with using this tool. As it is editing the Windows registry, the Offline NT Password and Registry Editor could easily render a system unbootable and even destroy existing data. This is especially true of accounts that use the Encrypting File System (EFS).

For more information on using this tool, read Erik Eckel's article, "Reset lost Windows passwords with Offline Registry Editor." From the article page, you can print Mark's review, save it to your TechRepublic Workspace, e-mail it to a friend or colleague, and even Digg it.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

101 comments
jhudgel

I have a problem that maybe someone can help me with.... I tried to use this to reset my password but it's telling me that it can't find any user accounts! I've been trying to figure out what happened to my computer for about a week now and can't figure it out. Here is what happened before I found it messed up.... I have Windows XP Home Edition and it was working fine with one account, which was the administrator acc. My wife wanted to put this program on the comp for my 4-year-old which would give him a logon and only let him play his games. This program is called "kiddesktop". After doing this it worked fine; he would log on to his to play and when I needed the comp I would log on to mine.... Worked for about a week, give or take... One morning I woke up, tried to log on, and it asked me for a password with my son's user name in the user name!! I've never had a password to get on my computer, ever. I have tried everything including this program and I can't even find the existence of my user accounts. I've tried to boot in safe mode to get to the administrator acc; still no accounts. I've pressed Ctrl+Alt+Del x2 and all it does is come up with the same logon with my son's name in the user name and needing a password. I've run a repair of Windows and pressed Shift+F10 and entered nusrmgr.cpl to get to the control panel and no users are there!? Is it possible that my son deleted the accounts? Maybe the program my wife put on for my son corrupted the accounts? Any help would be nice. I really don't want to run a full reinstall but it's looking like I may have to. Please email me at jhudgel@aol.com if you have any advice. Thanks....

another avg joe

You rock, the step by step saved my bacon when my wife screwed up the password, (no really...it was her:)) Now she still thinks I can do no wrong!

tomspalding

What is the correct link to get this tool? toms@glassi.com

Minion

recognized the screenshot. It worked great! Had to read the FAQ before I could get it to work fully. It can specify a password, but only if the password is blank to begin with. So just blank it out 1st. Also, didn't realize that to back out and save changes the command changes at one point to [!] and earlier in the program command is q for quit. -corey

roseray_22

Hello, does anyone have an idea how I can translate TechRepublic? Please.. Thanks..!!!!!!!!!!!

arturo

This video is a saviour. One employee quit the next day after installing a new computer without leaving word of the password he used!!

AressIndia.com

Really, this is a very cool tool. It should always be kept in the toolbox of any support person, along with an emergency boot CD.

gdpklipp

Excellent Video. I've been reading and following Bill D's articles, posts, tutorials, etc for many years now, as well as other Tech Republic greats. GREAT STUFF!!! Very helpful and educational for an IT Technician such as myself. Keep 'em coming!!! Geo

sudu.mlk

This is a very nice tool.. thanks!!

rmohammed210

If you have a BIOS password and the CD-ROM is not set as the first boot device, and no removable devices are set, what then?

gelfling6

I've used the utility to unlock a few accidentally locked systems.. I did, however, run across one system it wouldn't work on... I can't remember the exact Dell model, but it has the "Hole" in the front of the case (making it look like an abstract Suitcase.) The Internal HD was a SATA, and internally, it was some kind of USB host, using a USB-to-SATA adaptor. The utility could not find the drive.. Only way around was removing the drive, and plugging it onto a dedicated SATA interface card on another machine. Then, once reset, put back into the original machine. The utility is not 100% fool proof, as Bill says, You do run the risk of "Kentucky-frying" the registry. I obtained the utility from Sourceforge on their "Ultimate Boot CD" project, which comes in handy for people who lock their system, and suddenly develop amnesia, or their kids get the wild idea of overthrowing Mom & Dad's computer. (Don't laugh. I had someone call, because their 12-yr old son decided revenge on them for grounding him was to lock up their family computer. (Applying a password lock to EVERYONE, including the father who needed to get business documents sent. He ended up changing dad's password, Mom's password, and his brother's password.) A quick boot with the CD, reset the father's password to blank, reboot, let it do an integrity check (You DO actually alter the registry, and it needs to confirm.) and Dad was back in business.. Son lost his privileges to the computer as well. I got called back when the other passwords were found invalid.

vuongt

Bill, I enjoy and think your video presentation is very effective, i.e. clear and concise, especially for IT workers like myself who have little time to learn about simple/convenient tools such as this. Please continue the good work on IT DOJO! Thanks, PS - I'm a new reader/viewer of IT DOJO

sbostedor

If you're on a network and need to keep all of your passwords the same, you can use a tool like Bozteck VENM Console (http://www.vncscan.com). It can change the Administrator password remotely across all of your computers at once. Of course, it won't get you out of a bind where you lost the admin password like the one in the article will but it can help prevent the situation by keeping the passwords standard.

jozhall

Why not just use Ophcrack?? It's a lot more user friendly and it doesn't make any changes to the drive which means that there is limited risk involved. It uses rainbow tables to crack the passwords. http://ophcrack.sourceforge.net/

cjscullyca

I've never had an issue with a system that was a member of one of our domains. Log in as domain admin or enterprise admin and change the passwords for local system accounts you need to change via the computer management snap in. I have been able to do this even when the system was disconnected from the domain using cached credentials for my domain admin account. Of course if the system is not part of a domain, this type of tool becomes a vital part of a network administrator's toolkit.

scottweible

Great! Thanks! We forgot the password to an old system that we were trying to get rid of, but didn't want to give it away not knowing if we had really cleaned the drive well. So, this saved us having to take our computer to some "Geek" and pay them to do exactly this!

mgodinez

Very good tutorial. However, I'm running into the following problem. Here's a cut/paste from another forum that I posed the question to: I'm having a problem w/ UBCD 4.11. I'm using it to boot a windows vista home client. The user has locked out his admin. account. I'm trying to reset this password (or clear it) from the UBCD utilities. I'm able to load and launch the NT Password reset utility. It discovers the volumes w/ the following warning/error: Mounting from /dev/sda1, with file system type NTFS. NTFS volume version 3.1. NTFS - fs warning (device sda1): load_system_files ( ): Unsupported volume flags set. Mounting read-only. Run chkdsk and mount in windows. MOUNT NTFS FOR WRITING FAILED! If disk is dirty or has ? flags (see error messages above) Pls. reboot windows into safe mode & shut down properly twice. Then come back here and try again. I've rebooted into safemode and shut down properly twice, to no avail. Is there a way to run chkdsk and mount the volume using the UBCD v. 4.11? Thanks in advance for any help... Any ideas? Regards, Mike G. Seattle, WA

robert

Thanks Bill -- just so happened you posted this just when I needed it, and I definitely would have been stymied by the very end!

giantgene

Hey Bill, I can never watch your videos as it's always jumpy, which really sucks

janduine

Is this program also useful in the event that for some kind of reason suddenly my Windows (XP Home) logon program tries to logon to a domain with the same name as my local PC. In vain, because there is no and never was, such domain. So I have to change the logon program in such a way that it tries again to logon to a local computer.

dave

I've also been using this tool for a few years and it rocks. While I partly agree with the collusion/CYA theory mentioned above, I think more likely that this reaction is a result of ignorance rather than profiteering. This whole stage of our technological advancement is still in its infancy. It's like we skipped ahead and now we don't know what to do with what we've created. If only Gary Kildall were still around.

Lee Tampkins

Yet another tool in the bevy of password breaking utilities. Very similar to Active Password Changer (http://www.password-changer.com) which we have used with great success. I'm not so fast to say that the days of the password as a front-door security measure are fading away (it still keeps most would-be black hats away). However, it is clear that a biometric, encryption key, or similar method is ripe for mass deployment.

No User

First, Great tool!!! Good job Bill. My point is how anal security regulations have become and if you don't follow some organization's policies and best practices then you are viewed as inept and irresponsible. I'm all for security and a definitive best practices guide just not the anal enforcement and blind following of it. This truly backs my position that no matter what you do if it's turned on it can be hacked and all the hubbub is merely a gigantic profit making political BS. Its intent is to shield you from law suits not make your network impenetrable not to mention all the folks that cash in on this stuff. We need guaranteed security which can be done but would take a radical across the board re-write. That would make an operating system just that software that operates hardware and stands in the middle between hardware and applications and not a monstrosity that is designed to choke the life out of an industry while creating the most gigantic monopoly the world has ever seen. All the while making a handful of people filthy rich. It would be great to take the best practices from all the big dog organizations and pair them up with tools like this just to show what a farce it really is. The intent is clearly not for air tight security it's to profit and to do so by threat of legal action one way or the other.

marvinator2003

I work in the IT dept handling several hundred laptops and desktops statewide. I've been using this utility for several years and recommend it often. It's perfect for when some user has locked themselves out, or forgotten a password, or any number of other reasons that you cannot easily get into the system. It should be used, as stated, with care and by a tech who knows what they are doing, but it has yet to let me down.

jdclyde

You mentioned Sata, how about Raid controllers? Have been seeing quite a few motherboards that have raid built into the SATA, on-board.

nberlanga_cvg

I prefer Ophcrack 2.0, it actually recovers the password.

