Resetting Windows Passwords with Knoppix

Inspired by/Information from KNOPPIX HACKS O'REILY book, using captive-ntfs and chntpw utility.

Resetting Lost Windows NT
Passwords with KNOPPIX Linux


Situation:
You have forgotten a local user password on a Microsoft Windows NT, 2000, XP, 2003 computer. This is especially useful if the forgotten password if for the ?Administrator? account.

What you?ll need:
A copy of KNOPPIX Linux. Any version should do fine, in my example I am using KNOPPIX 3.4 which is actually slightly outdated, but we don?t need any of the newer KNOPPIX features for this example.

User accounts have an interesting history in Windows. The Windows 9x series did offer usernames and passwords, but every user could overwrite every other user?s files, and the system did not offer any real security, If you forgot your password in Windows 9x, resetting it is as simple as deleting a .pwd file with a DOS disk. With Windows NT, 2000, and XP, Microsoft has increased its user security by creating different user accounts on the same system and password that protect them. However, unlike in Windows 9x, if you forget your Administrator password, your only resource is to purchase a tool to reset your Windows password or to reinstall Windows to create a new administrator account. If you have a Knoppix disc, you can download and use the ?chntpw? tool, which is a small program that lets you eset the local passwords on a Windows system, and return to your system.

First step is, obviously, to boot the computer with Knoppix. There are multiple ways to get chntpw, but luckily for us, it?s now part of Debian?s ?unstable? repositories. Since Knoppix is Debian based, we can get the latest .deb file from http://packages.debian.org/unstable/admin/chntpw. Download the file to your /home/Knoppix folder. Since most of the Knoppix system is read-only, we can?t directly install the .deb package. Instead, you must convert it to a tar file, and then extract out the chntpw utility. Open up a terminal and run the following commands:

Knoppix@ttyp1[knoppix]$ alien ?to-tgz chntpw_.deb
Knoppix@ttyp1[knoppix]$ tar xvzf chntpw.tgz ./usr/sbin/chntpw
Knoppix@ttyp1[knoppix]$ mv ./usr/sbin/chntpw ./

Once you have finished with these commands, the chntpw utility is in /home/Knoppix and ready to use. Now let?s reset the password!

To reset the password, you must have write permissions on the Windows partition. If you have a FAT or FAT32 Windows partition, this is easy. However, the standard and common file system for Windows NT, 2000, and XP is NTFS. So now I will explain how to mount your Windows partition using ?captive-ntfs?. As of Knoppix 3.4, Captive NTFS is included on the CD. Captive NTFS is actually a process that uses the NTFS drivers that Windows itself uses.
Though it has worked for many people, it is still considered somewhat experimental, and anything of great importance should be backed up prior to use.

Knoppix includes an easy-to-use Captive NTFS wizard which will scan the hardrives for the necessary NTFS .dlls. Access the wizard by K-Menu -> KNOPPIX -> Utilities -> Captive NTFS. Click forward to see a list of the system files that Captive NTFS has already located on your Knoppix system. Click forward again, and the wizard mounts and scans your hard drives for the essential files it needs.

Once Captive NTFS has the module it needs, it activates the OK button even though it continues to scan other directories and partitions for drivers. If you are in a hurry, you can click OK to immediately mount the NTFS partitions. If you wait for the scan to finish, you are prompted with an option to specify locations for drivers, such as a USB flash drive, or click forward to download the drivers from the Windows XP service Pack 1.

Once you are finished with the wizard, you are ready to mount an NTFS partition. Open up a terminal and use the following command:

Knoppix@ttyp1[knoppix]$ sudo mount ?t captive-ntfs ?o uid=Knoppix,gid=Knoppix /dev/hda1 /mnt/hda1

Obviously, replace the name of the partition, if it is not correct. The ?t option is used to specify file-system type, use captive-ntfs to use the NTFS drivers that the captive ntfs wizard previously found. The ?o argument tell mount to make user and group ?knoppix? the owner of this drive. Now that this drive is mounted, you have full read/write access to the drive and the possibly to do unlimited good and evil to your drive.

Make sure to unmount the drive after you?re done to be sure that changes are synced!!!!
Knoppix@ttyp1[knoppix]$ sudo umount /mnt/hda1


Now to continue resetting the password. Once the partition is mounted, we must find the directory containing the SAM file. For Windows 2000 and XP systems, this should be under /winnt/system32/config and /windows/system32/config, respectively. In this example, navigate to /mnt/hda1/windows/system32/config directory. You should see a number of files, including SAM, SYSTEM, and SECURITY that may or may not be in all caps. Now, to reset the ?Administrator? password, do the following:

Knoppix@ttyp1[config]$ /home/Knoppix/chntpw SAM

You will see a few messages, and at the end should be prompted with an option to enter the new password. It is my strong recommendation that you simple reset(blank) the password by using the asterisk(*). I have not had good luck changing the password to something new, but blanking it works all the time from my experience. So, do the following:

Please enter new password: *

Hit [Enter]

There you go! You should now have a blank password on the local Administrator account of that Windows installation. If you want to reset the password for any account other than ?Administrator? you can use the following commands:

Knoppix@ttyp1[config]$ /home/knoppix/chntpw ?l SAM
To view all user accounts on the system

Knoppix@ttyp1[config]$ /home/knoppix/chntpw/ -u username SAM
To reset the account password for the username of your choice.

Once you have changed the password and saved your changes, unmount the filestem and reboot:

Knoppix@ttyp1[config]$ cd
Knoppix@ttyp1[knoppix]$ sudo umount /dev/hda1
Knoppix@ttyp1[knoppix]$ sudo reboot