I often use this method to reset Windows passwords and avoid paying for expensive proprietary tools. The tool is called chntpw and its source is available here. Most Linux security distributions have it installed by default; if yours does not, almost every package management system has it available.
To make this work we need to boot our Linux disk on the Windows computer we are locked out of. I like to use Backtrack Linux for all my security needs (most likely because I am a developer :-) ).
The first thing we need to do is mount the Windows partition. On Backtrack we use ntfs-3g to mount it. This assumes your Windows partition is on sda1 and you have created a directory named windows to mount it on. If you are lost at this point then this post may not be for you.
- root@bt4:~# mount -t ntfs-3g /dev/sda1 /mnt/windows/ -o force
Once the partition is mounted, you must locate the directory containing the SAM file. On Windows 2000 and XP systems this directory is under windows/system32/config or winnt/system32/config. In this example, navigate to the /mnt/windows/system32/config directory, where you will notice a number of files, including ones called SAM, SYSTEM, and SECURITY, which may or may not be in all caps. Once you are in this directory on the command line, reset the Windows Administrator password by running chntpw. On Backtrack this tool is in the $PATH; on your distro you may need to give the complete path to the binary.
- root@bt4:~# chntpw SAM
Remember that SAM is the name of the SAM file in the directory, which may or may not be all in caps. By default this utility edits the Administrator account, so there is no need to specify one. While you have the option to change the password to a different value, it is recommended to just reset (blank) the password and then change it once you are back in Windows. You can reset the password by typing * instead of a password when prompted.
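The post notes that the hive directory may be windows/ or winnt/ and that the file names may or may not be in caps. As an added example, not from the original post, here is a small POSIX sh helper that finds the SAM hive regardless of that casing and checks that the file really carries the registry hive header before it is handed to chntpw. The mount point passed as the first argument (e.g. /mnt/windows) is an assumption.

```shell
# Locate and sanity-check the SAM hive under a mounted Windows volume.
# Assumption: the volume is mounted at the path given as $1 (e.g. /mnt/windows).
# Handles both layouts named in the post (windows/ and winnt/) and any mix of
# upper/lower case in the path components, since ntfs-3g preserves on-disk case.

find_sam_hive() {
    mnt="$1"
    # -ipath matches the whole path case-insensitively; depth 4 reaches
    # <mnt>/<windows|winnt>/system32/config/sam and no further.
    hive=$(find "$mnt" -maxdepth 4 -type f \
        \( -ipath '*/windows/system32/config/sam' \
        -o -ipath '*/winnt/system32/config/sam' \) 2>/dev/null | head -n 1)
    [ -n "$hive" ] || return 1
    printf '%s\n' "$hive"
}

# Every Windows registry hive file starts with the 4-byte ASCII magic "regf";
# refuse to treat anything else as a hive.
is_registry_hive() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "regf" ]
}

# Print the hive path chntpw should be pointed at, or fail with a reason.
# Usage: sam_hive_for /mnt/windows
sam_hive_for() {
    hive=$(find_sam_hive "$1") || { echo "no SAM hive under $1" >&2; return 1; }
    is_registry_hive "$hive" || { echo "$hive lacks the regf header" >&2; return 1; }
    printf '%s\n' "$hive"
}
```

The same header check is useful when collecting SAM, SYSTEM and SECURITY hives from a mounted image for offline forensic review, since a misnamed or truncated file will be rejected before any tool parses it.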
If you want to reset the password for a user other than Administrator, list the users in the SAM file with the -l option:
- root@bt4:~# chntpw -l SAM
- chntpw version 0.99.2 040105, (c) Petter N Hagen
- Hive's name (from header): <\SystemRoot\System32\Config\SAM>
- ROOT KEY at offset: 0x001020
- Page at 0x6000 is not 'hbin', assuming file contains garbage at end
- File size 262144  bytes, containing 5 pages (+ 1 headerpage)
- Used for data: 218/16928 blocks/bytes, unused: 4/3392 blocks/bytes.
- * SAM policy limits:
- Failed logins before lockout is: 0
- Minimum password length : 0
- Password history count : 0
- RID: 01f4, Username: <Administrator>, *BLANK password*
- RID: 01f5, Username: <Guest>, *disabled or locked*
- RID: 03e8, Username: <Bob>
- RID: 03ea, Username: <SUPPORT>, *disabled or locked*
- Hives that have changed:
- # Name
This example has four users: Administrator, Guest, Bob, and SUPPORT. Pick the user you want to edit, and then run chntpw with the -u option:
- root@bt4:~# chntpw SAM -u username
Once you have changed the password and saved your changes, unmount the filesystem and reboot.
When you boot back into Windows, the password should be blank, so you can log in and change it with the regular Windows tools.