How to Reset Windows Password in Linux Rescue

If you have lost your Windows user password, you can boot into a Linux live CD or rescue CD and reset the password as follows. Most VPS and dedicated server providers have an option to boot your server into rescue mode.

Install required packages

apt-get install chntpw ntfs-3g

Find the Windows partition and mount it

mount -t ntfs /dev/nvme0n1p1 /mnt

If you get an error while mounting, see “NTFS The disk contains an unclean file system”.

Go to the directory where the Windows passwords are stored

cd /mnt/Windows/System32/config

To list available users, run

chntpw -l SAM

To reset the password for a user, run

chntpw -u USER_NAME_HERE SAM

Select option 1

 1 - Clear (blank) user password

This will set the Windows password for the user to blank.

Next select option 2.

 2 - Unlock and enable user account [probably locked now]

It will change to

(2 - Unlock and enable user account) [seems unlocked already]

Select option q to quit.

 q - Quit editing user, back to user select

It will ask you to save changes, press “y” to save.

root@vmi1255071:/mnt/Windows/System32/config# chntpw -u Administrator SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive  name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes.

================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 1 members)

Account bits: 0x0010 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[ ] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 19, while max tries is: 0
Total  login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 1 members)

Account bits: 0x0010 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[ ] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 19, while max tries is: 0
Total  login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 2
Unlocked!
================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Administrator
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 1 members)

Account bits: 0x0210 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > q

Hives that have changed:
 #  Name
 0  
Write hive files? (y/n) [n] : y
 0   - OK
root@vmi1255071:/mnt/Windows/System32/config# 

Now log in to the server using the console; it won’t ask for a password. Once logged in, you can set a password for the user. You can’t log in using RDP with a blank password.

After the password reset, the output of “chntpw -l SAM” will look like the following:

root@vmi1255071:/mnt/Windows/System32/config# chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive  name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | *BLANK*  |
| 01f5 | Guest                          |        | dis/lock |
root@vmi1255071:/mnt/Windows/System32/config# 
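
To confirm which accounts were left with a blank password after the reset, the table printed by “chntpw -l SAM” can be parsed in the rescue shell. The script below is an added example, not part of the original post; the function names are made up for illustration, and the sample table is copied from the listing above so it runs without a mounted hive.

```shell
#!/bin/sh
# Added example. SAMPLE is the account table from the listing above,
# embedded so the script runs without a mounted hive.
SAMPLE='| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | *BLANK*  |
| 01f5 | Guest                          |        | dis/lock |'

# Read `chntpw -l SAM` output on stdin; print one tab-separated line per
# account: RID, username, admin flag, lock/password status ("-" if empty).
parse_chntpw_list() {
    awk -F'|' '
        # Data rows start with a hex RID; this skips the banner and header.
        NF >= 5 && $2 ~ /^ *[0-9a-fA-F]+ *$/ {
            for (i = 2; i <= 5; i++) gsub(/^ +| +$/, "", $i)
            printf "%s\t%s\t%s\t%s\n", $2, $3,
                   ($4 == "" ? "-" : $4), ($5 == "" ? "-" : $5)
        }'
}

# Print the usernames whose status column reads *BLANK*.
blank_accounts() {
    parse_chntpw_list | awk -F'\t' '$4 == "*BLANK*" { print $2 }'
}

# Exit 0 if the named account is listed as *BLANK*, 1 otherwise.
is_blank() {
    parse_chntpw_list |
        awk -F'\t' -v u="$1" '$2 == u && $4 == "*BLANK*" { ok = 1 }
                              END { exit !ok }'
}

# Demo on the embedded sample; on a rescue system use:
#   chntpw -l SAM | blank_accounts
printf '%s\n' "$SAMPLE" | blank_accounts | while IFS= read -r user; do
    echo "blank password, set one at first console login: $user"
done
```

Every account this reports should get a new password from the console before the server is put back into service.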
