Using chntpw to reset Windows accounts
I recently had to reset the password on some old Netbooks which had been unused for a few years. In the end I used chntpw and a Ubuntu live USB to unlock the Administrator account. This post is quickly going to go over how to do this.
Note: this will only work if full disk encryption like BitLocker is not being used.
Booting into Ubuntu
The first thing to do is create a live USB, this can be done with tools like Rufus, or command line tools like dd. If you're not familiar with the process there is a step by step guide on tutorials.ubuntu.com. Once you've created a live USB and booted from it you should get a menu similar to the following:
From here you should be able to select the
Try Ubuntu without installing
option and boot into a desktop environment:
Booting in text only mode
Unfortunately the Netbook I was working with was struggling to boot the full graphical environment. To get around this I did the following:
- Press F6 and enabled
splashfrom the boot options, this isn't strictly require but makes it easier to see what's going on if something goes wrong.
systemd.unit=multi-user.targetto the end of the boot options.
- Press Enter to boot the system.
- Finally log in as the
ubuntuuser, the default password should be blank.
Once you have a bash prompt,
chntpw can be installed with the following
sudo apt-get update sudo apt-get install chntpw
Next you will want to mount the main Windows file system. This can be done with a command similar to the following:
sudo mount /dev/sda2 /mnt/
Note: make sure you mount the correct partition.
sudo fdisk -l can be used
to check the partition table on available disks.
After the file system is mounted, switch to the
directory, if the directory isn't there, make sure you mounted the correct
You can now run the following command to start up
sudo chntpw SAM
If everything goes well you should see a menu similar to the following:
lubuntu@lubuntu:/mnt/Windows/System32/config$ sudo chntpw SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> File size 262144  bytes, containing 5 pages (+ 1 headerpage) Used for data: 247/19480 blocks/bytes, unused: 7/840 blocks/bytes. ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 2 members) Account bits: 0x0211 = [X] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 0 Total login count: 6 - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] >
To enable the
Administrator account, use the first option to clear the
password and the second option to unlock and enable the account:
Select: [q] > 1 Password cleared! ... Select: [q] > 2 Unlocked!
Finally quit using the
q option, make sure you save the changes to the hive
Select: [q] > q Hives that have changed: # Name 0 <SAM> Write hive files? (y/n) [n] : y 0 <SAM> - OK
Booting back into Windows
You should now be able to restart the system. Once it's booted you should be
able to login using the
Note: once you're in, make sure you update the Administrator account password to something that isn't blank!