TexasJetter

As I recall this technique will work only for local accounts on a machine. It will not work on accounts authenticated via a domain controller. Of course if you have a domain controller and can get to it you can always reset the password for a given account in Active Directory. But what can you do if you do not know the administrator account password for AD? I had a friend the other day that was in desperate need to log on to their Domain Controller, but the consultant that set up the machine was out of town, and he never told them the admin password.

emerem2tor

... by removing the battery for a few minutes, or by using jumpers for CMOS Clear. Once the password is gone set the CDROM to boot before the HDD. It doesn't need to be the "first boot device", as you said, just one before the HDD.

Neon Samurai

If that's the case, booo.. I was hoping they'd leave it with the rest of the Sysinternals tools. Meh, I have other tools though I hope they are soon updated for Vista.

emerem2tor

...but it doesn't work the same on all machines. For example on my multi-boot machine (XP and 2003) cannot crack SAM for the domain controller and it gets confused about other partitions, too; it can see them, but not crack. On Vista (there is other ophcrack special for Vista) didn't work, either. I guess it might be with security settings. I also tried to use it on a laptop with SafeGuard Easy 4.11 and it didn't see the disk at all. I think SafeGuard encrypts the MBR, or just BR, or MAT (master allocation table), or all together and I am afraid that if I try to repair MBR I'll screw up everything. No need to mention that the user who uses the laptop forgot the password for SafeGuard

emerem2tor

The tool everybody is talking about is ONLY for local user accounts, not for the domain users. The domain SAM is located on DC. Only a domain admin, or a delegated person with such rights can logon onto DC. "I have been able to do this even when the system was disconnected from the domain using cached credentials for my domain admin account" Yes, it works, only if the domain admin has previously logged on to that machine at the time it was connected to the domain. If the domain admin did never logon to that machine, it won't be possible to log on to it and run the utility if the machine is disconnected from the domain.

ivybean19

Mike: I am having the same problem you described in this post. Did you figure out how to solve the issue? Any help is greatly appreciated. Thanks!

Bill Detwiler

I apologize for the jumpy video. I experience the same problem on high-traffic days (Tuesday, Wednesday, and Thursday). We've spoken with our engineers about the issue. I'm sincerely hopeful that we'll soon have an improved player and more video bandwidth.

giantgene

I can never watch any of your vids as it's so off and on it's unbearable, jumpy video

john.light

So you think local logons/passwords are a "best practice" on nt/2k/xp/vista? With very little effort and not much $ you can find and implement best practices at your organization and not make a handful of people filthy rich. I find comments such as yours that basically say "people who take security seriously are anal because there is always a way around it" as coming from someone who is either stupid, ignorant, or has bad intents.

Neon Samurai

I've seen too many companies where the policy is outdated or completely removed from the currently understood best practices for improving security. My system security is to keep systems from being breached or minimize the effects when (not if) they are rather than to appease any minimum standards avoiding lawsuits. I agree in part with what you're saying, the big companies that do the bare minimum to appear responsible through false security while still hemorrhaging client data and hardware are no better than the companies that leave themselves wide open through apathy.

Bill Detwiler

Unfortunately, I don't have a first-hand answer. I have never used the tool on a machine that uses a RAID configuration. If I get a chance, I'll see if I can find a test machine running a RAID configuration to test the tool on.

chawly

Might have been a super idea to ask the said consultant. As a consultant myself, I often find that there is just no way to pass the information on. Quite often I find that the lads of the village have gone home before the end of my day. Even more often, I find that there is no place to leave the doc. - I leave knowing that they don't have the information to continue. This leaves a bad taste in my mouth.

richardp

To reset the admin password on the domain, you'll need to access the Active Directory / Domain Controller machine. You should be able to run the password reset as a local user on that machine to regain access. (Of course, the domain will be down while working on it..) Next time:
* Have a back door such as another user with admin access.
* Create password recovery disk(s).
* Pray for wisdom that this doesn't happen again (I know a case where the only admin knowing the password went into a coma in a car wreck; that was no help..).
p.s. Physical access is key to security, but identity validation becomes an increasing concern as remote access becomes ever more available and beneficial.

jdclyde

about handing off projects to people outside the company and not staying up on what they are doing. The day the controller was set up, someone in the IT department should have been working WITH the consultant instead of waiting for the job to be finished.

No User

"people who take security seriously are anal because there is always a way around it" as coming from someone who is either stupid, ignorant, or has bad intents." You are so far off it's impossible to point you in the right direction!!! Yet another clueless, sarcastic screw driver wielding PC Tech. Go back to your stool and turn some screws. Thinking is above your pay grade.

