26 January 2013

HOW TO: Reset Windows Admin Password?

Have you ever been experienced inputting Administrator password and all passwords were incorrect? Or if not, you need to access the admin user to perform maintenance diagnostics, but they didn't give you the password? Well, if you are willing to access the administrator with a password, you can do it by resetting it or if not removing it instead.

Admit it; there are many times you will forget your password, and it gets annoying remembering those.  And most of us, if we will not get our password, we tend to reinstall the operating system and it was surely getting pretty boring. To lessen the high blood pressure moments, with this tool. However, it helps you to solve the problem by resetting the Windows Admin Password.

To access the administrator username, you need to boot it up to cd/floppy/USB.

Offline NT Password & Registry Editor

It is a FREE tool that will reset the Windows Admin Password on a local Windows system. It is cool because you need not the old password to set a new one. And it works pretty well booting in CD, USB offline.

  • Supports all Windows from NT3.5 to Win7, also 64 bit and also the Server versions (like 2003 and 2008)
  • Detects and offers to unlock locked or disabled out user accounts!
  • Registry utilities that work under Linux/UNIX, and can be used for other things than password editing.

Here I will put on USB Flash Drive only because the most PC system can boot up in USB and I tested it in a flash drive.

How to make an bootable USB drive

1. First, you need to download the file here:

3. Once finish downloading, unzip it and copy all files inside directly to your FLASH Drive. (sample if you have Flash DRIVE J: put the files there)

4. Then, install BootLoader on your FLASH drive using CMD (command prompt)*

If you are using Windows Vista/Windows 7, be sure to run as administrator! 
*type cmd and right click and run as Administrator
5. Since I have my flash drive J: I want to execute bootloader now, the command is
J:syslinux -ma X:

Don't use C:, and it will have ldlinux.sys once installed correctly

6. Now, you are done!

The next step is to boot it in the BIOS before entering Windows desktop.

Correctly set to boot in USB or else it will not detect your bootloader, and it will not successfully reset Admin password.

If properly boots it will show like this:

If it boots, you should see this:

  ISOLINUX 3.51 2007-06-10  Copyright (C) 1994-2007 H. Peter Anvin

  *                                                                         *
  *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
  *                                                                         *
  *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
  *                                                                         *
  *             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
  *                                                                         *
  * More info at: http://pogostick.net/~pnh/ntpasswd/                       *
  * Email       : [email protected]                                         *
  *                                                                         *
  * CD build date: Sun Sep 23 14:15:35 CEST 2007                            *

  Press enter to boot, or give linux kernel boot options first if needed.
  Some that I have to use once in a while:
  boot nousb          - to turn off USB if not used and it causes problems
  boot irqpoll        - if some drivers hang with irq problem messages
  boot nodrivers      - skip automatic disk driver loading


Just press 'enter' key and then it will display kernel messages about hardware...don't panic its normal.

It displays something like this:

Loading vmlinuz..................
  Loading scsi.cgz.........................

  Loading initrd.cgz..........
  Linux version ([email protected]) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
  BIOS-provided physical RAM map:
   BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
   BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
   BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
   BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
   BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
   BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
   BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
   BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
   BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
   BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
   BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
  792MB LOWMEM available.
  Zone PFN ranges:
    DMA             0 ->     4096
    Normal       4096 ->   202752
  early_node_map[1] active PFN ranges


  Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
  serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
  Floppy drive(s): fd0 is 1.44M
  FDC 0 is a post-1991 82077
  RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
  USB Universal Host Controller Interface driver v3.0
  Initializing USB Mass Storage driver...
  usbcore: registered new interface driver usb-storage
  USB Mass Storage support registered.
  serio: i8042 KBD port at 0x60,0x64 irq 1
  serio: i8042 AUX port at 0x60,0x64 irq 12
  usbcore: registered new interface driver usbhid
  drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
  Using IPI Shortcut mode
  BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
  Freeing unused kernel memory: 144k freed
  Booting ntpasswd
  Mounting: proc sys
  Ramdisk setup complete, stage separation..
  In stage 2
  Spawning shells on console 2 - 6
  Initialization complete!

  ** Preparing driver modules to dir /lib/modules/
  input: AT Translated Set 2 keyboard as /class/input/input0

And then

  * Windows Registry Edit Utility Floppy / chntpw                         *
  * (c) 1997 - 2007 Petter N Hagen - [email protected]                    *
  * GNU GPL v2 license, see files on CD                                   *
  *                                                                       *
  * This utility will enable you to change or blank the password of       *
  * any user (incl. administrator) on an Windows NT/2k/XP/Vista           *
  * WITHOUT knowing the old password.                                     *
  * Unlocking locked/disabled accounts also supported.                    *
  *                                                                       *
  * It also has a registry editor, and there is now support for           *
  * adding and deleting keys and values.                                  *
  *                                                                       *
  * Tested on: NT3.51 & NT4: Workstation, Server, PDC.                    *
  *            Win2k Prof & Server to SP4. Cannot change AD.              *
  *            XP Home & Prof: up to SP2                                  *
  *            Win 2003 Server (cannot change AD passwords)               *
  *            Vista 32 and 64 bit                                        *
  *                                                                       *
  * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...       *

  There are several steps to go through:
  - Disk select with optional loading of disk drivers
  - PATH select, where are the Windows systems files stored
  - File-select, what parts of registry we need
  - Then finally the password change or registry edit itself
  - If changes were made, write them back to disk

