Resetting Windows passwords from Linux

Forgot your Windows password? No worries, it happens. If you can boot your Windows PC from a Linux live USB drive or connect its hard drive to a Linux computer, resetting your password is a simple and quick process.

Mounting the drive

In order to access the Windows drive, we obviously have to mount it first. This part can be a little tricky, because more recent versions of Windows will commonly leave the NTFS file system on the drive in a dirty state, signaling that the drive is in an inconsistent state (for example because Windows was shut down before all changes could be committed to disk). An NTFS partition with the dirty bit set (i.e. one that is in a dirty state) will only let itself be mounted read-only by other systems. In Linux environments, we can use the ntfsfix command (available in the ntfs-3g package in Debian-based distros) to clean the NTFS partition and remove the dirty bit:

sudo ntfsfix -d /dev/sdb1

Replace /dev/sdb1 with the drive and partition number you want to mount. If you are unsure, run fdisk --list for a list of all available disks and partitions. The ntfsfix command will produce output similar to the following:

Mounting volume... The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
FAILED
Attempting to correct errors... 
Processing $MFT and $MFTMirr...
Reading $MFT... OK
Reading $MFTMirr... OK
Comparing $MFTMirr to $MFT... OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
Checking the alternate boot sector... OK
NTFS volume version is 3.1.
NTFS partition /dev/sdb1 was processed successfully.

Even though it initially reports a failure to mount, this is not an error we have to deal with (we expected as much, because the dirty bit was set). As long as the last line indicates success, everything worked as intended.

Now that the partition is cleaned, we can easily mount it:

sudo mount /dev/sdb1 /mnt

Editing the Windows user accounts

Navigate to the mount point of the Windows disk and locate the directory Windows/System32/config inside:

cd /mnt/Windows/System32/config

Now we need to find the Security Account Manager (SAM) file, which contains information about local Windows users, groups, permissions and passwords. Depending on your Windows version, the file may be called sam, SAM or a different capitalization of the word. Let's assume our file is named SAM. Start by listing the user accounts contained within:

chntpw -l SAM

If your SAM file is named differently, adjust the name at the end of the command. The output will look something like this:

chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 315/31560 blocks/bytes, unused: 29/13272 blocks/bytes.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | Jane                           |        |          |
| 01f8 | WDAGUtilityAccount             |        | dis/lock |

We only really care about the table at the bottom, which lists all accounts known to the Windows system, whether they are locked and whether they have admin privileges. Our sample file only has one unlocked account, so that is most likely the user we want to reset the password for. Start an interactive editing session for the user Jane:

chntpw -u Jane SAM

If the username contains uncommon characters, you could also give the RID value to the -u flag instead (for the Jane account, this would be 03e9). The command starts an interactive session that lets us edit the selected account:

chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 315/31560 blocks/bytes, unused: 29/13272 blocks/bytes.

================= USER EDIT ====================

RID    : 1001 [03e9]
Username: Jane
fullname: 
comment : 
homedir : 


Account bits: 0x0214 =
[ ] Disabled       | [ ] Homedir req.   | [X] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account    | 
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act  | 
[X] Pwd don't expir | [ ] Auto lockout   | [ ] (unknown 0x08) | 
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | 

Failed login count: 0, while max tries is: 0
Total login count: 12

- - - - User Edit Menu:
 1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Select: [q] > 
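
The "Account bits: 0x0214" line in this screen is a bit field, and the checkbox grid below it is its decoded form. The sketch that follows is an added example, not part of the original article or of chntpw: it decodes the value assuming the ACB_* account-control bit layout (which reproduces the three boxes ticked above); the short flag names and the two review rules are this example's own.

```shell
#!/bin/sh
# Added example: decode the "Account bits" value from the USER EDIT screen.
# Bit values are assumed to follow the ACB_* account-control layout; the flag
# names and review rules below are made up for this example.

# decode_acb VALUE: prints the names of all set flags, space-separated.
decode_acb() {
    bits=$(( $1 ))
    out=
    for entry in 0x0001:disabled 0x0002:homedir-req 0x0004:passwd-not-req \
                 0x0008:temp-duplicate 0x0010:normal-account 0x0020:mns-account \
                 0x0040:domain-trust 0x0080:wks-trust 0x0100:srv-trust \
                 0x0200:pwd-no-expire 0x0400:auto-lockout; do
        mask=${entry%%:*}
        if [ $(( bits & $mask )) -ne 0 ]; then
            out="$out${out:+ }${entry#*:}"
        fi
    done
    printf '%s\n' "$out"
}

# acb_from_session: reads chntpw screen text on stdin, prints the hex value.
acb_from_session() {
    sed -n 's/^Account bits: \(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# acb_findings VALUE: one line per flag worth reviewing on an enabled account.
acb_findings() {
    flags=" $(decode_acb "$1") "
    case $flags in *" disabled "*) return 0 ;; esac   # cannot log on anyway
    case $flags in *" passwd-not-req "*)
        echo "enabled account may have an empty password" ;; esac
    case $flags in *" pwd-no-expire "*)
        echo "password never expires" ;; esac
}

# Sample input: the line as it appears in the screen output above.
SAMPLE='Account bits: 0x0214 ='
value=$(printf '%s\n' "$SAMPLE" | acb_from_session)
echo "$value: $(decode_acb "$value")"
acb_findings "$value"
```
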

Type 1 and hit enter to clear the password, then enter q and confirm the prompt "Write hive files?" by entering y. The last line of output should confirm that writes were successful:

 0 <SAM> - OK

And that's it! You can now unmount the drive and start the Windows system again. Once you get to the login screen, you should automatically get logged in just by clicking on the account we cleared the password for, without being asked for the password at all.
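
Because chntpw writes directly into the hive, it is worth checking three things before the editing step above: that the volume really is mounted read-write, where the SAM file is regardless of capitalization, and that a verified backup exists. The script below is an added example, not from the original article; the function names, the script name preflight.sh and the default backup directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): checks to run before chntpw edits
# the hive. Function names and the default backup directory are assumptions.

# mount_is_rw MOUNTPOINT [MOUNTS_FILE]: succeeds only if the volume is mounted
# read-write; a volume that still has the dirty bit set ends up read-only.
mount_is_rw() {
    awk -v mp="$1" '$2 == mp { opts = $4 }
        END { if (("," opts ",") ~ /,rw,/) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# find_sam MOUNTPOINT: prints the path of the SAM hive, matching every path
# component case-insensitively (Windows/System32/config/SAM, .../sam, ...).
find_sam() {
    rel=$(cd "$1" && find . -mindepth 4 -maxdepth 4 -type f \
        -ipath './windows/system32/config/sam' | head -n 1)
    [ -n "$rel" ] || return 1
    printf '%s/%s\n' "${1%/}" "${rel#./}"
}

# backup_hive FILE DEST_DIR: copies the hive and verifies the copy byte for
# byte. The copy holds the same password hashes as the hive itself, so keep
# it on media you control and delete it once Windows boots correctly.
backup_hive() {
    mkdir -p "$2" || return 1
    copy="$2/$(basename "$1").$(date +%Y%m%d-%H%M%S).bak"
    cp -p "$1" "$copy" && cmp -s "$1" "$copy" || return 1
    printf '%s\n' "$copy"
}

# Usage: sh preflight.sh /mnt [backup-dir]
if [ "$#" -ge 1 ]; then
    mount_is_rw "$1" || { echo "$1 is not mounted read-write" >&2; exit 1; }
    sam=$(find_sam "$1") || { echo "no SAM hive found under $1" >&2; exit 1; }
    backup_hive "$sam" "${2:-$HOME/sam-backup}"
fi
```

If the edit goes wrong, copying the backup over the hive while the volume is still mounted restores the previous state.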
