Doug Vitale Tech Blog

Reset Windows passwords with Offline NT Password & Registry Editor

The Offline NT Password & Registry Editor is a small Linux boot disk that you can use to change or delete Windows passwords outside of the Windows OS environment for local accounts. This can be useful if you forget your Windows password or the password belonging to the Administrator account. This utility can enable you to change or delete passwords, but it cannot tell you what the password for an account actually is. As such it is not appropriate to label Offline NT Password & Registry Editor as a ‘password recovery tool'; it’s a password editor, just like the name says.

It is compatible with Windows 3.x, Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008.

Please note that the Offline NT Password & Registry Editor (‘Offline’) home page states: “If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be UNREADABLE and cannot be recovered unless you remember the old password again“.

Also note that Offline cannot be used to change or reset Active Directory passwords.

Offline’s versioning is done using release dates. The version used in this tutorial is 110511 (for 11 May 2011).

How to use it

First, download the installation ‘cd******.zip’ file from the website above and extract it locally. Burn the resulting .iso file to a CD-ROM. If you plan to boot to a USB drive, download the ‘usb********.zip’ file and extract its contents to the drive.

Second, insert the CD or USB drive into the computer and reboot it. Before the Windows OS loads (while the manufacturer’s screen is briefly displayed), hit the appropriate key (usually one of the twelve ‘F’ keys) to enter the boot device manager where you can specify a device to boot to (overriding the default device, which is almost always C:\ on the internal hard drive).

Your computer will load the contents of the Offline CD or USB drive. When it is finished you will be prompted as follows.

1. You are first given the opportunity to specify any boot parameters that Offline should follow. Your choices are:

Press enter to boot, or give linux kernel boot options first if needed.
boot nousb - to turn off USB if not used and it causes problems
boot irqpoll - if some drivers hang with irq problem messages
boot vga=ask - if you have problems with the video mode
boot nodrivers - skip automatic disk driver loading

boot:

Just hit Enter. If you don’t make a choice, Offline will start normally after 15 seconds.

2. Offline will search your PC for physical hard drives and for the partitions on those drives. When it is done you will see something like:

Disks:
Disk /dev/sda: x-amount GB, x-amount bytes

Candidate Windows partitions found:
1: /dev/sda1 x-amountMB BOOT
2: /dev/sda2 x-amountMB

Please select partition by number or:

q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy/usb
a = show all partitions found
l = show probably Windows (NTFS) partitions only


Select: [1]

Choose the partition where Windows is installed (usually choice 1) and hit Enter.

3. Now you will see output like this:

Selected 1

Mounting from /dev/sda1, with assumed filesystem type NTFS
So, let's really check if it is NTFS?

Yes, read-write seems OK.
Mounting it. This may take up to a few minutes:

Success!

Step TWO: Select PATH and registry files
DEBUG path: windows found as Windows
DEBUG path: system32 found as System32
DEBUG path: config found as config
DEBUG path: found correct case to be: Windows/System32/config

What is the path to the registry directory (relative to windows disk)?
[Windows/System32/config]:

Here is where you specify the location of the SAM file which Offline will attempt to edit. By default it is located in %SystemRoot%\Windows\System32\Config. Hit Enter to choose this default location. If you are not familiar with the Windows SAM file, you should definitely read up on it here and here.

4. Offline will search this location for the SAM and prompt you as follows:

DEBUG path: found correct case to be: Windows/System32/config

<displays all non-log files found in the config directory>

Select which part of registry to load, use predefined choices or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

Hit Enter to accept the default option (password reset).

5. The following choices appear:

<>==<> chntpw Main Interactive Menu <>==<>

Loaded hives: <sam> <system> <security>

1 - Edit user data and passwords
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] ->

Hit Enter to accept the default choice (edit user data and passwords).

6. Offline will now display the user accounts it finds like so:

==chntpw Edit User Info & Passwords==
RID ---- Username ----- Admin? --- | -Lock? --
01f4  |  Administrator |  ADMIN   |  dis/lock
03ea  |  User1                      |  dis/lock
03e9  |  User 2                     |  dis/lock
01f5  |  Guest                      |  dis/lock

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex), or simply enter the username to change: [Administrator]

Type the username whose password you wish to edit or hit Enter to choose Administrator. RID refers to the Relative ID.

7. After you select an account, Offline will display some details on that account and then give you options on how to edit its password.

RID : 0500 [01f4]
Username: Administrator
fullname:
comment: Built-in account for administering the computer/domain
homedir:

User is member of 1 groups:
00000220 = Administrators (which has x members)
Account bits: 0x0211 =
[x] Disabled   |   [ ] Homedir req.   |   [ ] Passwd not req.
[ ] Temp. duplicate   |   [x] Normal account   |   [ ] NMS account
[ ] Domain trust ac   | [ ] Wks trust act.   |   [ ] Srv trust act
[x] Pwd don't expir   |   [ ] Auto lockout   |   [ ] (unknown 0x08)
[ ] (unknown 0x10)   |   [ ] (unknown 0x20)   |   [ ] (unknown 0x40)
Failed login count: 0, while max tries is: 0
Total login count: 15

----User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select

Select: [q]

Choose 1, 2, 3, or 4, hit Enter, and follow the prompts.

8. After you make the required changes, type ‘!’ to quit and hit Enter. Now type ‘q’ to quit and hit Enter again. You will now be asked:

Step Four: Writing back changes
About to write files back! Do it? [n]:

Hit Enter to choose no; you do not want to reverse what you just did. Now you are asked:

New run? [n] :

Hit Enter for no and press Ctrl-Alt-Delete to reboot (you might want to remove your CD-ROM or USB drive first).

Questions?

Consult the Offline NT Password & Registry Editor’s frequently asked questions.

Recommended reading

Yes, it is possible to change the root password on Linux in a similar manner. In fact, you can even use standard Linux distributions to change passwords on Windows.

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Hacking Windows Exposed on Amazon Hacking Windows Exposed  Big Book of Windows Hacks on Amazon Big Book of Windows Hacks

Seven Deadliest Microsoft Attacks on Amazon 7 Deadliest Microsoft Attacks  Basics of Hacking and Pen Testing on Amazon Basics of Hacking and Pen Testing

Windows 7 Missing Manual on Amazon Windows 7: The Missing Manual Windows 7 Tweaks on Amazon Windows 7 Tweaks

About these ads
%d bloggers like this: