If you lost your windows user password, you can boot into Linux Live CD or Rescue CD and reset your Windows password as follows. Most VPS and dedicated server providers have the option to boot your server into rescue mode.
Install required packages
apt-get install chntpw ntfs-3gFind the Windows partition and mount it
mount -t ntfs /dev/nvme0n1p1 /mntIf you get error while mounting, see NTFS The disk contains an unclean file system.
Go to the directory where Windows Password is stored
cd /mnt/Windows/System32/configTo list available users, run
chntpw -l SAMTo reset the password for a user, run
chntpw -u USER_NAME_HERE SAMSelect option 1
1 - Clear (blank) user passwordThis will set the Windows password for the user to blank.
Next select option 2.
2 - Unlock and enable user account [probably locked now]It will change to
(2 - Unlock and enable user account) [seems unlocked already]Select option q to quit.
q - Quit editing user, back to user selectIt will ask you to save changes, press “y” to save.
root@vmi1255071:/mnt/Windows/System32/config# chntpw -u Administrator SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes.
================= USER EDIT ====================
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
00000220 = Administrators (which has 1 members)
Account bits: 0x0010 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 19, while max tries is: 0
Total login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Unlock and enable user account [probably locked now]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
================= USER EDIT ====================
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
00000220 = Administrators (which has 1 members)
Account bits: 0x0010 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 19, while max tries is: 0
Total login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Unlock and enable user account [probably locked now]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 2
Unlocked!
================= USER EDIT ====================
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :
00000220 = Administrators (which has 1 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 15
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > q
Hives that have changed:
# Name
0
Write hive files? (y/n) [n] : y
0 - OK
root@vmi1255071:/mnt/Windows/System32/config# Now you need to log in to the server using the console, it won’t ask for any password. Once logged in, you can set a password for the user. You can’t log in using RDP with a blank password.
After the password reset, “chntpw -l SAM” will look like the following
root@vmi1255071:/mnt/Windows/System32/config# chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes.
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | *BLANK* |
| 01f5 | Guest | | dis/lock |
root@vmi1255071:/mnt/Windows/System32/config# Back to Windows
Leave a Reply