Reset local Windows password with chntpw

xa-

If you want to reset Windows passwords with chntpw, you must first boot the machine with a Linux distribution. Kali Linux is only available if you can disable UEFI Secure Boot first. Alternatively, you can use an installation image from Ubuntu that is secure boot compatible.

In the next step, locate the partition with the Windows file system and mount it to a local directory so that you have write access to it. Kali Linux does not allow you to use the forensic mode. For control you can use mount to list all file systems, grep filters the list and displays only entries that contain win. It is important that the attribute rw appears on the Windows file system.

$ mount | grep win

Now change to the directory windows/system32/config. It contains several files whose names begin with SAM. They are managed by the Security Account manager.

$ cd /mnt/Windows/System32/config/

$ ls -l SAM*

The critical critical file is SAM. The command chntpw with the options -l lists which users are stored in the account file, which of them have admin rights and which are currently blocked.

$ chntpw -l SAM

To actually make changes, start the command with the option -i (for interactive). You can now first list all accounts and groups, select an account, and finally reset its password to an empty password. With q you leave first the user edit menu and then the main interactive menu. chntpw asks if you really want to save the changes.

$ chntpw -i SAM

>> chtnpw Main Interactive Menu

Loaded hives: <SAM>

1 - Edit user data and password

2 - List Groups

9 - Registry editor, now with full write support!

q - Quit (you will be asked if there is something to save)

What to do? > 1

Please enter user number (RID) or 0 to exit: (enter here user number)3e9

>> User Edit Menu:

1 - Clear (blank) user password

Select: [q] > 1

Password cleared

Select: [q] > q

Hives that have changed:

#   Name

O  <SAM>

Write hive files(y|n) : y

O   <SAM>  -  OK

Those were the steps. After restarting windows you can login to the changed account without entering a password. If this does not work, the user has set a different authentication procedure.