
Reset lost Windows passwords with Offline Registry Editor

Losing an administrator password to a Windows XP or Windows Vista workstation can cause a huge amount of headaches. Erik Eckel shows how you can use a Linux-based freeware utility to reset any Windows password on a system.

Misplaced passwords can render Windows systems useless. Minus a valid username and password, Windows boxes, and the data they contain, are essentially off limits.

The situation arises frequently. Users leave. Past consultants fail to document deployments. IT professionals quit.

Without documentation, accessing critical Windows systems and data becomes problematic. Despite numerous aspersions from the open source community, Microsoft’s NTFS file system delivers decent performance and security.

However, a free open source program often makes quick work of the problem, not by cracking Windows passwords but by resetting them. The Offline NT Password & Registry Editor presents a potential option for obtaining access to locked-out Windows NT-based systems. Here's how you can use it to recover lost passwords on your Windows systems.

The Offline NT Password & Registry Editor

Offline NT Password & Registry Editor is a free Linux-based utility which, as the name suggests, works offline. The code creates its own boot environment: once you burn the ISO image to a CD-ROM, you'll have a tool at your disposal for resetting Windows NT, 2000, XP and Vista account passwords. You won't even have to know any of the current account user names or passwords on the system to make it work.

Instead, the utility detects user accounts and enables resetting the password to a value you decide. The application will even reset locked or disabled user accounts.

When you first boot the utility, you'll see the screen shown in Figure A.

Figure A

The Offline NT Password & Registry Editor presents this menu upon booting.

Recognize The Dangers

As the name suggests, the utility edits the Windows registry. Further, it does so in a way that is completely unsupported and voids any warranty and any Microsoft support.

In other words, you use the password-resetting software at your own risk. The Offline NT Password & Registry Editor could easily render a system unbootable. The unsupported program could also destroy existing data resident on a Windows system.

This is especially true if the Encrypting File System (EFS) has been used to protect sensitive data. The EFS key material is protected by the account's own password, and an offline reset, unlike a password change made from within Windows, leaves that material unrecoverable. In fact, if you use it to change the password on an account that has used EFS to protect files, it's unlikely those files can ever be recovered.

But, left to no other option, you may find the software is just what’s needed to break into a system for which passwords have been lost or misplaced.

Driver Issues

Using the Offline NT Password & Registry Editor requires that you place the CD in the system in question and reboot it. Once the utility starts, its initial boot screen will appear. Users should pay particular attention to the warning that appears, stating, “This software comes with absolutely no warranties! The author can not be held responsible for any damage caused by the (mis) use of this software.” Again, the utility should only be used as a last resort.

But computer professionals often find themselves faced with exactly such options of last resort. When such situations arise, and all other means of accessing the data (including removing the hard disk from the existing system and attempting to recover its data from another system) prove fruitless, the offline editor may well work.

In my experience, the most common issue I encounter is the lack of driver support for SATA controllers. The Offline NT Password & Registry Editor is frequently updated with bug fixes, and driver support is among the regular improvements the utility receives. That said, you may encounter situations where drivers need to be manually loaded as you can see in Figure B.

Figure B

The Offline NT Password & Registry Editor attempts to auto-load drivers based on information it discovers while booting.

When the program fails to locate active Windows installations, you can attempt to manually load disk drivers by entering m at the provided command prompt. Upon selecting m, you’ll be presented with an extensive menu of potential drivers, as shown in Figure C.

Figure C

You can select the drivers you need.

The password-resetting software doesn’t always recognize installed hard disks, as can be seen here. In this case, the utility doesn’t possess the necessary drivers to connect to a RAID installation. It’s for that reason that the software reports disk partitions don’t contain valid partition tables in this image.

Resetting Passwords

Once driver issues are resolved (in many cases the program’s auto-detection works without any trouble), you can connect to the system’s registry and make the necessary edits. With the proper drivers, the offline editor displays installed disks and resident disk partitions. You need to select the specific Windows installation you wish to edit by entering its partition number at the provided command prompt as shown in Figure D.

Figure D

Select the partition with Windows on it.

The offline editor breaks the process of resetting Windows passwords into several steps. Step One involves specifying the Windows installation and partition.

With the disk and partition selected, the utility then prompts users to specify the registry directory path to edit. The default is WINDOWS\system32\config. In most cases this default entry is correct. You need only press the [Enter] key to specify the default value.

Next, users are prompted to enter the task they wish to perform, as shown in Figure E. The offline editor provides three options: Password reset, RecoveryConsole parameters, and Quit. To reset passwords, enter 1 at the command prompt.

Figure E

Administrators should enter 1, for password reset, when prompted.

Upon selecting the password reset option, you’ll then be prompted to specify the action to perform. The options are:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To reset passwords, select 1 – Edit user data and passwords.

The utility will then display user information and password status. Specify the user account for which you wish to reset the password by typing the user account name and pressing Enter.

Once you specify the user, the utility requests that you supply a new password, as seen in Figure F. In my experience, supplying a blank password usually works best, and the utility’s publisher also recommends blanking the password. To supply a blank password, type an asterisk (*) and press [Enter].

Figure F

The password-cracking utility prompts administrators to specify the user account and provide a new password.

Upon specifying the new password (or blanking it out), the program prompts you to confirm you wish to make the change. Type a [Y] and press [Enter] to confirm you wish to complete the edit.

At this point it’s tempting to reboot the system and attempt to log in to the user account with the new (or blanked out) password. However, one last step remains. You must instruct the Offline NT Password & Registry Editor to actually write the edits to the Windows system registry.

The process becomes less than intuitive here. To complete it, you must quit the user-edit menu: typing an exclamation point [!] and pressing [Enter] leaves that menu and returns you to the main menu. Earlier in the process, [Q] is used to quit, so make note of the difference here.

After you do so, the utility will present a Main Interactive Menu. Several choices are presented:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To complete the password reset operation, enter [Q] to quit.

The program then prompts you to complete step four, which involves writing the edits to the Windows registry. To commit the password reset, type [Y] and press [Enter]. The program will write the change to the Windows SAM file and display an Edit Complete confirmation. At this point you can reboot the Windows system and, if the utility worked as designed, log into the user account using the password (or blanked password) you specified as part of step three.

Linux to the rescue

As you can see, if you don't have an administrator password for your system, all is not lost. The Offline NT Password & Registry Editor possesses the ability to penetrate locked-out systems and restore access to user accounts and data. However, the utility can just as easily destroy a Windows system’s data. For that reason, the tool should only be used as a last resort (and only on systems for which you possess complete ownership and/or administrative authority).

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

150 comments
tomas bob

I have tried to use Offline NT Password & Registry Editor but it doesn't work with my domain controller. At last I used another program - PCUnlocker ( http://www.pcunlocker.com/ ), and it works like a charm.

serk`

So what if the Path is not the default. I'm using this on someone else's computer, so I don't know what their path is, and neither do they. What to do? I can't change the password because I can't get past this step (Step 2, figure D)

OMGN00B

Well, my Windows 7 machine's user password begins and finishes with an '@'. Due to the bugged functions, I cannot change the password in any way and I cannot even make a password reset disk. This method should help me out of this.

ArrestLouis

I know another free alternative with a graphical user interface and wizard CD builder: Lazesoft Recover My Password.

amateur_girl

So I'm stuck on step 4. When I press Enter it just ends up like this: "#"

ron.dondelinger

Would be interesting to hear from anyone who has used Ophcrack with the more powerful Rainbow tables ( note that Tables XP Free is utilized on website's demo @ http://www.objectif-securite.ch/en/products.php ). Granted, Tables XP Free is only good for cracking alphanumeric -- and is impressive at that, by the way. But the limited/restricted Ophcrack is easily defeated by short and dirty NON-alphanumeric strings like a musical note or math equation or text-based emoticon, e.g. B# 3+5 :-) . Or just punch a spacebar space in front of the alphanumeric string. Back on topic: As for Offline NT Password and Registry Editor, I too have found that blanking the Administrator password is the most expedient route. I have yet to perform a password reset that has worked successfully.

thyssens

Why should I first delete my admin pwd to use a new one, if I can recover it with Ophcrack? My two cents.

shadymoon

I could have used this utility a few weeks ago when I could not get into Windows nor into safe mode. Luckily I had the install disk so I booted from that. Then I restored the registry to an earlier time. This was a little time consuming.

