How to Reset Windows Password in Linux Rescue
If you lost your windows user password, you can boot into Linux Live CD or Rescue CD and reset your Windows password as follows. Most VPS and dedicated server providers have the option to boot your server into rescue mode.
Install required packages
|
1 |
apt-get install chntpw ntfs-3g |
Find the windows partition and mount it
|
1 |
mount -t ntfs /dev/nvme0n1p1 /mnt |
If you get error while mounting, see NTFS The disk contains an unclean file system.
Go to the directory where Windows Password is stored
|
1 |
cd /mnt/Windows/System32/config |
To list available users, run
|
1 |
chntpw -l SAM |
To reset the password for a user, run
|
1 |
chntpw -u USER_NAME_HERE SAM |
Select option 1
|
1 |
1 - Clear (blank) user password |
This will set the windows password for the user to blank.
Next select option 2.
|
1 |
2 - Unlock and enable user account [probably locked now] |
It will change to
|
1 |
(2 - Unlock and enable user account) [seems unlocked already] |
Select option q to quit.
|
1 |
q - Quit editing user, back to user select |
It will ask you to save changes, press “y” to save.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 |
root@vmi1255071:/mnt/Windows/System32/config# chntpw -u Administrator SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes. ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0010 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 19, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 1 Password cleared! ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0010 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 19, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 2 Unlocked! ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0210 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password (2 - Unlock and enable user account) [seems unlocked already] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > q Hives that have changed: # Name 0 <SAM> Write hive files? (y/n) [n] : y 0 <SAM> - OK root@vmi1255071:/mnt/Windows/System32/config# |
Now you need to log in to the server using the console, it won’t ask for any password. Once logged in, you can set a password for the user. You can’t log in using RDP with a blank password.
After the password reset, “chntpw -l SAM” will look like the following
|
1 2 3 4 5 6 7 8 9 10 11 |
root@vmi1255071:/mnt/Windows/System32/config# chntpw -l SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes. | RID -|---------- Username ------------| Admin? |- Lock? --| | 01f4 | Administrator | ADMIN | *BLANK* | | 01f5 | Guest | | dis/lock | root@vmi1255071:/mnt/Windows/System32/config# |
Back to Windows