<html>
<head>
<title>Recover Administrator's password</title>
<LINK REL="stylesheet" TYPE="text/css" HREF="../css0.css">
</head>
<body>

<!--#include virtual="/doc/header.html" -->

<H1>Recover Administrator's password</H1>

<p><b>Offline NT Password & Registry Editor</b> is a free Linux-based tool that changes the password of a local account on a Windows NT/2k/XP installation without knowing the old password.</p>

<p>Tested on:</p>
<ol>
<li>NT3.51 & NT4: Workstation, Server, PDC
<li>Windows 2000 Professional & Server up to SP3 (cannot change Active Directory)
<li>XP Home & Professional up to SP1
</ol>

<p>Download it from <a href="http://home.eunet.no/~pnordahl/ntpasswd/">http://home.eunet.no/~pnordahl/ntpasswd/</a>.</p>

<ul>
<li>This is a utility to (re)set the password of any user that has a valid (local) account on your NT system.
<li>You do not need to know the old password to set a new one.
<li>It works offline: you have to shut down your computer and boot from a floppy disk.
<li>It will detect and offer to unlock locked or disabled user accounts.
</ul>

<p><b>THIS SOFTWARE COMES WITH NO WARRANTY WHATSOEVER. THE AUTHOR AND THIS SITE ARE NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE (MIS)USE OF THIS SOFTWARE!</b></p>

<h2>How to make a boot disk</h2>
<ol>
<li>Download <b>bd030112.zip</b> (1.4MB) and <b>rawwrite2.zip</b> (10K) from <a href="http://home.eunet.no/~pnordahl/ntpasswd/">here</a> to make a boot floppy. If you need more SCSI drivers or want to boot from CD-ROM, download the other images. You can also get rawrite2.exe from a Linux CD.

<li>Extract both bd030112.zip and rawwrite2.zip into the same directory (for convenience) and run <b>rawrite2.exe</b>.

<li>Type the image filename and the target drive letter when prompted:
<pre>
RaWrite 2.0 - Write disk file to raw floppy diskette

Enter disk image source file name: <b>bd030112.bin</b>
Enter target diskette drive: <b>a</b>
</pre>

</ol>

<h2>How to use</h2>
<ol>
<li>Insert the floppy or CD.
<li>Let the machine boot from the floppy or CD. You may need to change the boot sequence in the BIOS.
<li>You'll see:
<pre>
****************************************************************
* This utility will enable you to change the password of almost
* any user (incl. administrator) on an Windows NT/2k/XP installation
* WITHOUT knowing the old password.
* 
* The program is now able to actually parse/follow the internal
* registry structure completely.
* There is now support for adding and deleting keys and values.
* Tested on: NT3.51 & NT4: Workstation, Server, PDC.
*            Win2k Prof & Server to SP3. Cannot change AD.
*            XP Home & Prof: up to SP1
* Now also works with syskey, read warnings if applicable.
*
* You may either let the scripts try to figure out your configuration,
* or you may do it manually from the shell prompts.
* 
* Good luck!

Press return/enter to continue <b>Enter</b>
* In /etc/main.rc....
Calling scsi.rc to probe for SCSI controllers
Mounting floppy to fetch drivers from /scsi on it
SCSI-drivers found on floppy:

BusLogic.o.gz  aic7xxx.o.gz

Do you have your NT disks on a SCSI controller?
  y - this will autoprobe for the driver
  n - no, skip SCSI, I have IDE drives
  or give the scsi-driver modules name (without the .o or .gz)
  + optional parameters to go directly for a known driver

Probe for SCSI-drivers: [n]<b>Enter</b>

Calling part.rc to select partition
Partitions found on the disk(s):
   Device Boot Start    End      Blocks    Id     System
/dev/hda1   *      1   1859    14932386     7  HPFS/NTFS

Probable NT partitions:
/dev/hda1   *      1   1859    14932386     7  HPFS/NTFS
Wnat partition contains your NT installation?
[/dev/hda1] : <b>Enter</b>
FAT: Did not find valid FSINFO signature.
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
mount: wrong fs type, bad option, bad superblock on /deb/hda1,
       or too many mounted fil systems
/dev/hda1 is NTFS.
Trying to mount as readwrite on /mnt
NTFS volume version 3.0.
Success. Mounted NTFS /deb/hda1 on /mnt
Calling path.rc. to select path
What is the full path to the registry directory?
[winnt/system32/config] : <b>Enter</b>
-rw-------  1 0       0         65536 Jan 15 09:00 AppEvent.Evt
-rw-------  1 0       0         65536 Jan 15 09:00 default
-rw-------  1 0       0         65536 Jan 15 09:00 default.LOG
-rw-------  1 0       0         65536 Jan 15 09:00 default.sav
-rw-------  1 0       0         65536 Jan 15 09:00 netlogon.ftl
-rw-------  1 0       0         65536 Jan 15 09:00 SAM
-rw-------  1 0       0         65536 Jan 15 09:00 SAM.LOG
-rw-------  1 0       0         65536 Jan 15 09:00 SecEvent.Evt
-rw-------  1 0       0         65536 Jan 15 09:00 SECURITY
-rw-------  1 0       0         65536 Jan 15 09:00 SECURITY.LOG
-rw-------  1 0       0         65536 Jan 15 09:00 software
-rw-------  1 0       0         65536 Jan 15 09:00 software.LOG
-rw-------  1 0       0         65536 Jan 15 09:00 software.sav
-rw-------  1 0       0         65536 Jan 15 09:00 SysEvent.Evt
-rw-------  1 0       0         65536 Jan 15 09:00 system.sav
-rw-------  1 0       0         65536 Jan 15 09:00 TempLey.LOG
-rw-------  1 0       0         65536 Jan 15 09:00 userdiff
-rw-------  1 0       0         65536 Jan 15 09:00 userdiff.LOG
Which hives (files) do you want to edit (leave default for
password setting, separate multiple names with spaces)
[sam system security] : <b>Enter</b>
Copying sam system security to /tmp

Now running chntpw
chntpw version 0.99.0 030112, (c) Petter N Hagen
Hive's name (from header) (\SystemRoot\System32\Config\Sam)
ROOT KEY at offset: 0x001020

File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used, for data: 319/26472 blocks/bytes, unused: 6/1976 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 2555904 [270000] bytes, containing 584 pages (+ 1 headerpage)
Used, for data: 44209/2524072 blocks/bytes, unused: 19/9048 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 49152 [c000] bytes, containing 11 pages (+ 1 headerpage)
Used, for data: 859/42568 blocks/bytes, unused: 5/2136 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is : 0
Minimum password length         : 0
Password history count          : 0

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
  1 - Edit user data and passwords
  2 - Syskey status & change
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> <b>Enter</b>

==== chntpw Edit User Info & Passwords ====

RID: 03f2, Username: (ACTUser)
RID: 03f2, Username: (Administrator)
RID: 03f2, Username: (ASPNET)
RID: 03f2, Username: (Guest), disabled or locked*
RID: 03f2, Username: (IUSR_HOGE-SRV)
RID: 03f2, Username: (IWAM_HOGE-SRV)
RID: 03f2, Username: (SQLDebugger)
RID: 03f2, Username: (hoge)
RID: 03f2, Username: (VUSER_HOGE-SRV)
RID: 03f2, Username: (VUSER_HOGE-SRV1)

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simple enter the username to change: [Administrator] <b>Enter</b>
RID     : 032f
Username: Administrator
fullname:
comment :
homedir :

Account bits: 0x0215 =
[ ] Disabled        | [ ] Homedir req.      | [ ] passwd not req. |
[ ] Temp. duplicate | [X] Normail account   | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.    | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout      | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)    | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is : 0
Total  login.count: 7
Account is disabled
Crypted NT pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Crypted LM pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MD4 hash     : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
LANMAN hash  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

* = blank the password (EXPERIMENTAL! but may fix problems)
Enter nothing to leave it unchanged
Please enter new password: <b>*</b>
Blanking password. This may actually fix things if previous password-preset
did not work. Or it may even make things worse. Happy joy!

Do you really wish to change it? (y/n) [n] <b>y</b>

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simple enter the username to change: [Administrator] <b>!</b>

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
  1 - Edit user data and passwords
  2 - Syskey status & change
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -> <b>q</b>

Hives that have changed:
 # Name
 0 (sam)
Write hive files? (y/n) [n] : <b>y</b>
Calling write.rc to select write back sam file
About to write file(s) back! Do it? [n] <b>y</b>
Writing sam
* end of scripts.. returning to the shell..
* Press CTRL-ALT-DELL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.rc'
#
</pre>

<li>Remove the floppy and restart. Now you can log in without a password (or with whatever password you set).

</ol>
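<p>The "Account bits" value chntpw prints for a user (0x0215 in the session above) is the SAM account-control word; its checkbox table follows the standard SAM/Samba ACB bit values row by row (Disabled = 0x0001, Homedir req. = 0x0002, ... Auto lockout = 0x0400, and "(unknown 0x08)" means 0x0800). The following added example, which is not part of chntpw or this page, decodes that value and flags the combinations an administrator would want to review after an account has been reset or unlocked offline; the 0x0214 input is a constructed value for the same account once re-enabled.</p>

```python
import re

# SAM account-control flags in the order chntpw's checkbox table lists them
# (standard ACB_* values; chntpw itself is not imported or modified here).
ACB_FLAGS = [
    (0x0001, "Disabled"),        (0x0002, "Homedir req."),
    (0x0004, "passwd not req."), (0x0008, "Temp. duplicate"),
    (0x0010, "Normal account"),  (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."),
    (0x0100, "Srv trust act"),   (0x0200, "Pwd don't expir"),
    (0x0400, "Auto lockout"),
]
KNOWN_MASK = sum(bit for bit, _ in ACB_FLAGS)


def parse_account_bits_line(line: str) -> int:
    """Extract the hex value from a chntpw line such as 'Account bits: 0x0215 ='."""
    m = re.search(r"Account bits:\s*0x([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("not an 'Account bits' line: " + line)
    return int(m.group(1), 16)


def decode_account_bits(value: int) -> list:
    """Return the names of all flags set in a 16-bit account-control value."""
    names = [name for bit, name in ACB_FLAGS if value & bit]
    # Bits above 0x0400 carry no label in chntpw's table; report them raw
    # so nothing set in the SAM goes unnoticed.
    unknown = value & ~KNOWN_MASK & 0xFFFF
    for i in range(11, 16):
        if unknown & (1 << i):
            names.append("unknown 0x%04x" % (1 << i))
    return names


def audit_account(value: int) -> list:
    """Flag states worth reviewing after an offline password reset or unlock."""
    flags = set(decode_account_bits(value))
    findings = []
    enabled = "Disabled" not in flags
    if enabled and "passwd not req." in flags:
        findings.append("enabled account that does not require a password")
    if enabled and "Pwd don't expir" in flags:
        findings.append("enabled account whose password never expires")
    if "Normal account" not in flags:
        findings.append("not a normal user account (trust/duplicate/MNS flags set)")
    return findings


if __name__ == "__main__":
    value = parse_account_bits_line("Account bits: 0x0215 =")  # from the session above
    print(decode_account_bits(value), audit_account(value))
    print(audit_account(0x0214))  # constructed: same bits with Disabled cleared
```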
<hr><a href="../index.html">Back</a> - <a href="../../support.html">Support</a>

<!--#include virtual="/doc/footer.html" -->

</BODY>
</HTML>

