chntpw - Reset/Bypass Windows Forgotten Password

Have you forgotten your Windows login password? This article shows how to reset it and get past the Windows logon screen.

chntpw is a Kali Linux tool that can be used to edit the Windows registry and promote a user to administrator, and it has several other useful options.
Using chntpw is a great way to reset a Windows password or otherwise gain access to a Windows machine when you don’t know what the password is.

Steps to Remove the Forgotten Windows Password

For this you will need a bootable Kali Live USB with persistence.

I have a laptop running Windows 10 Pro, and I have forgotten my login password. I am not able to log in with any of my passwords, so I want to reset the password. Follow the steps below to reset it:

1. First of all, turn off your machine and boot from your Kali Live USB with persistence. Select “Live USB Persistence”. It takes some time to boot; afterwards the Kali Linux desktop appears on the screen.

2. Double-click the largest volume shown on your desktop, which stores all the data of your Windows operating system. Its name may be different on your side. Don’t worry, just open it: this is the C drive of your Windows OS.
  • Right-click inside this folder and open a terminal here.
  • Now change the directory to the configuration folder, where the SAM files are stored.
    • The Security Account Manager (SAM) is a database on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

┌──(kali㉿kali)-[/media/kali/EE622B77622B43A5]
└─$ cd Windows/System32/config/ 
                                                                                     
┌──(kali㉿kali)-[/media/…/EE622B77622B43A5/Windows/System32/config]
└─$ ls SAM*
SAM
SAM{fd9a35bb-49fe-11e9-aa2c-248a07783950}.TM.blf
SAM{fd9a35bb-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000001.regtrans-ms
SAM{fd9a35bb-49fe-11e9-aa2c-248a07783950}.TMContainer00000000000000000002.regtrans-ms
SAM.LOG1
SAM.LOG2                                                                                                                                                              
┌──(kali㉿kali)-[/media/…/EE622B77622B43A5/Windows/System32/config]
└─$ 

3. Now run chntpw. Start with the help option to see what it offers:

┌──(kali㉿kali)-[/media/…/EE622B77622B43A5/Windows/System32/config]
└─$ sudo chntpw -h            
chntpw: change password of a user in a Windows SAM file,
or invoke registry editor. Should handle both 32 and 64 bit windows and
all version from NT3.x to Win8.1
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username or RID (0x3e9 for example) to interactively edit
 -l          list all users in SAM file and exit
 -i          Interactive Menu system
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor), 
 -v          Be a little more verbose (for debuging)
 -L          For scripts, write names of changed files to /tmp/changed
 -N          No allocation mode. Only same length overwrites possible (very safe mode)
 -E          No expand mode, do not expand hive file (safe mode)

Usernames can be given as name or RID (in hex with 0x first)

See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!

4. To reset the password, use the following command. The -i option starts the interactive menu system.

                                                                                     
┌──(kali㉿kali)-[/media/…/EE622B77622B43A5/Windows/System32/config]
└─$ sudo chntpw -i SAM         
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 318/31760 blocks/bytes, unused: 31/13072 blocks/bytes.



<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] ->

5. Now type 1 to edit user data and passwords.

What to do? [1] -> 1   


===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | mr dev                         | ADMIN  | dis/lock |
| 01f8 | WDAGUtilityAccount             |        | dis/lock |

Please enter user number (RID) or 0 to exit: [3e9] 

6. Now copy the user number (RID) of the account you want to reset, here 03e9, and paste it at the prompt.

Please enter user number (RID) or 0 to exit: [3e9] 03e9
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: mr dev
fullname: 
comment : 
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 4, while max tries is: 0
Total  login count: 12

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] >

7. Now type 1 to clear or blank the user password.

Select: [q] > 1
Password cleared!
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: mr dev
fullname: 
comment : 
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 4, while max tries is: 0
Total  login count: 12
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] >

8. Now type 2 to unlock and enable the user account.

Select: [q] > 2
Unlocked!
================= USER EDIT ====================

RID     : 1001 [03e9]
Username: mr dev
fullname: 
comment : 
homedir : 

00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 0
Total  login count: 12
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] >

9. Now type q to quit editing the user and go back to user selection.

Select: [q] > q


<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> 


Failed login count: 0, while max tries is: 0
Total  login count: 12
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 

10. Now type q to quit.

Select: [q] > q


<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
  2 - List groups
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)


What to do? [1] -> q

Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : 

11. Now type y to save the hive.

Write hive files? (y/n) [n] : y
0 <SAM> OK

                                                                                     
┌──(kali㉿kali)-[/media/…/EE622B77622B43A5/Windows/System32/config]
└─$ 

After completing all the steps, unplug your pen drive and reboot your system.
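
Because step 11 writes directly to the SAM hive, it is worth saving a verified copy before step 3. The script below is an added example, not part of the original article or of chntpw; the function names are illustrative, and the path in the usage comment is the mount point shown in the session above.

```bash
#!/usr/bin/env bash
# Added example: keep a verified copy of a registry hive before chntpw edits it.
# Function names are illustrative and not part of chntpw.

# is_hive FILE: succeed only if FILE exists and starts with the
# registry hive signature "regf".
is_hive() {
    [ -f "$1" ] && [ "$(head -c 4 "$1")" = "regf" ]
}

# backup_hive FILE: copy FILE to FILE.bak-<timestamp>, confirm the copy is
# byte-identical by SHA-256, and print the backup path.
# The original file is never modified.
backup_hive() {
    src=$1
    is_hive "$src" || { echo "not a registry hive: $src" >&2; return 1; }
    dst="$src.bak-$(date +%Y%m%d-%H%M%S)"
    cp -p -- "$src" "$dst" || return 1
    a=$(sha256sum < "$src")
    b=$(sha256sum < "$dst")
    if [ "$a" != "$b" ]; then
        echo "backup does not match original: $dst" >&2
        rm -f -- "$dst"
        return 1
    fi
    printf '%s\n' "$dst"
}

# restore_hive BACKUP FILE: put a saved copy back over FILE, for example
# if Windows misbehaves after the edited hive has been written.
restore_hive() {
    is_hive "$1" && cp -p -- "$1" "$2"
}

# Usage (path taken from the session in this article):
#   ./backup_sam.sh /media/kali/EE622B77622B43A5/Windows/System32/config/SAM
if [ "$#" -gt 0 ]; then
    backup_hive "$1"
fi
```

The offline edit in this article depends on the Windows volume being readable from the live system; on a BitLocker-encrypted drive the SAM file cannot be opened without the recovery key.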