Minion

recognized the screenshot. It worked great on a Win2k box where no one knew what the local admin password was. We had taken it off the domain to troubleshoot, then couldn't log in anymore... Had to read the FAQ before I could get it to work fully. It can specify a password, but only if the password is blank to begin with. So just blank it out 1st. Also, didn't realize that to back out and save changes the command changes at one point to [!] and earlier in the program the command is q for quit, which was covered in the blog post. -corey

steve

I've successfully unlocked and reset all passwords for all accounts by using this tool on the SAM registry hive. However, these accounts can still not login. Is SAM the correct registry hive?

kwilson

My company's testbed computers are totally apart from our network. These testbed computers allow our trainers and field installers to train, practice and test. Occasionally someone will change a password for whatever reason, or do it as a joke to foil the next person. When the next person comes along the only recourse previously was to either re-image the drive or to blow out the partition and reinstall Windows. Now we just use this utility to blank the password and go on. It has definitely saved time. The only time we re-image the drive now is when we need to test something on a virgin install.

Neon Samurai

I'm sure most of the TR staff are tech heads but the few business-only managers must be happy as all heck with the page hits and ad display statistics on this one. I know I'd be having to go change my suit if I was a marketing/ad guy.

JBNForeman

Don't forget the password recovery utilities on http://www.nirsoft.net/ especially two that are particularly useful for network administrators. Given who reads these blogs, I assume we can take it for granted that we all know the lost password recovery methods documented in the MKB. That guy who said we're helping black hats by sharing good tips to cope with lost passwords has his head up his ass; any hacker who is at all dangerous already knows how to hack past basic password protections.

gerardhalloy

Not a bad tool for a hacker, a better one for a moron that can't keep his password memorized, even better for the idiot that hires people in IT and does not monitor what they are doing, a real miracle for the one that has Alzheimer's. What a man has to do to earn a living!

kokophone

Very, very nice one, but I wanna know how I can reset my password for Vista. Can I???

Jacky Howe

Correct me if I am wrong but it seems to me that Thumbs was trying to point out the fact that we as TR Members have decided that we would not respond to PASSWORD requests. Here is a senior TR Member offering detailed advice on how to reset passwords. Catch-22. Sort of makes us look like DICKHEADS doesn't it. One poster has already pointed out that they posted a request for help on a stuck in BIOS lost password and was told that TR doesn't support Hacking Passwords. All of those efforts by TR Members to try and tidy up the site to present a Professional image have gone down the gurgler. I can see no other reason for this post other than to attract revenue. If this is a revenue raiser for TR Management I suppose it will work. It will draw a lot of people to the site so that the ads can be displayed. I suppose when we get password requests from now on we can send them here. If they have any problems with the software they can contact Mark. http://blogs.techrepublic.com.com/window-on-windows/?p=639

Doug Vitale

At this step (the one in Figure D) you just hit 'Enter' to accept the default choice of Windows/System32/Config. If this isn't right, I have no idea why your friend's SAM file would be in a different location.

Neon Samurai

The Ophcrack liveCD is limited to its short tables. Grab or generate your own longer complex character tables and it'll eat more complex passwords alive. The only limitation is the tables available to run with. With the NT Password diskette, blanking is the best way to go unless it's a work machine where you just login to the AD admin account and change the local one that way.

seanferd

to reset a password than to wait for it to be cracked via rainbow tables. And the app is smaller. If, for some reason, you absolutely need to keep the original password, Ophcrack is a good option.

nusyaputera

Hi Steve, actually, I have tried this out. I downloaded the ISO file, burned it, and successfully reset all account passwords to blank!! mmffhh.. Did you save (write SAM) before quitting?

Ethical_Loner

I wonder how far-fetched it would be to play "black ops" and have a TR person actually write something inflammatory like this and get the old ad ball rolling? Or do you suppose there are actually ethical marketing people out there? Just a thought.

Dumphrey

Grrrrr......! I'm stuck in the office in this dern Panda Costume... Makes it hard to type. JK. But I think you said it very clearly. This forum title would get some decent hits.

Endoscopy

The need for this goes beyond your examples. You leave out other reasons that passwords are not available. The following has happened. IT person angry with the company leaves after he changes the admin passwords on the servers. IT person changes passwords and has an accident on the way home and is dead. Hacker gets into the system and changes passwords. Now what do you do? Wipe them out and start over?