No User

To have an outside resource verify your IT policies/plans and perform both penetration and vulnerability scans both internal and external. Which of course you need to do every quarter with a major Risk Assessment every other year which is now up from once every three years. So you need all the policies and plans like Information Security Incident Response Plan, Disaster Recovery / Business Continuity Plan, Business Impact Analysis, Information Security Policy, Internet Policy, Pandemic Response Plan, Network & Internet Usage Policy and any Regulatory Policies and Plans, the list goes on and never ends. All these need reviewed and approved by a qualified/certified outside interest and then board approved and then audit approved and where applicable regulatory approved. The latter two are done annually and also with the Risk Assessment every two years. This doesn't take into account all of the security products and training for those products and any additional service and support like annual maintenance plan renewals. Nor does it include anything outside of IT like social engineering and so on. Oh yes and you need all of your Switch, Router and Security products (like Firewall, IPS/IDS, Proxy etc...) configurations reviewed and approved as well every 3 months. We are a small concern and we have dropped about half a mil in the last year and more yet to come in the next year and of course it's the gift that keeps on giving just like venereal disease. Did I mention that I find it all to be a bit overrated and a profiteering enterprise!!!

Neon Samurai

Today, everybody is entitled to my opinion! :) I believe the raid controller in SATA motherboards operates in the hardware layers. You should be good as long as you use something that supports SATA and hardware raid. That may rule out this specific tool but others updated more regularly have already been named. I too would be curious to hear what you find when you get a chance to test though.

emerem2tor

The software everybody is talking about here is to unlock a computer using the local administrator account by hacking into the registry using a bootable CD under a Linux-like environment. It has nothing to do with AD, domain administrator, or even a domain user on the local machine. All this info is stored in SAM in DC. A DC machine only accepts for logging on users, which are domain administrators, or delegated users with such rights (logon to the DC). However, if the domain administrator has previously logged on to that machine, his credentials are cached under his profile on \Application Data\Microsoft\Credentials folder. That info can be further hacked using other software (I'm not going to tell you which one!) to find out the domain administrator password. But, if the admin has meantime changed his password, which is a good practice to do, the info in Credentials folder is obsolete by now.

richardp

Thanks for the reference. Can't look at it now (using IE), but look forward to it... Appreciate the responses everybody. p.s. some sort of backup is what's important (temporarily giving another person the sole admin pw counts). You're all right about level of risk management --> The rule to consider... what results and what recourse does the company have if you suddenly become unavailable.

TexasJetter

Thanks for the link, I will put it in my bag of tricks. I took the time to read through his page, even his rants at the bottom. They are hilarious! Little gems like "If you send a question and it falls into the 'brain-dead' category, you will not be answered .. or lost with out a mouse." make for a good read.

emerem2tor

As per my knowledge, you cannot logon to the domain controller as a local user, only as domain administrator, or delegated person with such rights.

Neon Samurai

One account with admin rights is too many already but it's the minimum you can get a usable machine out of. Get the admin credentials from the third party consultant rather than assuming they'll be there to hold your hand all the time. A professional consultant should have handed off the Admin account info to the applicable level of IT or the business owner if it's that small a business. The consultant could also have provided a backup contact while they were away. A professional IT staffer should have been watching the consultant to understand what they were setting up and asked for the admin info if it wasn't offered. (It's my machine, I'm sure as heck going to know the account info. Especially if it's the system at the core of my network.)

No User

"And this makes you feel inadequate?" Once again You are so far off it's impossible to point you in the right direction!!! Yet another clueless, sarcastic screw driver wielding PC Tech. Go back to your stool and turn some screws. Thinking is above your pay grade. You have been a member since 2/06 and have made four cheesy posts two of which have sarcastically been directed at me. That is the mark of a TROLL. Congratulations troll.

john.light

And this makes you feel inadequate?

JCitizen

FireFox on Windows works just fine loading that web-page.

Neon Samurai

I'd have the classification of emergency validate getting the admin credentials from the vault or IT backup guy but security is my thing and one does need to realize the difference between irrational levels of policy and acceptable risk for their own situation. Changing the admin password regularly may also allow you to hand out an admin password for temporary access without opening a new account.

Manitobamike

You could drop in the account as needed but in the event of illness, cell phone problems, etc. you cannot always contact the one with the authority to create the second account so then what? My whole purpose of the second account is to have an emergency admin account. If I were really overly concerned with internal security I suppose it could be deleted and recreated weekly. I guess it all boils down to what level of risk is acceptable versus the amount of downtime that could occur.

Neon Samurai

It just gives me the willies leaving a second root account on the system. Can you reverse your approach and drop a second admin account in only when needed? I do the same for guest users even at home. I was away with family house sitting so adduser and whammo, a guest account that can make all its own cosmetic UI changes, make use of the installed software but not break anything.

Manitobamike

Having 2 admin accounts is not a big risk. In small companies having a backup access is almost a necessity. Always good to have an account that can be given to someone in an emergency then removed/reset after they are done. If you are on holiday and outside help is brought in for an emergency they can be given the credentials for the backup account and then you can delete it and recreate when you get back.