Have you forgotten your Windows user password? No problem! This step-by-step guide explains what the Chntpw utility is and how to reset a Windows password using Chntpw with a Linux Live CD.
Introduction
Let us say you're a system admin who works in a mixed-OS environment where you manage both Linux and Windows systems. Chances are that you will need to recover the forgotten password of a user account at some point.
If it is a Linux or Unix user account, you can simply boot into the rescue or emergency mode, and reset the forgotten password of the user account. We have documented the steps to reset forgotten Root password in Linux and Unix operating systems. Check the following links for more details.
- How To Reset Root User Password In CentOS 8, RHEL 8, AlmaLinux 8, Rocky Linux 8
- How To Reset Sudo Password In Ubuntu 22.04 / 20.04 LTS
- How To Reset Root User Password In Arch Linux, CentOS And Ubuntu
- How To Reset Or Recover Root User Password In FreeBSD
In my opinion, resetting a Linux user password is quite easy! We boot into the single user mode from the Grub boot menu, mount the filesystem in read/write mode and use the passwd command to change the root or any normal user password. If the Grub menu is password-protected, you can boot via a Linux CD and follow the same procedure to reset the Linux user account's password.
Recovering a forgotten Windows administrator password can also be done via a Linux live CD or any other Linux-based rescue CD, for example SystemRescue or Clonezilla.
In this guide, I am going to show you how to reset a Windows user password using the Chntpw utility and an Ubuntu live CD. Instead of the Ubuntu live CD, you can use any other Linux live CD, a system rescue CD or Hiren's BootCD.
I tested this guide on Windows 8 and Windows 10 platforms. On both platforms, I was able to successfully change the Windows user password with the Chntpw utility.
Before getting started, let me give a brief introduction to Chntpw utility.
What is Chntpw?
Chntpw is a utility to view some information and reset user passwords in a Windows NT/2000 SAM user database file used by Microsoft Windows Operating System, specifically in NT3.x and later versions.
The SAM user database file is usually located at \WINDOWS\system32\config\SAM on the Windows file system.
In addition, Chntpw contains a simple registry editor and a hex-editor with which the information contained in a registry file can be browsed and modified.
The Chntpw utility comes with all Linux ISO images. Simply connect to the Internet and install the Chntpw utility. If you use Clonezilla or the SystemRescue CD, they include Chntpw by default, so you don't have to bother with manual installation.
Chntpw supports the following options:
- -h : View Summary of options
- -u username : Username or User ID to change. The default user is 'Administrator'.
- -l : List all users in the SAM database.
- -i : Open interactive menu system.
- -e : Open Registry editor.
- -d : Open hex-editor
- -E : Enable Safe mode.
- -v : Print verbose information. Useful when debugging.
Reset Windows User Account Password with Chntpw and Linux Live CD
Step 1: Boot your Windows System with Linux Live CD
Boot your Windows system with any available Linux live cd images. For the purpose of this guide, I will be using Ubuntu live cd.
Step 2: Install Chntpw Utility
After booting into the live environment, make sure you're connected to the Internet and install the Chntpw program.
In Ubuntu-based systems, enable the [Universe] repository and install the Chntpw utility using the following command:
$ sudo apt install chntpw
If you boot into RPM-based systems, like Fedora, you can install Chntpw using the following command:
$ sudo dnf install chntpw
Step 3: Find the Windows Installation Partition
Now, we need to find out on which partition the Windows OS is installed. To find the Windows installation partition, you can use any disk management CLI utility like fdisk or sfdisk.
$ sudo sfdisk -l
Sample Output:
[...]
Device     Boot   Start       End   Sectors  Size Id Type
/dev/sda1  *       2048   1026047   1024000  500M  7 HPFS/NTFS/exFAT
/dev/sda2       1026048 104855551 103829504 49.5G  7 HPFS/NTFS/exFAT
[...]
As you can see in the above output, my Windows 10 OS is installed in the /dev/sda2 partition. In other words, /dev/sda2 is the C:\ drive. And /dev/sda1 is the system partition, which contains important hardware-specific files that are needed to load Windows.
Step 4: Mount Windows Partition
After finding the right partition where the Windows OS is installed, you need to mount it in your Linux platform.
Let me create a mountpoint named winmount in my $HOME directory.
$ mkdir ~/winmount
Mount the Windows partition (i.e. /dev/sda2 in my case) in the newly created mountpoint ~/winmount using the mount command:
$ sudo mount /dev/sda2 ~/winmount
Heads Up: In the above example, I have used the 'sudo' command while mounting the partition. If you mount the Windows partition in the $HOME directory, you don't need to use 'sudo'. I have included 'sudo' just for the sake of clarity, because some users may try to mount the partition in directories (e.g. /mnt/) that require 'sudo' rights.
Step 5: Remove Windows User Password
We have mounted the Windows partition in the ~/winmount directory.
Change to the /Windows/System32/config/ directory:
$ cd ~/winmount/Windows/System32/config/
Now, edit the SAM database using the chntpw utility by running the following command:
$ sudo chntpw -i SAM
It will open the chntpw interactive main menu. Type 1 to choose the "Edit user data and passwords" option and hit ENTER.
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 289/25456 blocks/bytes, unused: 26/7152 blocks/bytes.

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1
[...]
Enter user number (RID). In my case, I am going to reset the password of user called "Senthilkumar", so I entered his RID i.e. 3e9.
[...]
===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | Senthilkumar                   | ADMIN  |          |

Please enter user number (RID) or 0 to exit: [3e9] 3e9
[...]
Enter 1 to clear user password and hit ENTER.
[...]
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: Senthilkumar
fullname:
comment :
homedir :

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total login count: 9

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 1
[...]
Next, type q and hit ENTER to quit editing the user and go back to the previous menu.
[...]
- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > q
[...]
Again, type q to quit chntpw interactive menu:
[...]
<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> q
[...]
You will be prompted to save the changes. Type y and hit ENTER to save the changes and exit the chntpw interactive menu.
[...]
Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y
That's it. The Windows user password has been reset!!
Remove your Ubuntu live cd and reboot your system. Now you won't see the user password prompt at Windows login screen.
The following screenshot shows the Windows password prompt before removing the user password in Windows 10.
After removing the user password in Windows 10, the user is logged in automatically.
This procedure is the same for resetting a Windows 8 user password. As I stated already, you can use any Linux live CD or system rescue CD to reset a Windows user password.
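The "Account bits" line in the USER EDIT output above is a bitmask. The following is an added example, not part of the original guide or of chntpw itself, that decodes that value and reports the "Passwd not req." and "Pwd don't expir" bits when auditing an account. The labels are the ones chntpw prints; the bit positions are the standard SAM account-control values, an assumption checked against the two values shown on this page (0x0214 and 0x0210), and the sample text is constructed from the output above.

```python
import re

# Bit values are the SAM account-control (ACB) flags; labels are those chntpw
# prints. The mapping is an assumption, checked against the two "Account bits"
# values that appear in this guide (0x0214 and 0x0210).
ACB_FLAGS = {
    0x0001: "Disabled",
    0x0002: "Homedir req.",
    0x0004: "Passwd not req.",
    0x0008: "Temp. duplicate",
    0x0010: "Normal account",
    0x0020: "NMS account",
    0x0040: "Domain trust ac",
    0x0080: "Wks trust act.",
    0x0100: "Srv trust act",
    0x0200: "Pwd don't expir",
    0x0400: "Auto lockout",
}
KNOWN_MASK = sum(ACB_FLAGS)  # 0x07ff

def decode_acb(value):
    """Return the labels of all known flags set in an account-bits value."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if value & bit]

def audit_user_edit(text):
    """Parse chntpw USER EDIT text; return (username, acb, flags, findings)."""
    user = re.search(r"^Username:\s*(.*\S)", text, re.M)
    bits = re.search(r"Account bits:\s*0x([0-9a-fA-F]+)", text)
    if not bits:
        raise ValueError("no 'Account bits' line found")
    acb = int(bits.group(1), 16)
    findings = []
    if acb & 0x0004:
        findings.append("blank password permitted (Passwd not req.)")
    if acb & 0x0200:
        findings.append("password never expires")
    unknown = acb & ~KNOWN_MASK & 0xFFFF
    if unknown:
        findings.append("unknown bits set: 0x%04x" % unknown)
    return (user.group(1) if user else None, acb, decode_acb(acb), findings)

# Constructed sample: header lines as they appear in the output above.
SAMPLE = """RID     : 1001 [03e9]
Username: Senthilkumar
Account bits: 0x0214 =
"""

if __name__ == "__main__":
    print(audit_user_edit(SAMPLE))
```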
Frequently Asked Questions (FAQ)
A: No. If the Windows partition is encrypted, you can't mount it. Hence it is not possible to reset Windows password in encrypted drives with Chntpw.
A: It depends on the Linux CD you use. If you use System rescue cds such as Clonezilla, SystemRescue or PartedMagic, Chntpw is already included by default. So you don't have to install Chntpw in System rescue CDs. In normal live CDs, such as Ubuntu live cd or Fedora live cd, you may need to install Chntpw.
I always recommend keeping at least one system rescue CD ready. It will definitely come in handy when things go sideways.
A: No. Once the password is cleared, the user will be disconnected from the Domain controller. You may need to re-authenticate it. Or contact your Domain administrator.
Conclusion
In this tutorial, we learned how to reset a forgotten Windows user account password with the Chntpw utility. As you can see, the steps to reset a Windows password using Chntpw with a Linux live CD are easy!
4 comments
Let me get this straight… I’m supposed to turn off fastboot IN windows, that I can not log into, in order to reset password in Linux.
If I can log into windows, why would I need to reset password?
You are totally right. I never thought of it when I wrote this guide. I removed the “Disabling Fast Startup” section now. I will find a workaround and update the guide as soon as possible. My sincere apologies for being so dumb.
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don’t expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
I Clear the Password, but I can’t login still
Hmm.. strange. Actually it worked on my test system. What is your Windows version? Did you save the changes after clearing the password?