Neon Samurai

We as visitors have decided that in the forums we will not respond to requests for how to break into computers since ownership of the machine cannot be verified. What TR staff do is between them and their management. Yeah, some of the forum visitors are staff but are we all not visitors under Beth's area of responsibility?

thyssens

But when you are in a network, you need to renew all policies...

Neon Samurai

Ophcrack is going to have the local admin password in ten minutes or so given the default rainbow tables that ship with it and length. If you're nine characters or more though, OPH's ntlm fast tables may not have the length for it. (Cain reads the same tables and does it in 7 char chunks if longer than 7 char). A password reset isn't going to care about the length or complexity of the previous password since it's replacing it, but you're futzing in the active registry. My personal approach is to start with OPH as it's less intrusive. If that fails I move on through other tools. Of course, all you need do is toss Truecrypt on the system and both tools are of no use. Now, if this is a business machine then the right thing to do would be to simply go in through the domain admin account and reset the local admin password like any other user.

bruce.chynoweth

Tried this but cannot get changes to save. The program actually warns me when it starts that it will not be able to save the changes....not sure why this is

Neon Samurai

And, I am sure it happens depending on the site. TR probably not so much. CNet.. well, the overuse of flash ads drove me away (and into the TR sub-site ironically).

Dumphrey

out there, as well as sales people with ethics. The question is, what ARE their ethics? (if you are a universal truth believer of ethics, please just overlook this, I would prefer to not have that argument)

paul53103

I work at a multinational company where equipment gets transferred between plants on occasion. Try to find out what country the equipment came from, never mind who set it up and what they set the password to. The computers are buried inside production equipment and the designers thought they would never fail so there was no need to be able to remove hard drives etc. The company is also going through bankruptcy so spending money on recovery software is out of the question. My Microsoft tech support has been cancelled. Now does anyone know how to do this on a system running OS/2 and shipped from England?

michaelsaltmarsh

Tested negative, popup alert no go go nothing like so much security that you get the "privilege" of viewing the internet line by line :P

Jacky Howe

won't beat the powers that be. We will just have to shut up and put up with it. That Blog has opened a Pandora's Box. It's the fact that we have been made to look like dickheads that worries me.

bobp

Hiren's v.9.9 works great. Version 10 won't work at all - boots up but keeps giving error messages when trying to run AV or anti-spyware programs from mini XP. It is from about a month ago 12/10/09 or so. May be fixed by now.

seanferd

It's come up as a repair tool used in the Questions forum on several occasions. I'd almost forgotten about all of Hiren's tools & whatnot before someone mentioned that he had the boot cd available when we were trying to troubleshoot the system. There's always something useful from Hiren. I've never messed around with Truecrypt, but encryption like that is bound to stymie most people trying to crack a password. :D

Neon Samurai

I have some select Sysinternals utilities as standard tools myself but I'm really itching to look at Hiren's boot disk. The program list on the website alone justifies a look. A boot disk with something like five AV programs along with the rest of it. Same problem that my other disk utilities have though; Truecrypt stops them dead in their tracks. I actually have a machine with an old Flash v6 ActiveX file that I can't delete since I can't boot a liveCD and wipe it out. File Assassin; no go. Move On Boot; nope. Safe Mode; nope. Delete as administrator; nada. Searched the registry for its activation; no such luck. Installed later versions of Flash; the browser uses them but the older file is still locked in place. I've even had a run at it with my list of malware scanners but it really is the Flash plugin.

seanferd

Especially on the corporate domain scenario. I do love my Winternals disk for dealing with XP, though. ;)

curso9d

Because if your log file is incomplete, it says it will not be able to save the changes. If you normally shut down your computer, the program saves the changes. The same happened to me; this program works.

Neon Samurai

"download our popup program and we'll pay you for letting our advertising run on your machine" Some people did it in res when I was in University and yup, the program that fooled it into thinking you were browsing as usual installed alongside it. I don't remember anyone being inventive enough to put it on other machines under their name though.

Dumphrey

they kicked out a kid for running all over campus and installing a little program that would click on his web page ads to increase his income. Did not need admin privs as best as I could tell. Google bombing also is very real. Merely starting a controversial or hot topic titled post is barely in the realms of conspiracy. I am a firm believer in the "if it can make someone money, it is..."

The Scummy One

:D Yuppers, you are... Adding the NT In the post itself, making us all open it up to find out nothing was there... You sure are!!! :^0

DNSB

What I'm getting the largest chuckle out of is the Sponsored Links segment at the bottom of the messages. At this point, it seems to have 7 links to sites about changing/resetting passwords.

The Scummy One

I only really read the title, and it didn't look bad. However, I just went and read the entire post, and I must agree that it was written very poorly and had much included hate.

The Scummy One

Reset lost Windows passwords with Offline Registry Editor as the title. If it was marked something like Edit registry with offline reg editor or fix system problems with offline reg editor or something else that didn't specify in the title the ability to break into a system... Ok, small rant over. When I first saw the article, my initial thought was much like T-up's, I saw T-up's post and moved along. The next day I ran into it again and saw all of the neg. responses, that is when I started replying a bit in this thread. Most responders that I saw yesterday were slamming T-up just for questioning the blog. Personally, I have no problem with the article, except the title. This kind of information Should be here, however it shouldn't be listed where it can easily be interpreted as cracking into a system. Each IT pro will read the title in different ways. Until a few years ago I would have read it as 'oh good, a review on a good util for deskside', now I see it as 'ah man, they are posting cracks'

Neon Samurai

Is still the blatant idea that hacking has anything to do with criminal intent or actions. This is like saying that every gear head is a getaway car driving, hit and run committing threat to society while ignoring the many people who tinker away happily with their kit car or drive responsibly at the local quarter mile track on a Saturday. My response was just as emotionally charged too so I'm really not the one to judge. His questioning TR as to why the article was posted is perfectly valid and he's obviously entitled to his own opinions. He could have expressed them in a far less heated way though. Other posts have managed to ask the same question without damning TR or those computer enthusiasts that delight so much in exploring what their owned technology can really do beyond manufacturer's user manuals. We all have free will and an article should not change how we've each personally chosen to respond to such questions. This article was just not enough for such a paradigm shift.

Neon Samurai

I think I'm having one now.. wait.. no.. it passed :D

The Scummy One

as I stated before, keep it business as usual or don't bother answering. If the OP's asking these questions understood how to search or google it, then they wouldn't be asking, right? If we do not provide links to these utils, then that is fine. If the OP's google it, it is easily available already, so should not be our concern. But it does (no matter what Beth says) make us look like a-holes, we are reminded of it periodically when long time posters question our posts not to help! So, what to do -- ignore/flame/mislead/have fun -- it all depends on what each of us decide on. But if we do not provide the help/links then, we, the individuals on TR, have a clear conscience, correct? I still don't think T-Up is wrong in the original post, especially for the amount of negative responses received.

Neon Samurai

We can choose to continue not making it easy for unverified requesters asking for help breaking into a system. We can also choose not to direct them to this forum, leaving them to find this or any other website source for the information on their own. It may not have been the best move on TR's part and the others who posted specific tool names and links are on their own to defend their replies but this all doesn't mean we have to give it up for the first person asking for help. I personally plan to continue not answering "how do I break into my friend's 'puter? It'll be funny" type questions in a productive and helpful way. If they find the information on their own then there's nothing I can do about it and I hope very much that it's for productive and legal intentions. "now remember, the screwdriver has to be exactly six inches from the top of the monitor and two inches left of centre.. " ;) I also was not aware of the potential harm this tool may cause to a system so I'm rather happy they did choose to run the article for that addition to my own knowledge.

Beth Blakely

There's a huge difference between people who read TR on a regular basis and people who swoop in and ask hacker/cracker questions. It doesn't make you guys look like anything. If thieves aren't smart enough to Google, that's pathetic, but a good thing. You telling them that YOU won't answer them is still a valid and professional response. This is NOT a game changing piece of content. I could point you to six others that have existed on the site for years.

w2ktechman

That was good. It is proof positive, I am a d1ckhead!!! :^0

w2ktechman

in principle at least :D However, being off topic, nobody would find it after the first few hours, so newcomers wouldn't know who us d1ckheads were.. :^0 Hey, I got post 69 :D

Jacky Howe

noticed that Thumbs reply has been marked as Spam. I read Beth's reply, she has her hands tied. I certainly wouldn't like to be in her position. Smack between a rock and a hard place. It certainly is a sad state of affairs. Maybe we could start a Dickheads club. :)

w2ktechman

she had no control in this area. And since she has booted people that started over this same topic, seems to put us all in a sad state.