Home Microsoft Windows How To Reset Windows Password With Chntpw And Linux Live CD

How To Reset Windows Password With Chntpw And Linux Live CD

Recover Forgotten Windows Administrator Password Using Chntpw And Linux Bootable CD Or USB

By sk
Published: Last Updated on 3.4k views

This step by step guide explains what is Chntpw utility and how to reset Windows password using Chntpw with a Linux Live CD.

Introduction

Let us say you're System admin who work in a mixed-OS environment where you are managing both Linux and Windows systems. There are chances that you may need to recover the forgotten password of an user account at some point.

If it is a Linux or Unix user account, you can simply boot into the rescue or emergency mode, and reset the forgotten password of the user account. We have documented the steps to reset forgotten Root password in Linux and Unix operating systems. Check the following links for more details.

In my opinion, resetting a Linux user password is quite easy! We boot into the single user mode from the Grub boot menu, mount the filesystem in read/write mode and use the passwd command to change the root or any normal user password. If the Grub menu is password-protected, you can boot via a Linux cd and follow the same procedure to reset the Linux user accounts password.

Recovering forgotten Windows administrator password can also be done via a Linux live CD or any other Linux-based rescue CDs, for example SystemRescue or ClonezIlla.

In this guide, I am going to show you how to reset a Windows user password using Chntpw utility and Ubuntu live cd. Not just ubuntu live CD, you can use any other Linux live CD or System rescue CD or Hiren's BootCD.

I tested this guide on Windows 8 and Windows 10 platforms. In both platforms, I can able to successfully change the Windows user password with Chntpw utility.

Before getting started, let me give a brief introduction to Chntpw utility.

What is Chntpw?

Chntpw is a utility to view some information and reset user passwords in a Windows NT/2000 SAM user database file used by Microsoft Windows Operating System, specifically in NT3.x and later versions.

The SAM user database file is usually located at \WINDOWS\system32\config\SAM on the Windows file system.

In addition, Chntpw contains a simple registry editor and a hex-editor with which the information contained in a registry file can be browsed and modified.

The Chntpw utility comes with all Linux ISO images. Simply connect to Internet and install Chntpw utlity. If you use Clonezilla or SystemRescue CD, they have included Chntpw by default, so you don't have to bother with manual installation.

Chntpw supports the following options:

  • -h : View Summary of options
  • -u username : Username or User ID to change. The default user is 'Administrator'.
  • -l : List all users in the SAM database.
  • -i : Open interactive menu system.
  • -e : Open Registry editor.
  • -d : Open hex-editor
  • -E : Enable Safe mode.
  • -v : Print verbose information. Useful when debugging.

Reset Windows User Account Password with Chtntpw and Linux Live CD

Step 1 - Boot your Windows System with Linux Live CD

Boot your Windows system with any available Linux live cd images. For the purpose of this guide, I will be using Ubuntu live cd.

Ubuntu Live CD
Ubuntu Live CD

Step 2 - Install Chntpw Utility

After booting into the live environment, make sure you're connected to the Internet and install Chntpw program.

In Ubuntu-based systems, enable [Universe] repository and install Chntpw utility using the following command:

$ sudo apt install chntpw

If you boot into RPM-based systems, like Fedora, you can install Chntpw using the following command:

$ sudo dnf install chntpw

Step 3 - Find the Windows Installation Partition

Now, we need to find out on which partition Windows OS is installed. To find Windows installation partition, you can use any disk management CLI utilities like fdisk or sfdisk.

$ sudo sfdisk -l

Sample Output:

[...]
Device     Boot   Start       End   Sectors  Size Id Type
/dev/sda1  *       2048   1026047   1024000  500M  7 HPFS/NTFS/exFAT
/dev/sda2       1026048 104855551 103829504 49.5G  7 HPFS/NTFS/exFAT
[...]
List Disk Partitions
List Disk Partitions

As you see in the above output, my Windows 10 OS is installed in /dev/sda2 partition. In other words, /dev/sda2 is the C:\ drive. And the /dev/sda1 is the system partition which contains important hardware-specific files that are needed to load Windows.

Step 4 - Mount Windows Partition

After finding the right partition where the Windows OS is installed, you need to mount it in your Linux platform.

Let me create a mountpoint named winmount in my $HOME directory.

