How to Reset Windows Password in Linux Rescue
If you lost your windows user password, you can boot into Linux Live CD or Rescue CD and reset your Windows password as follows. Most VPS and dedicated server providers have the option to boot your server into rescue mode.
Install required packages
apt-get install chntpw ntfs-3g
Find the windows partition and mount it
mount -t ntfs /dev/nvme0n1p1 /mnt
If you get error while mounting, see NTFS The disk contains an unclean file system.
Go to the directory where Windows Password is stored
cd /mnt/Windows/System32/config
To list available users, run
chntpw -l SAM
To reset the password for a user, run
chntpw -u USER_NAME_HERE SAM
Select option 1
1 - Clear (blank) user password
This will set the windows password for the user to blank.
Next select option 2.
2 - Unlock and enable user account [probably locked now]
It will change to
(2 - Unlock and enable user account) [seems unlocked already]
Select option q to quit.
q - Quit editing user, back to user select
It will ask you to save changes, press “y” to save.
root@vmi1255071:/mnt/Windows/System32/config# chntpw -u Administrator SAM chntpw version 1.00 140201, (c) Petter N Hagen Hivename (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes. ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0010 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 19, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 1 Password cleared! ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0010 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 19, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 2 Unlocked! ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Built-in account for administering the computer/domain homedir : 00000220 = Administrators (which has 1 members) Account bits: 0x0210 = [ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 0 Total login count: 15 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password (2 - Unlock and enable user account) [seems unlocked already] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > q Hives that have changed: # Name 0 Write hive files? (y/n) [n] : y 0 - OK root@vmi1255071:/mnt/Windows/System32/config#
Now you need to log in to the server using the console, it won’t ask for any password. Once logged in, you can set a password for the user. You can’t log in using RDP with a blank password.
After the password reset, “chntpw -l SAM” will look like the following
root@vmi1255071:/mnt/Windows/System32/config# chntpw -l SAM chntpw version 1.00 140201, (c) Petter N Hagen Hivename (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 298/26896 blocks/bytes, unused: 16/1552 blocks/bytes. | RID -|---------- Username ------------| Admin? |- Lock? --| | 01f4 | Administrator | ADMIN | *BLANK* | | 01f5 | Guest | | dis/lock | root@vmi1255071:/mnt/Windows/System32/config#
Back to Windows