Many tools can unlock a user account and clear its password, for example Offline Windows Password & Registry Editor, but only on a few architectures. Therefore, I tried the program chntpw on Kali Live. This procedure works on all versions of Windows.
After booting the Kali live CD / USB, we need to determine which partition is the Windows system partition. You can use a program such as gparted. My Windows system partition is sda2. Let's mount it:
root@kali:~# mount /dev/sda2 /mnt/
Create a backup:
root@kali:~# cp /mnt/Windows/System32/config/SAM /mnt/Windows/System32/config/SAM_bck-20150301
The chntpw version shipped by default with Kali does not work correctly! When I finished the unlocking process I needed to quit and save the changes to the SAM file, but the program couldn't quit. I had a loop. We need to downgrade the chntpw package:
root@kali:~# wget http://launchpadlibrarian.net/15221455/chntpw_0.99.5-0%2Bnmu1_i386.deb
root@kali:~# dpkg -i chntpw_0.99.5-0+nmu1_i386.deb
dpkg: warning: downgrading chntpw from 0.99.6-3kali3 to 0.99.5-0+nmu1
Now we can start the unlocking and password-clearing process:
root@kali:~# chntpw -i /mnt/Windows/System32/config/SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0xf000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 6 pages (+ 1 headerpage)
Used for data: 255/51992 blocks/bytes, unused: 7/5160 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0

======== chntpw Main Interactive Menu ========

Loaded hives:

  1 - Edit user data and passwords
  2 - Syskey status and change
  3 - RecoveryConsole settings
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] -: 1

===== chntpw Edit User Info and Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03eb | HomeGroupUser$                 |        |          |
| 01f4 | Rendszergazda                  | ADMIN  | dis/lock |
| 03e8 | user                           | ADMIN  | dis/lock |
| 01f5 | Vendeg                         |        | dis/lock |
| 03e9 | Zsofi                          |        | dis/lock |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Rendszergazda] 0x01f4

RID     : 0500 [01f4]
Username: Rendszergazda
fullname:
comment : Beepitett fiok a gep/tartomany felugyeletehez
homedir :

User is member of 1 groups:
00000220 = Rendszergazdak (which has 2 members)

Account bits: 0x0211 =
[X] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 2, while max tries is: 0
Total login count: 1

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] : 1
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Rendszergazda] 0x01f4

RID     : 0500 [01f4]
Username: Rendszergazda
fullname:
comment : Beepitett fiok a gep/tartomany felugyeletehez
homedir :

User is member of 1 groups:
00000220 = Rendszergazdak (which has 2 members)

Account bits: 0x0211 =
[X] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 2, while max tries is: 0
Total login count: 1

** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Sorry, cannot change. Try login with no password!

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
 4 - Unlock and enable user account [probably locked now]
 q - Quit editing user, back to user select
Select: [q] : 4
Unlocked!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Rendszergazda] !

======== chntpw Main Interactive Menu ========

Loaded hives:

  1 - Edit user data and passwords
  2 - Syskey status and change
  3 - RecoveryConsole settings
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do? [1] : q

Hives that have changed:
 #  Name
 0
Write hive files? (y/n) [n] : y
 0 - OK
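The header values chntpw prints at the start of the session (the hive name, the ROOT KEY offset, the page count and the "garbage at end" warning) all come from the hive's regf base block and its hbin pages. The following Python inspector is an added example, not code from the original post or from chntpw: it reads those same fields from a hive image and also checks two integrity indicators worth looking at on a saved SAM file before rebooting, the base-block checksum and the primary/secondary sequence numbers, which are equal in a cleanly written hive. build_sample_hive only constructs a synthetic test image with no accounts in it; the field offsets used are those of the standard regf/hbin layout.

```python
import struct

HBIN_BASE = 0x1000  # hive bins start right after the 4 KiB base block (the "regf" header)

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 127 little-endian DWORDs; results 0 and 0xFFFFFFFF are remapped by Windows."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (x or 1)

def inspect_hive(data: bytes) -> dict:
    """Parse the base block and walk the hbin pages of a hive image (e.g. a copy of SAM)."""
    if len(data) < HBIN_BASE or data[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", data, 4)      # primary / secondary sequence numbers
    root_cell = struct.unpack_from("<I", data, 36)[0]    # root cell offset, relative to first hbin
    name = data[48:112].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", data, 508)[0]
    # Walk hbin pages; stop at the first one without an 'hbin' signature (chntpw: "garbage at end")
    pos, pages = HBIN_BASE, 0
    while pos + 32 <= len(data) and data[pos:pos + 4] == b"hbin":
        size = struct.unpack_from("<I", data, pos + 8)[0]
        if size == 0 or size % 0x1000:
            break
        pos += size
        pages += 1
    return {
        "hive_name": name,
        "root_key_offset": HBIN_BASE + root_cell,   # chntpw prints this as "ROOT KEY at offset"
        "pages": pages,
        "trailing_garbage": len(data) > pos,
        "sequence_consistent": seq1 == seq2,        # unequal means the hive was not cleanly written
        "checksum_ok": stored == regf_checksum(data[:HBIN_BASE]),
    }

def build_sample_hive(name: str, pages: int, dirty: bool = False, garbage_pages: int = 1) -> bytes:
    """Constructed minimal hive image for testing only; not a real SAM, it holds no accounts."""
    base = bytearray(b"regf") + bytearray(HBIN_BASE - 4)
    struct.pack_into("<II", base, 4, 5, 4 if dirty else 5)      # sequence numbers
    struct.pack_into("<II", base, 36, 0x20, pages * 0x1000)     # root cell offset, bins size
    base[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))
    bins = bytearray()
    for i in range(pages):
        hb = bytearray(b"hbin") + bytearray(0x1000 - 4)
        struct.pack_into("<II", hb, 4, i * 0x1000, 0x1000)      # offset from first hbin, size
        bins += hb
    return bytes(base + bins) + b"\xff" * (0x1000 * garbage_pages)
```

On a real hive, inspect_hive(open("SAM", "rb").read()) reports the same root key offset chntpw shows (0x1000 plus the root cell offset, 0x1020 on the hive above) and flags a mismatched checksum or sequence pair as a hive that was not written cleanly.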
Now, we are ready to reboot:
root@kali:~# reboot