$ mkdir ~/winmount

Mount the Windows partition (i.e. /dev/sda2 in my case) in the newly created mountpoint ~/winmount using mount command:

$ sudo mount /dev/sda2 ~/winmount
Mount Windows Partition
Mount Windows Partition

Heads Up: In the above example, I have used 'sudo' command while mounting the partition. If you mount the windows partition in $HOME directory, you don't need to use 'sudo'. I have included 'sudo' just for sake of clarity, because some users may try to mount the partition in directories (E.g. /mnt/) that requires 'sudo' rights.

Step 5 - Remove Windows User Password

We have mounted the Windows partition in ~/winmount directory.

Change to /Windows/System32/config/ directory:

$ cd ~/winmount/Windows/System32/config/

Now, edit the SAM database using chntpw utility by running the following command:

$ sudo chntpw -i SAM

it will open the chntpw interactive main wizard. Type 1 to choose "Edit user data and passwords" option and hit ENTER.

chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 289/25456 blocks/bytes, unused: 26/7152 blocks/bytes.

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> 1
[...]
Edit user data and passwords with chntpw
Edit user data and passwords with chntpw

Enter user number (RID). In my case, I am going to reset the password of user called "Senthilkumar", so I entered his RID i.e. 3e9.

[...]
===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | Senthilkumar                   | ADMIN  |          |

Please enter user number (RID) or 0 to exit: [3e9] 3e9
[...]
Enter User Number (RID)
Enter User Number (RID)

Enter 1 to clear user password and hit ENTER.

[...]
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: Senthilkumar
fullname: 
comment : 
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 9

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 1
[...]
Clear User Password with Chntpw
Clear User Password with Chntpw

Next type q and hit ENTER to quit editing user and g back to the previous menu.

[...]
- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > q
[...]
Quit Editing User
Quit Editing User

Again, type q to quit chntpw interactive menu:

[...]
<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q
[...]
Quit chntpw Main Interactive Menu
Quit chntpw Main Interactive Menu

You will be prompted to save the changes. Type y and hit ENTER to save the chnages and exit chntpw interactive menu.

[...]
Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
Save Changes and Exit chntpw
Save Changes and Exit chntpw

That's it. The Windows user password has been reset!!

Remove your Ubuntu live cd and reboot your system. Now you won't see the user password prompt at Windows login screen.

The following screenshot shows the Windows password prompt before removing the user password in Windows 10.

Windows 10 Login Password Prompt
Windows 10 Login Password Prompt

After removing the user password in Windows 10, the user is logged in automatically.

Windows 10 Login Screen
Windows 10 Login Screen

This procedure is same for resetting Windows 8 user password. As I stated already, you can use any Linux live CD or System Rescue CDs to reset Windows user password.

Frequently Asked Questions

Is it possible to reset user password if Windows partition is encrypted?

No. If the Windows partition is encrypted, you can't mount it. Hence it is not possible to reset Windows password in encrypted drives with Chntpw.

Should I install Chntpw?

It depends on the Linux CD you use. If you use System rescue cds such as Clonezilla, SystemRescue or PartedMagic, Chntpw is already included by default. So you don't have to install Chntpw in System rescue CDs. In normal live CDs, such as Ubuntu live cd or Fedora live cd, you may need to install Chntpw.

I always recommend you to keep at least one System rescue CD ready. It will definitely comes in handy when things goes side-ways.

After the password is reset, will the user still be connected to the Domain?

No. Once the password is cleared, the user will be disconnected from the Domain controller. You may need to re-authenticate it. Or contact your Domain administrator.

Conclusion

In this tutorial, we learned how to reset forgotten Windows user account password with Chntpw utility. As you can see, the steps to reset Windows password using Chntpw with Linux live CD is easy!

You May Also Like

2 comments

Dale November 15, 2022 - 6:14 pm

Let me get this straight… I’m supposed to turn off fastboot IN windows, that I can not log into, in order to reset password in Linux.
If I can log into windows, why would I need to reset password?

Reply
sk November 15, 2022 - 7:36 pm

You are totally right. I never thought of it when I wrote this guide. I removed the “Disabling Fast Startup” section now. I will find a workaround and update the guide as soon as possible. My sincere apologies for being so dumb.

Reply

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More