  DON'T PANIC! Usually the defaults are OK, just press enter
               all the way through the questions

  ¤ Step ONE: Select disk where the Windows installation is

  Disk /dev/sda: 42.9 GB, 42949672960 bytes

  Candidate Windows partitions found:
   1 :        /dev/sda1   40958MB BOOT

Here it has found one disk with one partition
  Please select partition by number or
   q = quit
   d = automatically start disk drivers
   m = manually select disk drivers to load
   f = fetch additional drivers from floppy / usb
   a = show all partitions found
   l = show propbable Windows (NTFS) partitions only
  Select: [1]

 -rw-------    2 0        0          262144 Feb 28  2007 BCD-Template
  -rw-------    2 0        0         6815744 Sep 23 12:33 COMPONENTS
  -rw-------    1 0        0          262144 Sep 23 12:33 DEFAULT
  drwx------    1 0        0               0 Nov  2  2006 Journal
  drwx------    1 0        0            8192 Sep 23 12:33 RegBack
  -rw-------    1 0        0          524288 Sep 23 12:33 SAM
  -rw-------    1 0        0          262144 Sep 23 12:33 SECURITY
  -rw-------    1 0        0        15728640 Sep 23 12:33 SOFTWARE
  -rw-------    1 0        0         9175040 Sep 23 12:33 SYSTEM
  drwx------    1 0        0            4096 Nov  2  2006 TxR
  drwx------    1 0        0            4096 Feb 27  2007 systemprofile

  Select which part of registry to load, use predefined choices
  or list the files with space as delimiter
  1 - Password reset [sam system security]
  2 - RecoveryConsole parameters [software]
  q - quit - return to previous
  [1] :

Choice 1 is for password edit, most used.
But if you wish, you can load any of the files (just enter it's name) and do manual registry edit on them.But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.

 Selected files: sam system security
  Copying sam system security to /tmp

  ¤ Step THREE: Password or registry edit
  chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
  Hive  name (from header): <\SystemRoot\System32\Config\SAM>
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
  Page at 0x44000 is not 'hbin', assuming file contains garbage at end
  File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
  Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

  Hive  name (from header): 
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c 
  Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
  File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
  Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

  Hive  name (from header): 
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
  Page at 0x6000 is not 'hbin', assuming file contains garbage at end
  File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
  Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.

  * SAM policy limits:
  Failed logins before lockout is: 0
  Minimum password length        : 0
  Password history count         : 0

  ======== chntpw Main Interactive Menu ========

  Loaded hives:   

    1 - Edit user data and passwords
    2 - Syskey status & change
    3 - RecoveryConsole settings
        - - -
    9 - Registry editor, now with full write support!
    q - Quit (you will be asked if there is something to save)

  What to do? [1] ->

This demo shows selection 1 for password edit, but you can also do other things.
Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.
The manual registry editor is always available, it is not the most user-friendly thing, but anyway..
We continue our quest to change our "admin" users password..
  ===== chntpw Edit User Info & Passwords ====

  | RID -|---------- Username ------------| Admin? |- Lock? --|
  | 03e8 | admin                          | ADMIN  |          |
  | 01f4 | Administrator                  | ADMIN  | dis/lock |
  | 03ec | grumf1                         |        |          |
  | 03ed | grumf2                         |        |          |
  | 03ee | grumf3                         |        |          |
  | 01f5 | Guest                          |        | dis/lock |
  | 03ea | jalla1                         | ADMIN  | *BLANK*  |
  | 03eb | jalla2                         |        | *BLANK*  |
  | 03e9 | petro                          | ADMIN  | *BLANK*  |

This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users.
The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.The buildt in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)The "lock?" collumn show if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.We select to edit the "admin" user (this was the user made administrator by the Vista installer)
  Select: ! - quit, . - list users, 0x - User with RID (hex)
  or simply enter the username to change: [Administrator] admin

  RID     : 1000 [03e8]
  Username: admin
  comment :
  homedir :

  User is member of 1 groups:
  00000220 = Administrators (which has 4 members)

Group 220 is THE BOSS GROUP! :)

  Account bits: 0x0214 =
  [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
  [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
  [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
  [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
  [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

  Failed login count: 0, while max tries is: 0
  Total  login count: 3

Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.
  - - - - User Edit Menu:
   1 - Clear (blank) user password
   2 - Edit (set new) user password (careful with this on XP or Vista)
   3 - Promote user (make user an administrator)
  (4 - Unlock and enable user account) [seems unlocked already]
   q - Quit editing user, back to user select
  Select: [q] > 1
  Password cleared!

Here we just reset/clear/blank the password.
But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.
Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.
  Select: ! - quit, . - list users, 0x - User with RID (hex)
  or simply enter the username to change: [Administrator] !

Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD)
Then we get back to the main menu, and select to quit..
  ======== chntpw Main Interactive Menu ========

  Loaded hives:   

    1 - Edit user data and passwords
    2 - Syskey status & change
    3 - RecoveryConsole settings
        - - -
    9 - Registry editor, now with full write support!
    q - Quit (you will be asked if there is something to save)

  What to do? [1] -> q

  Hives that have changed:
   #  Name
   0   - OK

  ¤ Step FOUR: Writing back changes
  About to write file(s) back! Do it? [n] : y

You must input Y, or the changes will not be saved. This is the last chance to change your mind!
  Writing  sam

Only changed files of the registry are actually written back.
If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.

SOurce: http://pogostick.net/~pnh/ntpasswd/

Featured Offers: