Hack 75 Reset Lost NT Passwords 
If you forget a password for your
user on your Windows system (especially if the user is
administrator), your computer immediately becomes a paperweight.
It's like being locked out of your car without a
spare set of keys and without a way to contact a locksmith. Use
Knoppix as your locksmith to reset the password to a new value or
even completely erase it.
User accounts have an interesting history in Windows. The Windows 9x
series did offer usernames and passwords, but every user could
overwrite every other user's files, and the system
did not offer any real security. If you forget your password in
Windows 9x, resetting it is as simple as deleting a .pwd
file with a DOS disk. With Windows NT, 2000, and XP,
Microsoft has increased its user security by creating different user
accounts on the same system and passwords that protect them. However,
unlike in Windows 9x, if you forget your Administrator password, your
only recourse is to purchase a tool to reset your Windows password or
to reinstall Windows to create a new administrator account. If you
have a Knoppix disc, you can download and use the
chntpw
tool, which is a small program that lets you reset the local
passwords on a Windows system, and return to your system.
7.6.1 Get chntpw
The chntpw tool is part of the
ntpasswd package, which can be downloaded in
boot floppy form from its web site at http://home.eunet.no/~pnordahl/ntpasswd/.
However, this gives you a floppy image and requires that you mount
multiple loopback entries to extract the utility from the floppy
image to use under Knoppix. While you can simply create an
ntpasswd boot floppy, this means yet another
rescue disk to carry with you, and the beauty of Knoppix is that you
have access to all of your recovery tools in a single disc. Luckily,
the chntpw tool is now part of
Debian unstable, which means
that you can grab it directly from Debian's
repository.
You could use the apt-get wrapper that is included with Knoppix
to download chntpw. However, to be certain you
retrieve the latest version of chntpw, you must
first run apt-get update, which downloads about 10
times as much data per repository as the 85-KB
chntpw package. It saves bandwidth and time to
download the package directly.
You can get the latest chntpw package from
http://packages.debian.org/unstable/admin/chntpw.
Download the .deb to your
/home/knoppix directory. Most of the Knoppix
system is read-only, so you can't directly install
this package. Instead, you must convert it to a tar
file, and then extract out the chntpw
utility. Open up a terminal, and run the following commands:
knoppix@ttyp1[config]$ alien --to-tgz chntpw_0.99.2-1_i386.deb
knoppix@ttyp1[config]$ tar xvzf chntpw-0.99.2.tgz ./usr/sbin/chntpw
knoppix@ttyp1[config]$ mv ./usr/sbin/chntpw ./
Change the .deb and
.tgz filenames to match the
version of chntpw that you downloaded. This
command makes use of the alien utility, which
has the ability to convert files between .rpm,
.deb, and .tgz. This
conversion is necessary to extract only the
chntpw executable file. Once you are finished
with these commands, the chntpw utility is in
/home/knoppix and ready to use.
7.6.2 Reset the Password
To reset the password, you must have write permissions on the Windows
partition. If you have a
FAT or FAT32 Windows partition,
click on the drive icon on the desktop to mount it, then right-click on
the hard-drive icon and choose Actions > Change read/write
mode, or on the command line, type:
knoppix@ttyp1[config]$ sudo mount -o rw /dev/hda1 /mnt/hda1
Replace hda1 with your Windows partition.
If you have an
NTFS partition, follow the steps in
[Hack #73] to
mount the NTFS partition with write permissions.
Once the partition is mounted, you must locate the directory
containing the SAM file. For Windows 2000 and XP
systems, this directory should be located under
windows/system32/config or
winnt/system32/config. In this example, navigate
to the /mnt/hda1/windows/system32/config
directory, and notice a number of files, including ones called
SAM, SYSTEM, and
SECURITY, that may or may not be in all caps.
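To find the SAM hive without guessing at the directory layout or the case of the filenames, here is an added shell script (not from the book) that checks both the windows and winnt layouts case-insensitively and confirms the hive is writable before you run chntpw; the mount point /mnt/hda1 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: locate the Windows SAM hive under a
# mounted partition (e.g. /mnt/hda1), trying both windows/ and winnt/
# layouts and ignoring the case of every path component, then confirm
# the hive is writable so chntpw can save its changes.

# Print the entry in directory $1 whose name matches $2 ignoring case.
# Returns 1 if the directory is missing or has no such entry.
match_component() {
    dir=$1; want=$2
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        if [ "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" = "$want" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Walk <mount>/<root>/system32/config/sam for root in windows, winnt.
# Prints the hive path on success; returns 1 if no hive is found.
find_sam_hive() {
    mnt=$1
    for root in windows winnt; do
        cur=$mnt
        found=1
        for comp in "$root" system32 config sam; do
            next=$(match_component "$cur" "$comp") || { found=0; break; }
            cur="$cur/$next"
        done
        if [ "$found" -eq 1 ] && [ -f "$cur" ]; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
    echo "no SAM hive found under $mnt" >&2
    return 1
}

# chntpw must write the hive: a read-only mount produces the
# "openHive(sam) failed: Read-only file system" message shown later.
check_hive_writable() {
    hive=$1
    [ -w "$hive" ] && [ -w "$(dirname "$hive")" ]
}
```

Run `find_sam_hive /mnt/hda1` after mounting; if `check_hive_writable` fails, remount read/write before starting chntpw.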
Once you have navigated to this directory on the command line, reset
the Windows Administrator password by running:
knoppix@ttyp1[config]$ /home/knoppix/chntpw SAM
Remember that SAM is the name of the
SAM file in the directory, and may or may not be
all in caps. The default for this utility is to edit the
Administrator password, so there is no need to specify an account.
While you have the option to change the password to a different
value, it is recommended to just reset the password and then change
it when you get back into Windows. You can reset the password by
typing * instead of a password when prompted.
knoppix@ttyp1[config]$ /home/knoppix/chntpw SAM
chntpw version 0.99.2 040105, (c) Petter N Hagen
openHive(sam) failed: Read-only file system, trying read-only
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020
...output suppressed...
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
If you want to reset the password for a user other than
Administrator, list the users in the SAM file
with the -l option:
knoppix@ttyp1[config]$ /home/knoppix/chntpw -l SAM
chntpw version 0.99.2 040105, (c) Petter N Hagen
Hive's name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 218/16928 blocks/bytes, unused: 4/3392 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username: <Administrator>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Hives that have changed:
# Name
None!
This example has four users: Administrator, Guest, HelpAssistant, and
SUPPORT_388945a0. Pick the user you want to edit, and then run
chntpw with the -u option:
knoppix@ttyp1[config]$ /home/knoppix/chntpw -u username SAM
Once you change the password and save your changes, unmount the
filesystem and reboot:
knoppix@ttyp1[config]$ cd
knoppix@ttyp1[knoppix]$ sudo umount /mnt/hda1
When you boot back to Windows, the password should be blank, so you
can log in and change the password with the regular Windows
tools.