Knoppix Reset Windows Admin Password
If you forget a password for your user on your Windows system (especially if the user is administrator), your computer immediately becomes a paperweight. It’s like being locked out of your car without a spare set of keys and without a way to contact a locksmith. Use Knoppix as your locksmith to reset the password to a new value or even completely erase it.
User accounts have an interesting history in Windows. The Windows 9x series did offer usernames and passwords, but every user could overwrite every other user’s files, and the system did not offer any real security. If you forget your password in Windows 9x, resetting it is as simple as deleting a .pwd file with a DOS disk. With Windows NT, 2000, and XP, Microsoft has increased its user security by creating different user accounts on the same system and passwords that protect them. However, unlike in Windows 9x, if you forget your Administrator password, your only recourse is to purchase a tool to reset your Windows password or to reinstall Windows to create a new administrator account. If you have a Knoppix disc, you can download and use the chntpw tool, which is a small program that lets you reset the local passwords on a Windows system, and return to your system.
Get chntpw
The chntpw tool is part of the ntpasswd package, which can be downloaded in boot floppy form from its web site at http://home.eunet.no/~pnordahl/ntpasswd/. However, this gives you a floppy image and requires that you mount multiple loopback entries to extract the utility from the floppy image to use under Knoppix. While you can simply create an ntpasswd boot floppy, this means yet another rescue disk to carry with you, and the beauty of Knoppix is that you have access to all of your recovery tools in a single disc. Luckily, the chntpw tool is now part of Debian unstable, which means that you can grab it directly from Debian’s repository.
You can get the latest chntpw package from http://packages.debian.org/unstable/admin/chntpw. Download the .deb to your /home/knoppix directory. Most of the Knoppix system is read-only, so you can’t directly install this package. Instead, you must convert it to a tar file, and then extract out the chntpw utility. Open up a terminal, and run the following commands:
knoppix@ttyp1[config]$ alien --to-tgz chntpw_0.99.2-1_i386.deb
knoppix@ttyp1[config]$ tar xvzf chntpw-0.99.2.tgz ./usr/sbin/chntpw
knoppix@ttyp1[config]$ mv ./usr/sbin/chntpw ./
Change the .deb and .tgz filenames to match the version of chntpw that you downloaded. This command makes use of the alien utility, which has the ability to convert files between .rpm, .deb, and .tgz. This conversion is necessary to extract only the chntpw executable file. Once you are finished with these commands, the chntpw utility is in /home/knoppix and ready to use.
Reset the Password
To reset the password, you must have write permissions on the Windows partition. If you have a FAT or FAT32 Windows partition, click on the drive on the desktop to mount it, then right-click on the hard-drive icon and choose Actions|Change read/write mode, or on the command line, type:
knoppix@ttyp1[config]$ sudo mount -o rw /dev/hda1 /mnt/hda1
Replace hda1 with your Windows partition. If you have an NTFS partition, follow the steps in the previous tutorials to mount the NTFS partition with write permissions.
Once the partition is mounted, you must locate the directory containing the SAM file. For Windows 2000 and XP systems, this directory should be located under windows/system32/config or winnt/system32/config. In this example, navigate to the /mnt/hda1/windows/system32/config directory, and notice a number of files, including ones called SAM, SYSTEM, and SECURITY, that may or may not be in all caps. Once you have navigated to this directory on the command line, reset the Windows Administrator password by running:
knoppix@ttyp1[config]$ /home/knoppix/chntpw SAM
Remember that SAM is the name of the SAM file in the directory, and may or may not be all in caps. The default for this utility is to edit the Administrator password, so there is no need to specify an account. While you have the option to change the password to a different value, it is recommended to just reset the password and then change it when you get back into Windows. You can reset the password by typing * instead of a password when prompted.
knoppix@ttyp1[config]$ /home/knoppix/chntpw SAM
chntpw version 0.99.2 040105, (c) Petter N Hagen
openHive(sam) failed: Read-only file system, trying read-only
Hive's name (from header):
ROOT KEY at offset: 0x001020
...output suppressed...
* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *
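Because the directory and file names vary in case and chntpw edits the hive in place, it helps to locate the SAM file and keep a copy before running the command above. The shell functions below are an added example, not part of the original article or of the chntpw package; the function names and the .orig backup suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example: find the SAM hive whatever the case of its path, and
# keep a copy before chntpw edits it in place.
# Usage (after sourcing this file): backup_sam /mnt/hda1

# ci_child DIR NAME: print the entry of DIR whose name equals NAME when
# case is ignored; return 1 if there is none.
ci_child() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry" | tr '[:upper:]' '[:lower:]')
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# find_sam MOUNTPOINT: print the path of the SAM hive found under
# windows/system32/config or winnt/system32/config.
find_sam() {
    for top in windows winnt; do
        dir=$(ci_child "$1" "$top") || continue
        dir=$(ci_child "$dir" system32) || continue
        dir=$(ci_child "$dir" config) || continue
        ci_child "$dir" sam && return 0
    done
    return 1
}

# backup_sam MOUNTPOINT: copy the hive to <hive>.orig (the suffix is this
# example's choice) unless a backup already exists, then print the hive
# path to pass to chntpw.
backup_sam() {
    sam=$(find_sam "$1") || { echo "no SAM hive under $1" >&2; return 1; }
    if [ ! -e "$sam.orig" ]; then
        cp -p "$sam" "$sam.orig" || return 1
    fi
    printf '%s\n' "$sam"
}
```

If Windows fails to start after the edit, boot Knoppix again and copy the .orig file back over the hive.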
If you want to reset the password for a user other than Administrator, list the users in the SAM file with the -l option:
knoppix@ttyp1[config]$ /home/knoppix/chntpw -l SAM
chntpw version 0.99.2 040105, (c) Petter N Hagen
Hive's name (from header):
ROOT KEY at offset: 0x001020
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 218/16928 blocks/bytes, unused: 4/3392 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
RID: 01f4, Username: <Administrator>, *BLANK password*
RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*
Hives that have changed:
# Name
None!
This example has four users: Administrator, Guest, HelpAssistant, and SUPPORT_388945a0. Pick the user you want to edit, and then run chntpw with the -u option:
knoppix@ttyp1[config]$ /home/knoppix/chntpw -u username SAM
Once you change the password and save your changes, unmount the filesystem and reboot:
knoppix@ttyp1[config]$ cd
knoppix@ttyp1[knoppix]$ sudo umount /mnt/hda1
When you boot back to Windows, the password should be blank, so you can log in and change the password with the regular Windows tools.