Reset lost Windows passwords with Offline Registry Editor

Losing an administrator password to a Windows XP or Windows Vista workstation can cause a huge amount of headaches. Erik Eckel shows how you can use a Linux-based freeware utility to reset any Windows password on a system.

Misplaced passwords can render Windows systems useless. Minus a valid username and password, Windows boxes, and the data they contain, are essentially off limits.

The situation arises frequently. Users leave. Past consultants fail to document deployments. IT professionals quit.

Without documentation, accessing critical Windows systems and data becomes problematic. Despite numerous aspersions from the open source community, Microsoft’s NTFS file system delivers decent performance and security.

However, a free open source program often makes quick work of cracking Windows passwords. The Offline NT Password & Registry Editor presents a potential option for obtaining access to locked-out Windows NT-based systems. Here's how you can use it to recover lost passwords on your Windows systems.

The Offline NT Password & Registry Editor

Offline NT Password & Registry Editor is a free Linux-based utility which, as the name suggests, works offline. The code creates its own boot environment. Once you burn the ISO image to a CD-ROM, you'll have a tool at your disposal for resetting Windows NT, 2000, XP and Vista account passwords. You won't even have to know any of the current account user names or passwords on the system to make it work.

Instead, the utility detects user accounts and enables resetting the password to a value you decide. The application will even reset locked or disabled user accounts.

When you first boot the utility, you'll see the screen shown in Figure A.

Figure A

The Offline NT Password & Registry Editor presents this menu upon booting.

Recognize The Dangers

As the name suggests, the utility edits the Windows registry. Further, the application edits the registry in a completely unsupported way that voids both the warranty and Microsoft support.

In other words, the password-cracking software is used at your own risk. The Offline NT Password & Registry Editor could easily render a system unbootable. The unauthorized program could also destroy existing data resident on a Windows system.

This is especially true if the Encrypting File System (EFS) has been used to protect sensitive data. In fact, if you use it to change the password on an account that’s used EFS to protect files, it’s unlikely those files can ever be recovered.

But, left to no other option, you may find the software is just what’s needed to break into a system for which passwords have been lost or misplaced.
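One way to check for EFS-protected files before resetting an account, as an added example that is not part of the original article or the utility. It assumes the Windows volume is mounted read-only through ntfs-3g at a hypothetical /mnt/windows in a separate Linux live environment with Python, and reads the NTFS attribute flags that ntfs-3g exposes as the system.ntfs_attrib_be extended attribute.

```python
import os
import struct

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # NTFS flag set on EFS-encrypted files and folders
NTFS_ATTRIB_XATTR = "system.ntfs_attrib_be"  # ntfs-3g: attributes as 4 big-endian bytes


def read_ntfs_attrib(path):
    """Return the raw attribute bytes ntfs-3g exposes for path (Linux only)."""
    return os.getxattr(path, NTFS_ATTRIB_XATTR, follow_symlinks=False)


def is_efs_encrypted(raw):
    """True if the 4-byte big-endian attribute value has the EFS flag set."""
    if len(raw) != 4:
        raise ValueError("expected 4 attribute bytes, got %d" % len(raw))
    (flags,) = struct.unpack(">I", raw)
    return bool(flags & FILE_ATTRIBUTE_ENCRYPTED)


def find_efs_items(root, reader=read_ntfs_attrib):
    """Walk root and return (encrypted_paths, unreadable_paths), both sorted."""
    encrypted, unreadable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                if is_efs_encrypted(reader(path)):
                    encrypted.append(path)
            except (OSError, ValueError):
                unreadable.append(path)  # not NTFS, or attribute unavailable
    return sorted(encrypted), sorted(unreadable)


def efs_by_profile(root, encrypted):
    """Count encrypted items per first-level folder under root (one per profile)."""
    counts = {}
    for path in encrypted:
        profile = os.path.relpath(path, root).split(os.sep)[0]
        counts[profile] = counts.get(profile, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed mount point and XP-style profile folder; adjust for the system at hand.
    root = "/mnt/windows/Documents and Settings"
    found, skipped = find_efs_items(root)
    for profile, n in sorted(efs_by_profile(root, found).items()):
        print("%s: %d EFS-encrypted item(s) at risk if this password is reset" % (profile, n))
    print("%d item(s) could not be checked" % len(skipped))
```

A profile that shows a non-zero count is one where resetting the password is likely to make those files unrecoverable, so the data should be recovered some other way first.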

Driver Issues

Using the Offline NT Password & Registry Editor requires that you place the CD in the system in question and reboot it. Once the utility starts, its initial boot screen will appear. Users should pay particular attention to the warning that appears stating, “This software comes with absolutely no warranties! The author can not be held responsible for any damage caused by the (mis) use of this software.” Again, the utility should only be used as a last resort.

But facing options of last resort is often where computer professionals find themselves. When such situations arise, and all other means of accessing the data (including removing the hard disk from the existing system and attempting to recover its data from another system) prove fruitless, the offline editor may well work.

In my experience, the most common issue I encounter is the lack of driver support for SATA controllers. The Offline NT Password & Registry Editor is frequently updated with bug fixes, and driver support is among the regular improvements the utility receives. That said, you may encounter situations where drivers need to be manually loaded, as you can see in Figure B.

Figure B

The Offline NT Password & Registry Editor attempts to auto-load drivers based on information it discovers while booting.

When the program fails to locate active Windows installations, you can attempt to manually load disk drivers by entering m at the provided command prompt. Upon selecting M, you’ll be presented with an extensive menu of potential drivers, as shown in Figure C.

Figure C

You can select the drivers you need.

The password-resetting software doesn’t always recognize installed hard disks, as can be seen here. In this case, the utility doesn’t possess the necessary drivers to connect to a RAID installation. It’s for that reason that the software reports disk partitions don’t contain valid partition tables in this image.

Resetting Passwords

Once driver issues are resolved (in many cases the program’s auto-detection works without any trouble), you can connect to the system’s registry and make the necessary edits. With the proper drivers, the offline editor displays installed disks and resident disk partitions. You need to select the specific Windows installation you wish to edit by entering its partition number at the provided command prompt as shown in Figure D.

Figure D

Select the partition with Windows on it.

The offline editor breaks the process of resetting Windows passwords into several steps. Step One involves specifying the Windows installation and partition.

With the disk and partition selected, the utility then prompts users to specify the registry directory path to edit. The default is WINDOWS\system32\config. In most cases this default entry is correct. You need only press the [Enter] key to specify the default value.

Next, users are prompted to enter the task they wish to perform, as shown in Figure E. The offline editor provides three options: Password reset, RecoveryConsole parameters, and Quit. To reset passwords, enter 1 at the command prompt.

Figure E

Administrators should enter 1, for password reset, when prompted.

Upon selecting the password reset option, you’ll then be prompted to specify the action to perform. The options are:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To reset passwords, select 1 – Edit user data and passwords.

The utility will then display user information and password status. Specify the user account for which you wish to reset the password by typing the user account name and pressing Enter.

Once you specify the user, the utility requests that you supply a new password, as seen in Figure F. In my experience, supplying a blank password usually works best. The utility’s publisher also recommends blanking the password. To supply a blank password, type an asterisk (*) and press [Enter].

Figure F

The password-cracking utility prompts administrators to specify the user account and provide a new password.

Upon specifying the new password (or blanking it out), the program prompts you to confirm you wish to make the change. Type a [Y] and press [Enter] to confirm you wish to complete the edit.

At this point it’s tempting to reboot the system and attempt to log in to the user account with the new (or blanked out) password. However, one last step remains. You must instruct the Offline NT Password & Registry Editor to actually write the edits to the Windows system registry.

The process becomes less than intuitive here. To complete the process, you must enter the quit command. Typing an exclamation point [!] and pressing [Enter] quits the program. Previously in the process, [Q] is used to quit the process, so make note of the difference here.

After you do so, the utility will present a Main Interactive Menu. Several choices are presented:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To complete the password reset operation, enter [Q] to quit.

The program then prompts you to complete step four, which involves writing the edits to the Windows registry. To complete the password reset registry edit, type [Y] and press [Enter]. The program will write the change to the Windows SAM file and display an Edit Complete confirmation. At this point you can reboot the Windows system and, if the utility worked as designed, log into the user account using the password (or blanked password) you specified as part of step three.

Linux to the rescue

As you can see, if you don't have an administrator password for your system, all is not lost. The Offline NT Password & Registry Editor possesses the ability to penetrate locked out systems and restore access to user accounts and data. However, the utility can just as easily destroy a Windows system’s data. For that reason, the tool should only be used as a last resort (and only on systems for which you possess complete ownership and/or administrative authority).

By Erik Eckel

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...