What can I do if I forgot my Windows password?












165














I got a brand new Windows 7 machine, installed the operating system, created one account and forgot its password. What can I do?



There is no external CD, the operating system is loaded from somewhere inside the machine.



I already tried to remember passwords and tried all candidates with all possible combinations of caps lock, num lock etc.






























  • 4




    To address the specific issue of machines without CD/DVD drives: it is possible to create a bootable USB stick instead. It is likely that some of the packaged solutions mentioned below provide explicit support for this. Failing that, however, you could borrow or buy a USB DVD drive and boot from that.
    – Harry Johnston
    Sep 7 '11 at 21:25










  • Did you change the external CD details or something? Because that would have been helpful to know before everyone answered.
    – cutrightjm
    Apr 7 '12 at 0:15






  • 1




    Try putting caps lock on. Then retry all of your combinations. Might've been on when you set it and didn't realise.
    – Brok3n
    Jan 18 '15 at 22:48






  • 1




    If you have neither a CD nor a USB drive, you can refer to this trick but it involves too many steps. If you have a USB drive, things could be much easier and you can install Offline NT Password & Registry or Hiren's BootCD onto your USB with Rufus, next boot your machine off USB, and you can reset the password.
    – Durfee
    Mar 30 '17 at 0:41
















windows-7 windows passwords community-faq














edited Jun 5 '15 at 16:54









Ƭᴇcʜιᴇ007











asked Nov 18 '09 at 17:43









flybywire



















15 Answers


















145















  1. If you have an Ubuntu live CD you can reset it using chntpw application

  2. You can use Bart's PE + Password Renew to reset the password

  3. You can use Offline NT Password Editor to reset the password.


Detailed instructions on using any of the 3 are available over here.





























  • this answer should have gotten a check. if it didn't it means you were looking for recovery, not reset. that takes WAY longer and involves rainbow tables or lophtcrack with syskey and registry dumps...way beyond the scope of a superuser question but I gave you a starting point for some google queries
    – RobotHumans
    Oct 20 '10 at 3:04






  • 18




    To expand on aking1012's comment, users should keep in mind that resetting a Windows password results in the permanent loss of all encrypted files and data. Most of the time this isn't a big deal, but it can be.
    – Harry Johnston
    Sep 7 '11 at 21:22










  • @HarryJohnston The password can be reset without losing access to encrypted data (files, certificates, etc.) by using a pass-the-hash technique. See description here. I couldn't find a ready made tool to do it right now, so I'm just writing a comment.
    – David Balažic
    Apr 4 '15 at 15:56










  • @DavidBalažic: that appears to be AD only, so not applicable to most home users.
    – Harry Johnston
    Apr 5 '15 at 2:27



















53














If you can find a Microsoft ERD 6.5 or 7.0 boot disk, it can reset the Windows 7 password. It has to match the bit version to work, 32 or 64-bit Windows 7.



ERD (Emergency Repair Disc) boot disk is part of the DaRT (Diagnostic and Recovery Toolset), which is part of MDOP (Microsoft Desktop Optimization Pack). These are not available to the public, but they can be found.



ERD comes in five versions currently:




  • 5.0 for XP

  • 6.0 for Vista

  • 6.5 or 7.0 for Windows 7

  • 8.0 for Windows 8, 8.1

  • 10.0 for Windows 10


MSDaRT



There is an alternative method for Windows 7; all you need is either a Windows 7 install disk, System Repair Disk or WinRE partition on the hard drive.



Use F8 or boot from the disc. Once RE loads, choose "Repair your Computer", then load Command Prompt and run these two commands. The second command you will get a prompt to overwrite; say "yes".



copy c:\windows\system32\sethc.exe c:\

copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe


Restart the PC. When you reach the Login screen, hit the Shift key five times. A command window will open. Type the following:



net user  (type the name of the account)  (type any password)


and hit the Enter key, and when prompted to overwrite, type "Yes", and hit the Enter key again, and close the command window, and log on with the new password you just created.



After that you might want to put the original sticky key file back in its place, so go ahead and boot your PC with the repair CD or USB that you used earlier, and in the command prompt window type the following:



copy c:\sethc.exe c:\windows\system32\sethc.exe


press Enter, then when prompted to Overwrite, type "Yes" and hit the Enter key again, then close the window, and restart the PC.



Or if you prefer a 3rd party password cracker, here is a good one
"tested from NT3.5 up to Windows 8.1, including the server versions like 2003, 2008 and 2012. Also 64 bit windows supported."

























  • 1




    Between this and the linux program that removes the password... I am surprised Microsoft wouldn't find a way to prevent these exploits if they claim to have Enterprise level security... though I guess one could argue that physical access controls are always required.
    – BigOmega
    Mar 19 '13 at 17:56






  • 7




    @ioSamurai Resetting the password makes you lose anything stored in secured storage (certificates, etc...), and as you said the 3rd law of computer security "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"
    – Scott Chamberlain
    Apr 29 '13 at 19:15








  • 8




    I just realized... you got that screenshot from Wikipedia, and I uploaded it to Wikipedia like 4 years ago. The circle of (internet) life!
    – nhinkle
    May 23 '13 at 16:57






  • 2




    Worked like a charm, However I was unable to change the password with the net user command. I was able to activate the admin account though and then login through that with this command net user administrator /active:yes
    – Cosco Tech
    Jul 20 '15 at 14:04








  • 1




    For me the system repair disk didn't allow admin password to be changed as it asked for repair disk on USB or floppy not DVD. Using system repair disk or running command-line after system recovery did not allow the replacing of sethc.exe with cmd.exe trick/hack. Using linux system rescue cd (4.8.2) I could not mount the drive - GPT partition - tools ntfs-3g gparted sfdisk should work with GPT but didn't. What eventually DID work was follow system recover sequence (no cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe.
    – gaoithe
    Sep 26 '16 at 12:43
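
After using the sethc.exe swap from the answer above, it is worth confirming that the file really was put back, since a cmd.exe left in its place stays reachable from the logon screen. The following is an added example, not part of the original answer or its comments: it audits a Windows volume mounted in a live Linux session. The function names, the finding labels and the logon-screen binaries other than sethc.exe are assumptions that go beyond the one file the answer mentions, and the sample volume is constructed.

```python
"""Offline audit of a mounted Windows volume for a leftover sethc.exe swap."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Binaries that can be started from the logon screen. The answer only deals
# with sethc.exe (Sticky Keys); the rest are an assumption of this example.
LOGON_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                  "narrator.exe", "displayswitch.exe")
SHELL = "cmd.exe"  # the file the procedure copies over sethc.exe


def find_ci(directory, name):
    """Case-insensitive lookup; NTFS mounted under Linux is case-sensitive."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def sha256(path):
    """Hash a file in chunks so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_volume(root):
    """Return a sorted list of (finding, file name) for the volume at root."""
    root = Path(root)
    system32 = find_ci(find_ci(root, "windows"), "system32")
    if system32 is None:
        raise FileNotFoundError(f"no Windows/System32 directory under {root}")
    shell = find_ci(system32, SHELL)
    shell_hash = sha256(shell) if shell and shell.is_file() else None

    findings = []
    for name in LOGON_BINARIES:
        installed = find_ci(system32, name)
        # Same bytes as cmd.exe: the swap is still in place.
        if (shell_hash and installed and installed.is_file()
                and sha256(installed) == shell_hash):
            findings.append(("replaced_by_cmd", name))
        # The first copy command leaves the original in the drive root.
        backup = find_ci(root, name)
        if backup and backup.is_file():
            findings.append(("backup_in_root", name))
    return sorted(findings)


def build_sample_volume(root, swapped):
    """Constructed stand-in for a mounted volume; file contents are dummies."""
    system32 = Path(root) / "Windows" / "System32"
    system32.mkdir(parents=True)
    cmd_image = b"constructed cmd.exe image"
    sethc_image = b"constructed sethc.exe image"
    (system32 / "cmd.exe").write_bytes(cmd_image)
    (system32 / "utilman.exe").write_bytes(b"constructed utilman.exe image")
    if swapped:
        # State after the two copy commands and before the restore step.
        (Path(root) / "sethc.exe").write_bytes(sethc_image)
        (system32 / "sethc.exe").write_bytes(cmd_image)
    else:
        (system32 / "sethc.exe").write_bytes(sethc_image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_volume(sys.argv[1])  # path of the mounted volume
    else:
        with tempfile.TemporaryDirectory() as sample:
            build_sample_volume(sample, swapped=True)
            results = audit_volume(sample)
    for finding, name in results:
        print(f"{finding}: {name}")
```

An empty result means none of the listed binaries matches cmd.exe and no copy of them was left in the drive root.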



















27














Run an Ophcrack LiveCD to try and crack the password, provided that you have a sufficiently easy alphanumerical password.























  • 1




    I don't think I can upvote or downvote this answer because it seems like a waste of time compared to just blanking the password and setting it when you boot into Windows.
    – Nathan Adams
    Oct 16 '10 at 15:21






  • 17




    @Nathan, keep in mind that resetting the password results in permanently losing access to all encrypted files and data.
    – Harry Johnston
    Sep 7 '11 at 21:21










  • I've had very limited success with Ophcrack. It worked for me once when helping a friend, who had a very simple password (it was just her name followed by a number). With a sufficiently strong password, it doesn't work very well.
    – Charles Burge
    Aug 15 '16 at 21:43





















23














Offline NT Password Editor




Offline NT Password & Registry Editor works basically the same as PC Login Now in that it erases your Windows password instead of recovering it. You can then simply log in to your account without entering a password.




source





































    13














    Grab a copy of unetbootin from here. Install NTpasswd onto a flash drive. By running NTpasswd off the flash drive you'll be able to reset the password on the computer to blank. It's pretty easy to use as well.



































      10














      Use this bootdisk to boot PCs with Windows OSes to blank out the LOCAL user account passwords, ENABLE or DISABLE LOCAL user accounts, etc.



      You can use this if you've forgotten your LOCAL Windows user account password, you've done a factory reimage/reset on your Windows OS and the account has a password you don't know what it is, and things of this sort of nature so you can log into Windows as some account WITHOUT a password just to get in, and then set the password from the Windows Control Panel, etc. to something you do know afterwards.





      THE STEPS IN BRIEF




      1. Download the bootdisk image file


      2. Burn bootdisk image file onto media (e.g. USB or CD) to boot PC from it rather than the hard drive or Windows.


      3. Put the newly burned bootdisk media into the PC, and then instruct the PC to boot from it rather than the internal hard drive with Windows installed.


      4. Follow the instruction from the below section labeled INSTRUCTIONS ONCE BOOTED TO for what options to pick, etc. to enable existing local Windows accounts and/or blank out the password of the accounts and so on.





      General Information



      Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




      Offline Windows Password & Registry Editor, Bootdisk / CD



      I've put together a CD or USB Drive image which contains things needed
      to reset the passwords on most systems.



      The bootdisk should support most of the more usual disk controllers,
      and it should auto-load most of them. Both PS/2 and USB keyboard
      supported.



      More or less tested from NT3.5 up to Windows 8.1, including the server
      versions like 2003, 2008 and 2012. Also 64 bit windows supported.



      DANGER WILL ROBINSON!



      If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be
      UNREADABLE! and cannot be recovered unless you remember the old
      password again
      If you don't know if you have encrypted files or not,
      you most likely don't have them. (except maybe on corporate systems)



      Please see the Frequently Asked
      Questions and the
      version history below before emailing questions to me. Thanks!






      Download Bootdisk



      Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




      Download



      Note: Some links may be offsite.



      CD release, see below on how to use




      • cd140201.zip (~18MB) - Bootable CD image.


      • usb140201.zip (~18MB) - Files for USB install



      Previous release:




      • cd110511.zip (~4MB) - Bootable CD image.


      • usb110511.zip (~4MB) - Files for USB install



      The files inside the USB zip are exactly the same as on the CD. See
      below for instructions on how to make USB disk bootable.



      Floppy release (not updated anymore), see below on how to use them





      • bd080526.zip (~1.4M) - Bootdisk image


      • drivers1-080526.zip
        (~310K) - Disk drivers (mostly PATA/SATA)


      • drivers2-080526.zip
        (~1.2M) - Disk drivers (mostly SCSI)


      Previous versions may sometimes be found here (also my site)



      NOTE: Versions before 0704xx will corrupt the disk on VISTA/win7/8!



      NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.






      HOW TO USE



      Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




      How to use?



      Please read the walkthrough (now a bit outdated, sorry) and the
      FAQ before mailing me questions



      If you have the CD or USB, all drivers are included.



      Overview




      1. Get the machine to boot from the CD or USB drive.

      2. Load drivers (usually automatic, but possible to run manual select)

      3. Disk select, tell which disk contains the Windows system. Optionally
        you will have to load drivers.

      4. PATH select, where on the disk is the system? (now usually
        automatic)

      5. File select, which parts of registry to load, based on what you want
        to do.

      6. Password reset or other registry edit.

      7. Write back to disk (you will be asked)


      DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return
      to accept the default answer.



      The walkthrough and instructions is now on its own page! but is quite old.. hope to make a new one..



      What can go wrong?



      Well. Lots of things, actually. But most of the problems is of the
      type "cannot find" something. And then nothing happens.



      Also, see the FAQ for
      help with common problems.






      INSTRUCTIONS ONCE BOOTED TO



      It may be best to print these instruction and then follow from that printed copy—and print from the version on the web site resource URL perhaps too in case they update something with it since after my post here.



      This is the detail that explains what options to pick once the bootdisk starts booting to find and point to the internal hard drive and pick the current Windows OS objects to blank out the LOCAL user accounts on that Windows OS on the hard drive.



      This part may seem complex or involved at first, but just let the bootdisk boot up and go through the screen until it prompts or waits for you to tell it what to do. Look over these instructions and just pick the appropriate options as instructed—it should make sense so just read it over until you get it.





      Typically though you'll. . .



      a. pick the Windows disk partition on the hard drive the bootdisk
      inspects



      b. from the list of usernames it finds, type the name of the account
      you'll change (e.g. administrator, jsmith, etc.)



      c. from the next list, it'll tell you if the account is disabled, expired, etc. so you know what you'll need change to reset it for specifically to ensure you can sign on with it afterwards when booted back to Windows



      d. on the next screen you'll want to unlock the account, blank the password on the account or set account as local administrator (option 1, 3, and 4).




      • i. you may need to do step "d." one time per action and then pick the username of the account again for the next action if it needs
        more than one action completed (e.g. blank password, unlock account,
        etc.)


      • ii. I'd just steer clear of setting passwords here and just do that through Windows Control Panel once you get signed onto Windows with a blank password as administrator, etc.



      e. be sure you select "Y" to save your changes to and then when the PC reboots, let it reboot to Windows and then sign on with the blank password to the account you changed with the bootdisk.





      If it doesn't work, boot to the bootdisk and do it again, maybe you didn't pick some option so it didn't do what you expected it to. Since you're factory wiping this hard drive anyway, there should not be much danger in losing anything or corrupting anything as then you'd just reimage/factory reset it again.



      Resource: http://pogostick.net/~pnh/ntpasswd/walkthrough.html



      Offline NT Password & Registry Editor, Walkthrough

      2014, NOTE: This is now a bit old, some are the same, some look a bit different..

      The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.

      Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so I cannot help you much. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)

      If it boots, you should see this:

      ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin



      ***************************************************************************
      *                                                                         *
      * Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD      *
      *                                                                         *
      * (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2        *
      *                                                                         *
      * DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!          *
      *             THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE       *
      *             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
      *                                                                         *
      * More info at: http://pogostick.net/~pnh/ntpasswd/                       *
      * Email : pnh@pogostick.net                                               *
      *                                                                         *
      * CD build date: Sun Sep 23 14:15:35 CEST 2007                            *
      ***************************************************************************

      Press enter to boot, or give linux kernel boot options first if needed.
      Some that I have to use once in a while:
      boot nousb - to turn off USB if not used and it causes problems
      boot irqpoll - if some drivers hang with irq problem messages
      boot nodrivers - skip automatic disk driver loading

      boot:

      Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.

      Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.



      Most of the generic linux boot now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.

      ** Will now try to auto-load relevant drivers based on PCI information

      ---- AUTO DISK DRIVER select ----
      --- PROBE FOUND THE FOLLOWING DRIVERS:
      ata_piix
      ata_generic
      mptspi
      --- TRYING TO LOAD THE DRIVERS
      ### Loading ata_piix
      scsi0 : ata_piix
      scsi1 : ata_piix
      ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
      ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
      ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
      ata2.00: configured for UDMA/33
      scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
      sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
      Uniform CD-ROM driver Revision: 3.20

      ### Loading ata_generic

      ### Loading mptspi
      Fusion MPT base driver 3.04.04
      Copyright (c) 1999-2007 LSI Logic Corporation
      Fusion MPT SPI Host driver 3.04.04
      PCI: Found IRQ 9 for device 0000:00:10.0
      mptbase: Initiating ioc0 bringup
      ioc0: 53C1030: Capabilities={Initiator}
      scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
      scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2
      target2:0:0: Beginning Domain Validation
      target2:0:0: Domain Validation skipping write tests
      target2:0:0: Ending Domain Validation
      target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
      sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
      sd 2:0:0:0: [sda] Write Protect is off
      sd 2:0:0:0: [sda] Cache data unavailable
      sd 2:0:0:0: [sda] Assuming drive cache: write through
      sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
      sd 2:0:0:0: [sda] Write Protect is off
      sd 2:0:0:0: [sda] Cache data unavailable
      sd 2:0:0:0: [sda] Assuming drive cache: write through
      sda: sda1
      sd 2:0:0:0: [sda] Attached SCSI disk

      Most of these messages are from the drivers themselves. Some talk a lot, some doesn't. But all give info on the brand and model and size of the disks found, if any.


      -------------------------------------------------------------
      Driver load done, if none loaded, you may try manual instead.
      -------------------------------------------------------------


      ** If no disk show up, you may have to try again (d option) or manual (m).

      You can later load more drivers..



      *************************************************************************
      * Windows Registry Edit Utility Floppy / chntpw                         *
      * (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                    *
      * GNU GPL v2 license, see files on CD                                   *
      *                                                                       *
      * This utility will enable you to change or blank the password of       *
      * any user (incl. administrator) on an Windows NT/2k/XP/Vista           *
      * WITHOUT knowing the old password.                                     *
      * Unlocking locked/disabled accounts also supported.                    *
      *                                                                       *
      * It also has a registry editor, and there is now support for           *
      * adding and deleting keys and values.                                  *
      *                                                                       *
      * Tested on: NT3.51 & NT4: Workstation, Server, PDC.                    *
      *            Win2k Prof & Server to SP4. Cannot change AD.              *
      *            XP Home & Prof: up to SP2                                  *
      *            Win 2003 Server (cannot change AD passwords)               *
      *            Vista 32 and 64 bit                                        *
      *                                                                       *
      * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...       *
      *************************************************************************

      =========================================================
      There are several steps to go through:
      - Disk select with optional loading of disk drivers
      - PATH select, where are the Windows systems files stored
      - File-select, what parts of registry we need
      - Then finally the password change or registry edit itself
      - If changes were made, write them back to disk

      DON'T PANIC! Usually the defaults are OK, just press enter
      all the way through the questions

      =========================================================
      ¤ Step ONE: Select disk where the Windows installation is
      =========================================================

      Disks:
      Disk /dev/sda: 42.9 GB, 42949672960 bytes

      Candidate Windows partitions found:
       1 : /dev/sda1 40958MB BOOT

      Here it has found one disk with one partition

      Please select partition by number or
       q = quit
       d = automatically start disk drivers
       m = manually select disk drivers to load
       f = fetch additional drivers from floppy / usb
       a = show all partitions found
       l = show propbable Windows (NTFS) partitions only
      Select: [1]

      Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu.

      Floppy users may need to do 'f' to load in more drivers from another floppy.

      The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)

      The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)

      Here we only have one partition, so we just press enter to select it.


      Selected 1

      Mounting from /dev/sda1, with filesystem type NTFS

      NTFS volume version 3.1.

      It was an NTFS filesystem, and it mounted successfully.


      =========================================================
      ¤ Step TWO: Select PATH and registry files
      =========================================================
      What is the path to the registry directory? (relative to windows disk)
      [WINDOWS/system32/config] :

      The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation). If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.

      We accept the defaults.. and get a (bit filtered) directory listing showing most of the interesting registry files


      -rw------- 2 0 0   262144 Feb 28  2007 BCD-Template
      -rw------- 2 0 0  6815744 Sep 23 12:33 COMPONENTS
      -rw------- 1 0 0   262144 Sep 23 12:33 DEFAULT
      drwx------ 1 0 0        0 Nov  2  2006 Journal
      drwx------ 1 0 0     8192 Sep 23 12:33 RegBack
      -rw------- 1 0 0   524288 Sep 23 12:33 SAM
      -rw------- 1 0 0   262144 Sep 23 12:33 SECURITY
      -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
      -rw------- 1 0 0  9175040 Sep 23 12:33 SYSTEM
      drwx------ 1 0 0     4096 Nov  2  2006 TxR
      drwx------ 1 0 0     4096 Feb 27  2007 systemprofile

      Select which part of registry to load, use predefined choices
      or list the files with space as delimiter
      1 - Password reset [sam system security]
      2 - RecoveryConsole parameters [software]
      q - quit - return to previous
      [1] :

      Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.

      But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.


      Selected files: sam system security
      Copying sam system security to /tmp

      =========================================================
      ¤ Step THREE: Password or registry edit
      =========================================================
      chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
      Hive name (from header): <SystemRootSystem32ConfigSAM>
      ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
      Page at 0x44000 is not 'hbin', assuming file contains garbage at end
      File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
      Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

      Hive name (from header): <SYSTEM>
      ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
      Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
      File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
      Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

      Hive name (from header): <emRootSystem32ConfigSECURITY>
      ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
      Page at 0x6000 is not 'hbin', assuming file contains garbage at end
      File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
      Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.


      * SAM policy limits:
      Failed logins before lockout is: 0
      Minimum password length        : 0
      Password history count         : 0


      ======== chntpw Main Interactive Menu ========

      Loaded hives:

      1 - Edit user data and passwords
      2 - Syskey status & change
      3 - RecoveryConsole settings
      - - -
      9 - Registry editor, now with full write support!
      q - Quit (you will be asked if there is something to save)


      What to do? [1] ->

      This demo shows selection 1 for password edit, but you can also do other things. Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.

      Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.

      The manual registry editor is always available, it is not the most user-friendly thing, but anyway..

      We continue our quest to change our "admin" users password..


      ===== chntpw Edit User Info & Passwords ====

      | RID -|---------- Username ------------| Admin? |- Lock? --|
      | 03e8 | admin                          | ADMIN  |          |
      | 01f4 | Administrator                  | ADMIN  | dis/lock |
      | 03ec | grumf1                         |        |          |
      | 03ed | grumf2                         |        |          |
      | 03ee | grumf3                         |        |          |
      | 01f5 | Guest                          |        | dis/lock |
      | 03ea | jalla1                         | ADMIN  | *BLANK*  |
      | 03eb | jalla2                         |        | *BLANK*  |
      | 03e9 | petro                          | ADMIN  | *BLANK*  |

      This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users. The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

      The built-in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)

      The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

      We select to edit the "admin" user (this was the user made administrator by the Vista installer)


      Select: ! - quit, . - list users, 0x - User with RID (hex)
      or simply enter the username to change: [Administrator] admin

      RID     : 1000 [03e8]
      Username: admin
      fullname:
      comment :
      homedir :

      User is member of 1 groups:
      00000220 = Administrators (which has 4 members)

      Group 220 is THE BOSS GROUP! :)

      Account bits: 0x0214 =
      [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
      [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
      [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
      [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
      [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

      Failed login count: 0, while max tries is: 0
      Total login count: 3

      Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.

      - - - - User Edit Menu:
       1 - Clear (blank) user password
       2 - Edit (set new) user password (careful with this on XP or Vista)
       3 - Promote user (make user an administrator)
      (4 - Unlock and enable user account) [seems unlocked already]
       q - Quit editing user, back to user select
      Select: [q] > 1
      Password cleared!

      Here we just reset/clear/blank the password. But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.

      Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.


      Select: ! - quit, . - list users, 0x - User with RID (hex)
      or simply enter the username to change: [Administrator] !

      Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD). Then we get back to the main menu, and select to quit..


      ======== chntpw Main Interactive Menu ========

      Loaded hives: <sam> <system> <security>

      1 - Edit user data and passwords
      2 - Syskey status & change
      3 - RecoveryConsole settings
      - - -
      9 - Registry editor, now with full write support!
      q - Quit (you will be asked if there is something to save)


      What to do? [1] -> q

      Hives that have changed:
       # Name
       0 - OK

      =========================================================
      ¤ Step FOUR: Writing back changes
      =========================================================
      About to write file(s) back! Do it? [n] : y

      You must answer y, or the changes will not be saved. This is the last chance to change your mind!

      Writing sam

      Only changed files of the registry are actually written back.

      If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.


      ***** EDIT COMPLETE *****

      You can try again if it somehow failed, or you selected wrong
      New run? [n] : n
      =========================================================

      * end of scripts.. returning to the shell..
      * Press CTRL-ALT-DEL to reboot now (remove floppy first)
      * or do whatever you want from the shell..
      * However, if you mount something, remember to umount before reboot
      * You may also restart the script procedure with 'sh /scripts/main.sh'

      (Please ignore the message about job control, it is not relevant)


      BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash)
      Enter 'help' for a list of built-in commands.

      sh: can't access tty; job control turned off

      And I got about a gazillion questions on this error message, even if it is mentioned in the FAQ
      It is from the shell telling it cannot do "job control" which means it cannot handle CTRL-C etc. It HAS NOTHING TO DO WITH YOUR PASSWORD RESET DID NOT WORK! That is caused by a lot of other things.




































        9














        You can gain command line access (in SYSTEM context) to a Windows computer by changing a couple of registry values. You can then reset passwords, create new accounts, run cracking tools, and so on.



        This is the short version, for advanced users and sysadmins:



        1) Boot to Windows 7 from the installation or repair DVD, or from Windows PE 3 boot media, or from a Windows 7 installation on another HDD. (If the target OS is Vista, use the Vista installation DVD, or Windows PE 2, or another Vista installation. If the target OS is Windows XP, use Windows PE or another Windows XP installation.)



        2) Load the SYSTEM registry hive from the target OS. Back it up first.



        3) In the Setup key, change SetupType to 2 and CmdLine to cmd.exe.



        4) Boot the target OS. You’ll get a command-line window in system context.



        There are more details here including instructions for non-experts on using this technique to reset a password. (Remember that resetting a password will result in the loss of all encrypted files and data.)
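A defender-side check for the change described in steps 2 and 3 above, added here as an example and not part of the original answer: it parses a `reg export` text dump of the Setup key and reports `SetupType` or `CmdLine` values that differ from a baseline. The baseline (`SetupType` 0, empty `CmdLine`), the function names and the sample exports are assumptions constructed for this example.

```python
"""Check a .reg export of the SYSTEM hive's Setup key for a boot-time command."""
import re

# Baseline assumed by this check for an installed system that is not mid-setup.
EXPECTED_SETUP_TYPE = 0
EXPECTED_CMDLINE = ""

# Constructed sample exports (not taken from a real machine).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"CmdLine"=""
"SetupType"=dword:00000000
'''

MODIFIED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"CmdLine"="cmd.exe"
"SetupType"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\ExampleSubkey]
"CmdLine"="ignored, subkeys are not the Setup key itself"
'''


def decode_reg_bytes(data: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; fall back to UTF-8 otherwise."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8", errors="replace")


def parse_reg_export(text: str) -> dict:
    """Parse export text into {key path: {value name: value}} for REG_SZ and REG_DWORD."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not match:
            continue  # header line, hex(...) continuation, or malformed input
        name, data = match.group(1), match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg strings escape backslash and double quote with a backslash.
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def check_setup_key(text: str, key_suffix: str = r"\SYSTEM\Setup") -> list:
    """Return (value name, value) pairs that differ from the baseline.

    key_suffix is matched case-insensitively against the end of the key path;
    pass a different suffix when the hive was loaded offline under another name.
    """
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(key_suffix.lower()):
            continue
        lowered = {name.lower(): value for name, value in values.items()}
        setup_type = lowered.get("setuptype", EXPECTED_SETUP_TYPE)
        cmdline = lowered.get("cmdline", EXPECTED_CMDLINE)
        if setup_type != EXPECTED_SETUP_TYPE:
            findings.append(("SetupType", setup_type))
        if cmdline != EXPECTED_CMDLINE:
            findings.append(("CmdLine", cmdline))
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_EXPORT), ("modified", MODIFIED_EXPORT)):
        print(label, check_setup_key(sample))
```
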





































          8














          You can reset your password using another tool called Hiren's BootCD.



          Download Hiren's Boot from here, unzip it and use BurnCDCC.exe to burn the ISO to a DVD.



          Boot using Hiren's Boot on your locked PC and in the menu shown select Offline NT/2000/XP/Vista/7 Password Changer and click Enter twice (for confirmation and to continue for the list of Linux Kernel Boot).



          In the following prompt select the correct drive where the Windows is installed. Press Enter to confirm that your registry directory is Windows/system32/config.



          On the chntpw Main Interactive Menu select [1] for Edit user data and passwords



          Select the user you want to reset the password by typing the username and hitting Enter



          There you have a list of options for this user. [1] should be for Clear the password.
          After successfully resetting your forgotten Windows password, type “!” to close the User Editor Tool.



          Now type “q” and hit Enter to close the Offline Password Editor and Registry tool.



          Now type “y” and hit Enter to confirm the password change.



          Now it will ask you whether you want to use it again or not. Just type “n” and hit Enter.



          Remove your CD and restart the PC and your user shouldn't have a password anymore.



          Hope this helps you.





























          • Hiren's is considered pirated software as of the date you posted.
            – Moab
            Aug 16 '16 at 21:54



















          7














          Windows Boot Genius - Recovers your lost Windows local administrator/user passwords in Windows 8.1, 8, 7, Vista, XP.



          Password Recovery Bundle - Instantly bypass, unlock or reset lost administrator and other account passwords on any Windows 8, 7, 2008, Vista, XP, 2003, 2000 system, if you forgot Windows password and couldn't log into the computer. It can also reset Windows domain administrator/user password for Windows 2012 / 2008 / 2003 / 2000 Active Directory servers.



          Renee Passnow - Use PassNow which is independent of Windows system: reset login password, clone hard disk, create disk partition or format disk, erase data and fix system startup problems.





























          • None of these are free as of 2016
            – Moab
            Aug 16 '16 at 21:57



















          6














          Adding an answer to cover the method that worked for me (which is not yet fully covered in other answers here). This works for Windows 7; later versions of Windows have this exploit closed.



          I attempted some other procedures listed in other answers without success. What worked for me was the replace sethc.exe (sticky keys) with cmd.exe hack/trick. But I had to do this through using Notepad.exe which is run to view logfiles after system recovery. Other techniques to get in on command-line as admin with drive mounted didn't work so I had to use this Notepad trick.



          Procedure:




          1. Shutdown and reboot. When Windows starting is seen hold down the power button and power off.


          2. Power on. Windows boot should report that last Windows start up failed so it will give the option of "Launch startup repair". Choose this option.


          3. Cancel the Startup Repair. Cancel the System Restore.


          4. A report dialog will show reporting repair could not be done. In there expand "View problem details". Under problem details a link to x:/windows/... log file is shown. Click on this.



          5. Notepad.exe opens showing the logfile. This Notepad is running as Administrator and the mounted filesystem x: is your hard disk.



            5.1 Notepad: File - Open - browse to X:/Windows/system32 - scroll to sethc.exe



            5.2 Right-click on sethc.exe and rename to sethc-BACKUP.exe



            5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right click. Paste.



            5.4. When I pasted cmd.exe the command-line ran (as Administrator) so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on command-line.



            5.4-1 If you prefer not command-line then just use Notepad File Open browser and make a copy of cmd.exe and rename it to sethc.exe



          6. Reboot without any funny stuff.


          7. At login page hit shift key 5 times or more triggering sticky keys. Instead of sticky keys prompt a command-line dialog appears. Running as Administrator. 'net user Administrator *' to set the password.



          Good description with screenshots of the procedure here:
          http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/





          Background: The Administrator password with laptop was not known by owner. They had a user account with admin privs so didn't find the need of it. UNTIL the windows login page stopped showing their user! We are guessing the User profile became corrupt or had something bad in it.



          I attempted a series of procedures before getting the Notepad+sticky keys replace hack to work. For the record here they are (and the problem I encountered with them):




          1. When trying to log in as Administrator after an incorrect password you are prompted to insert rescue disk (in order to reset password). We had a Windows 7 rescue disk on cd. But the prompt asked for floppy or USB. I had no handy USB stick and was too lazy to go shopping and messing with creating USB boot disk.


          2. Using system repair disk to get in on command-line did not allow the replacing of sethc.exe with cmd.exe trick/hack. Or allow resetting admin password 'net use Administrator *'. The command-line was running as admin but not as the real admin on machine more as the system repair admin and the disk did not seem to be mounted with full access . . . ~ not sure ~


          3. Using Linux system rescue cd (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I could kind of see it was a GPT partitioned drive - tools ntfs-3g gparted sfdisk should work with GPT but didn't. This computer has a prompt for username + domain + password before windows starts so not sure but maybe there is some extra security (which is needed to mount drive?)



          What eventually DID work was follow system recover sequence (no external/additional cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe. Then reboot - trigger sticky keys - set password using command-line 'net user Administrator *'.



          In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) It is pretty simple. So it is probably worth trying as one of the first password recovery methods.
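An offline check for the swap this answer describes, added here as an example and not part of the original post: it hashes `sethc.exe` in a mounted `System32` directory, compares it with `cmd.exe`, and flags renamed copies such as `sethc-BACKUP.exe`. The function names and the stand-in files are constructed for the example.

```python
"""Audit a Windows System32 directory (e.g. on a mounted disk) for a swapped sethc.exe."""
import hashlib
import tempfile
from pathlib import Path

# Program started by pressing Shift five times at the logon screen (from the answer).
WATCHED = ("sethc.exe",)
# Command interpreter the answer copies over it.
SHELLS = ("cmd.exe",)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_system32(system32, watched=WATCHED, shells=SHELLS):
    """Return a sorted list of (finding, file name) tuples for one System32 directory."""
    # Windows treats names case-insensitively; a volume mounted elsewhere may not.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {sha256_of(files[s.lower()]) for s in shells if s.lower() in files}
    findings = []
    for name in (w.lower() for w in watched):
        stem = name.rsplit(".", 1)[0]
        if name not in files:
            findings.append(("missing", name))
        elif sha256_of(files[name]) in shell_hashes:
            # Byte-identical to a shell: the logon-screen shortcut now opens a prompt.
            findings.append(("replaced-by-shell", files[name].name))
        # A renamed original (sethc-BACKUP.exe in the answer) shows the file was moved aside.
        for other, path in files.items():
            if other != name and other.startswith(stem) and other.endswith(".exe"):
                findings.append(("renamed-copy", path.name))
    return sorted(findings)


def build_demo_tree(root, tampered):
    """Create a constructed System32 stand-in; contents are placeholders, not real binaries."""
    root = Path(root)
    (root / "cmd.exe").write_bytes(b"MZ constructed shell image")
    if tampered:
        (root / "sethc.exe").write_bytes(b"MZ constructed shell image")
        (root / "sethc-BACKUP.exe").write_bytes(b"MZ constructed sticky keys image")
    else:
        (root / "sethc.exe").write_bytes(b"MZ constructed sticky keys image")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, name in audit_system32(build_demo_tree(tmp, tampered=True)):
            print(f"{finding}: {name}")
```

A `replaced-by-shell` finding on a real volume is restored by putting the original `sethc.exe` back, which the renamed copy makes possible when it is still present.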





























          • The PC I'm using has the sticky keys shortcut disabled. I tried this, and when I got to login, clicked the ease of access centre to launch sticky keys, but just got an error message. Went to system repair to undo my dirty work, and this time was prompted for a password before I could even launch system repair. Seems like I pissed windows off...
            – Some_Guy
            Jun 18 '18 at 2:17



















          5














          Use Kon-Boot to boot into the system bypassing the login. After you login change to your required password.

























          • 5




            please be more precise in your Answer! Explain how to use konboot and how to change the password afterwards!
            – Simon
            Apr 26 '13 at 6:30






          • 1




            Konboot is a simple CD, just boot the disk. It will bypass the Windows password when you normally would be asked for one.
            – Jeff Clayton
            Dec 31 '14 at 22:10










          • To change the password is simple too, just go to the control panel and look for Users and Groups to edit.
            – Jeff Clayton
            Dec 31 '14 at 22:11










          • You can change the password for any user there.
            – Jeff Clayton
            Dec 31 '14 at 22:12










          • Kon Boot is no longer Free........
            – Moab
            Aug 16 '16 at 21:56



















          5














          Some of the answers here are quite complicated for some. The easiest way I know is to use windows password rescuer..



          how to use explanation are all here:
          http://www.daossoft.com/documents/how-to-use-windows-password-rescuer-personal.html



          EDIT: As suggested in the comment here is what you need.




          1. Another computer


          2. Windows Password Rescuer Software


          3. A USB disk or a CD/DVD



          Steps:




          1. Download the tool from the Daosoft website http://www.daossoft.com/products/windows-password-rescuer.html .

          2. Install it on an available computer then run it.

          3. Create a password recovery disk (USB flash drive or a CD/DVD) using the tool..


            • choose between the media types depending on what you have (USB flash drive or a CD/DVD).. choose which drive it is on then on the step 2 click on begin burning..

            • when it is done remove the USB flash drive or the CD/DVD used



          4. Now on the computer to be repaired boot it to CD/DVD or USB disk depending on the recovery disk made.

          5. Restart your computer.. recovery disk should already be inserted.

          6. It should boot through your recovery disk


            • on the ui choose the windows which is affected.

            • next choose the account you want to reset

            • then click on reset password, a prompt will appear asking you for confirmation on resetting that account's password - click on yes

            • on the table the account chosen should have the word blank on password



          7. Click on reboot. There will be a confirmation window telling you can eject the recovery disk.. eject it then click yes.


          You should have no problems logging in your account now.

























          • 2




            Your answer looks simple because you don't tell the details on how to rescue the password using the tool. Should the link you provided break in the future your answer would be worthless.
            – zagrimsan
            Sep 13 '16 at 7:01



















          3














          One more tip. For Windows 8 and Windows 10, the preferred login method is with a Microsoft account. So you can reset the password and use the new one for login.



          Microsoft account password reset page: https://account.live.com/password/reset



          For local windows account, you can reset the password by following this tutorial.





































            3














            Reset Admin-Password Windows 8.1, November 2016





            I'd prefer to answer to this question, because it is about Windows 8.1 and not 7, but it has been closed unwisely.



            To avoid any misunderstanding: I needed to recover a Win 8.1 admin-pw.



            If you try this answer: https://superuser.com/a/952224/82741 , and its Option 1, you'll find, that the trick no longer works.



            The last step, when @td512 suggests to use net user ..., it did not work in my case. Instead, I found that I can have a GUI from Windows to change the PW: type control userpasswords2, which made it appear, instead of net user ....





































              1














              I had this problem in the past but I found a way to break the password. You just download this and read the README.txt file; you will get all the easy steps with which you can break your password. Still, I am writing the steps for you:



              STEPS:



              step 1 : download the file from here



              step 2: copy all downloaded files to your removable disk (pen drive)



              step 3 :open a command prompt write this line: h:syslinux.exe -ma h: (replace "h" with your removable drive like i,j,G)



              step 4:insert a pen drive in your targeted PC and boot this pen drive(legacy must be ON).



              step 5: press Enter throughout all the steps until you get an instruction like clear password.



              step 6: after getting this step, clear the password. Complete this step and restart your system; now it will not ask for a password and the computer will start.




























                protected by Jeff Atwood Jun 7 '10 at 6:51

















                15 Answers









                145















                1. If you have an Ubuntu live CD you can reset it using chntpw application

                2. You can use Bart's PE + Password Renew to reset the password

                3. You can use Offline NT Password Editor to reset the password.


                Detailed instructions on using any of the 3 are available over here.





























                • This answer should have gotten a check. If it didn't, it means you were looking for recovery, not reset. That takes WAY longer and involves rainbow tables or lophtcrack with syskey and registry dumps... way beyond the scope of a superuser question, but I gave you a starting point for some Google queries
                  – RobotHumans
                  Oct 20 '10 at 3:04






                • 18




                  To expand on aking1012's comment, users should keep in mind that resetting a Windows password results in the permanent loss of all encrypted files and data. Most of the time this isn't a big deal, but it can be.
                  – Harry Johnston
                  Sep 7 '11 at 21:22










                • @HarryJohnston The password can be reset without losing access to encrypted data (files, certificates, etc.) by using a pass-the-hash technique. See description here. I couldn't find a ready made tool to do it right now, so I'm just writing a comment.
                  – David Balažic
                  Apr 4 '15 at 15:56










                • @DavidBalažic: that appears to be AD only, so not applicable to most home users.
                  – Harry Johnston
                  Apr 5 '15 at 2:27
















                edited Nov 1 '11 at 11:13

























                answered Nov 18 '09 at 18:46









                Sathyajith Bhat

                52.6k29154252











                53














                If you can find a Microsoft ERD 6.5 or 7.0 boot disk, it can reset the Windows 7 password. It has to match the bit version to work, 32 or 64-bit Windows 7.



                ERD (Emergency Repair Disc) boot disk is part of the DaRT (Diagnostic and Recovery Toolset), which is part of MDOP (Microsoft Desktop Optimization Pack). These are not available to the public, but they can be found.



                ERD comes in five versions currently:




                • 5.0 for XP

                • 6.0 for Vista

                • 6.5 or 7.0 for Windows 7

                • 8.0 for Windows 8, 8.1

                • 10.0 for Windows 10


                MSDaRT



                There is an alternative method for Windows 7; all you need is either a Windows 7 install disk, System Repair Disk or WinRE partition on the hard drive.



                Use F8 or boot from the disc. Once RE loads, choose "Repair your Computer", then load Command Prompt and run these two commands. The second command you will get a prompt to overwrite; say "yes".



                copy c:\windows\system32\sethc.exe c:\

                copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe


                Restart the PC. When you reach the Login screen, hit the Shift key five times. A command window will open. Type the following:



                net user  (type the name of the account)  (type any password)


                and hit the Enter key, and when prompted to overwrite, type "Yes", and hit the Enter key again, and close the command window, and log on with the new password you just created.



                After that you might want to put the original sticky key file back in its place, so go ahead and boot your PC with the repair CD or USB that you used earlier, and in the command prompt window type the following:



                copy c:\sethc.exe c:\windows\system32\sethc.exe


                press Enter, then when prompted to Overwrite, type "Yes" and hit the Enter key again, then close the window, and restart the PC.



                Or if you prefer a 3rd party password cracker, here is a good one
                "tested from NT3.5 up to Windows 8.1, including the server versions like 2003, 2008 and 2012. Also 64 bit windows supported."

























                • 1




                  Between this and the Linux program that removes the password... I am surprised Microsoft wouldn't find a way to prevent these exploits if they claim to have Enterprise level security... though I guess one could argue that physical access controls are always required.
                  – BigOmega
                  Mar 19 '13 at 17:56






                • 7




                  @ioSamurai Resetting the password makes you lose anything stored in secured storage (certificates, etc.), and as you said, the 3rd law of computer security: "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"
                  – Scott Chamberlain
                  Apr 29 '13 at 19:15








                • 8




                  I just realized... you got that screenshot from Wikipedia, and I uploaded it to Wikipedia like 4 years ago. The circle of (internet) life!
                  – nhinkle
                  May 23 '13 at 16:57






                • 2




                  Worked like a charm. However, I was unable to change the password with the net user command. I was able to activate the admin account though, and then log in through that with this command: net user administrator /active:yes
                  – Cosco Tech
                  Jul 20 '15 at 14:04








                • 1




                  For me the system repair disk didn't allow admin password to be changed as it asked for repair disk on USB or floppy not DVD. Using system repair disk or running command-line after system recovery did not allow the replacing of sethc.exe with cmd.exe trick/hack. Using Linux system rescue cd (4.8.2) I could not mount the drive - GPT partition - tools ntfs-3g gparted sfdisk should work with GPT but didn't. What eventually DID work was follow system recover sequence (no cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe.
                  – gaoithe
                  Sep 26 '16 at 12:43
















                edited Dec 22 '16 at 8:41
                Scott

                answered Feb 19 '11 at 21:56
                Moab
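To confirm that the restore step in the answer above actually took effect (until it does, five presses of Shift at the logon screen still open a command prompt), the following added example, which is not part of the original answer, compares file hashes on the Windows volume. The function names and state labels are hypothetical, and the sample files are constructed stand-ins, not real Windows binaries.

```python
import hashlib
import os
import tempfile


def resolve_ci(root, *parts):
    """Resolve root/parts ignoring case.

    An NTFS volume mounted from a Linux rescue disk is case-sensitive,
    so "windows/system32" may really be "Windows/System32".
    """
    path = root
    for part in parts:
        try:
            entries = os.listdir(path)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def sha256_of(path):
    """Hash a file in chunks so it is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sethc(volume_root):
    """Classify the state of System32/sethc.exe on a Windows volume.

    Returns one of:
      "missing"              sethc.exe or cmd.exe was not found
      "replaced_with_cmd"    sethc.exe is byte-identical to cmd.exe
      "no_backup"            not cmd.exe, but no backup in the volume root
      "matches_backup"       sethc.exe equals the backup saved in the root
      "differs_from_backup"  neither cmd.exe nor the saved backup
    """
    sethc = resolve_ci(volume_root, "windows", "system32", "sethc.exe")
    cmd = resolve_ci(volume_root, "windows", "system32", "cmd.exe")
    if sethc is None or cmd is None:
        return "missing"
    sethc_hash = sha256_of(sethc)
    if sethc_hash == sha256_of(cmd):
        return "replaced_with_cmd"
    # The answer saves the original file to the root of the volume.
    backup = resolve_ci(volume_root, "sethc.exe")
    if backup is None:
        return "no_backup"
    if sethc_hash == sha256_of(backup):
        return "matches_backup"
    return "differs_from_backup"


def build_sample_volume(root, swapped):
    """Create a constructed directory tree that mimics the relevant paths."""
    system32 = os.path.join(root, "Windows", "System32")
    os.makedirs(system32)
    cmd_bytes = b"MZ constructed stand-in for cmd.exe"
    sethc_bytes = b"MZ constructed stand-in for sethc.exe"
    files = {
        os.path.join(system32, "cmd.exe"): cmd_bytes,
        os.path.join(system32, "sethc.exe"): cmd_bytes if swapped else sethc_bytes,
        os.path.join(root, "sethc.exe"): sethc_bytes,  # backup from step one
    }
    for path, data in files.items():
        with open(path, "wb") as handle:
            handle.write(data)
    return root


if __name__ == "__main__":
    for swapped in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            root = build_sample_volume(tmp, swapped)
            print("swapped =", swapped, "->", check_sethc(root))
```

Pass the root of the Windows volume as `volume_root`, whether that is the running system's drive or a volume mounted from rescue media.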









                27














                Run an Ophcrack LiveCD to try and crack the password, provided that you have a sufficiently easy alphanumerical password.























                • 1




                  I don't think I can upvote or downvote this answer because it seems like a waste of time compared to just blanking the password and setting it when you boot into Windows.
                  – Nathan Adams
                  Oct 16 '10 at 15:21






                • 17




                  @Nathan, keep in mind that resetting the password results in permanently losing access to all encrypted files and data.
                  – Harry Johnston
                  Sep 7 '11 at 21:21










                • I've had very limited success with Ophcrack. It worked for me once when helping a friend, who had a very simple password (it was just her name followed by a number). With a sufficiently strong password, it doesn't work very well.
                  – Charles Burge
                  Aug 15 '16 at 21:43


















                answered Oct 15 '10 at 18:16
                brandon927









                23














                Offline NT Password Editor




                Offline NT Password & Registry Editor works basically the same as PC Login Now in that it erases your Windows password instead of recovering it. You can then simply log in to your account without entering a password.




                source






                    edited Oct 16 '10 at 13:40









                    Sathyajith Bhat











                    answered Nov 18 '09 at 17:47









                    joe
























                        13














                        Grab a copy of unetbootin from here. Install NTpasswd onto a flash drive. By running NTpasswd off the flash drive you'll be able to reset the password on the computer to blank. It's pretty easy to use as well.
















                            answered Oct 15 '10 at 17:49









                            Kravlin
























                                10














                                Use this bootdisk to boot PCs with Windows OSes to blank out the LOCAL user account passwords, ENABLE or DISABLE LOCAL user accounts, etc.



                                You can use this if you've forgotten your LOCAL Windows user account password, or you've done a factory reimage/reset on your Windows OS and the account has a password you don't know, and things of this nature, so you can log into Windows as some account WITHOUT a password just to get in, and then set the password from the Windows Control Panel, etc. to something you do know afterwards.





                                THE STEPS IN BRIEF




                                1. Download the bootdisk image file


                                2. Burn bootdisk image file onto media (e.g. USB or CD) to boot PC from it rather than the hard drive or Windows.


                                3. Put the newly burned bootdisk media into the PC, and then instruct the PC to boot from it rather than the internal hard drive with Windows installed.


                                4. Follow the instructions from the section below labeled INSTRUCTIONS ONCE BOOTED TO for what options to pick, etc. to enable existing local Windows accounts and/or blank out the password of the accounts and so on.





                                General Information



                                Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                Offline Windows Password & Registry Editor, Bootdisk / CD



                                I've put together a CD or USB Drive image which contains things needed
                                to reset the passwords on most systems.



                                The bootdisk should support most of the more usual disk controllers,
                                and it should auto-load most of them. Both PS/2 and USB keyboard
                                supported.



                                More or less tested from NT3.5 up to Windows 8.1, including the server
                                versions like 2003, 2008 and 2012. Also 64 bit windows supported.



                                DANGER WILL ROBINSON!



                                If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be
                                UNREADABLE! and cannot be recovered unless you remember the old
                                password again.
                                If you don't know if you have encrypted files or not,
                                you most likely don't have them. (except maybe on corporate systems)



                                Please see the Frequently Asked
                                Questions and the
                                version history below before emailing questions to me. Thanks!






                                Download Bootdisk



                                Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                Download



                                Note: Some links may be offsite.



                                CD release, see below on how to use




                                • cd140201.zip (~18MB) - Bootable CD image.


                                • usb140201.zip (~18MB) - Files for USB install



                                Previous release:




                                • cd110511.zip (~4MB) - Bootable CD image.


                                • usb110511.zip (~4MB) - Files for USB install



                                The files inside the USB zip are exactly the same as on the CD. See
                                below for instructions on how to make USB disk bootable.



                                Floppy release (not updated anymore), see below on how to use them





                                • bd080526.zip (~1.4M) - Bootdisk image


                                • drivers1-080526.zip (~310K) - Disk drivers (mostly PATA/SATA)


                                • drivers2-080526.zip (~1.2M) - Disk drivers (mostly SCSI)


                                Previous versions may sometimes be found here (also my site)



                                NOTE: Versions before 0704xx will corrupt the disk on VISTA/win7/8!



                                NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.






                                HOW TO USE



                                Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                How to use?



                                Please read the walkthrough (now a bit outdated, sorry) and the
                                FAQ before mailing me questions.



                                If you have the CD or USB, all drivers are included.



                                Overview




                                1. Get the machine to boot from the CD or USB drive.

                                2. Load drivers (usually automatic, but possible to run manual select)

                                3. Disk select, tell which disk contains the Windows system. Optionally
                                  you will have to load drivers.

                                4. PATH select, where on the disk is the system? (now usually
                                  automatic)

                                5. File select, which parts of registry to load, based on what you want
                                  to do.

                                6. Password reset or other registry edit.

                                7. Write back to disk (you will be asked)


                                DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return
                                to accept the default answer.



                                The walkthrough and instructions is now on its own page! but is quite old.. hope to make a new one..



                                What can go wrong?



                                Well. Lots of things, actually. But most of the problems are of the
                                type "cannot find" something. And then nothing happens.



                                Also, see the FAQ for
                                help with common problems.






                                INSTRUCTIONS ONCE BOOTED TO



                                It may be best to print these instructions and then follow from that printed copy—and print from the version on the web site resource URL perhaps too in case they update something with it since after my post here.



                                This is the detail that explains what options to pick once the bootdisk starts booting to find and point to the internal hard drive and pick the current Windows OS objects to blank out the LOCAL user accounts on that Windows OS on the hard drive.



                                This part may seem complex or involved at first, but just let the bootdisk boot up and go through the screen until it prompts or waits for you to tell it what to do. Look over these instructions and just pick the appropriate options as instructed—it should make sense so just read it over until you get it.





                                Typically though you'll. . .



                                a. pick the Windows disk partition on the hard drive the bootdisk
                                inspects



                                b. from the list of usernames it finds, type the name of the account
                                you'll change (e.g. administrator, jsmith, etc.)



                                c. from the next list, it'll tell you if the account is disabled, expired, etc. so you know what you'll need to change to reset it for specifically to ensure you can sign on with it afterwards when booted back to Windows



                                d. on the next screen you'll want to unlock the account, blank the password on the account or set account as local administrator (option 1, 3, and 4).




                                • i. you may need to do step "d." one time per action and then pick the username of the account again for the next action if it needs
                                  more than one action completed (e.g. blank password, unlock account,
                                  etc.)


                                • ii. I'd just steer clear of setting passwords here and just do that through Windows Control Panel once you get signed onto Windows with a blank password as administrator, etc.



                                e. be sure you select "Y" to save your changes, and then when the PC reboots, let it reboot to Windows and then sign on with the blank password to the account you changed with the bootdisk.





                                If it doesn't work, boot to the bootdisk and do it again, maybe you didn't pick some option so it didn't do what you expected it to. Since you're factory wiping this hard drive anyway, there should not be much danger in losing anything or corrupting anything as then you'd just reimage/factory reset it again.



                                Resource: http://pogostick.net/~pnh/ntpasswd/walkthrough.html



                                Offline NT Password & Registry Editor, Walkthrough

                                2014, NOTE: This is now a bit old, some are the same, some look a bit different..

                                The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.

                                Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so I cannot help you much. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)

                                If it boots, you should see this:

                                ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin

                                ***************************************************************************
                                *                                                                         *
                                *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
                                *                                                                         *
                                *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
                                *                                                                         *
                                *  DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!         *
                                *              THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE      *
                                *              CAUSED BY THE (MIS)USE OF THIS SOFTWARE                    *
                                *                                                                         *
                                *  More info at: http://pogostick.net/~pnh/ntpasswd/                      *
                                *  Email : pnh@pogostick.net                                              *
                                *                                                                         *
                                *  CD build date: Sun Sep 23 14:15:35 CEST 2007                           *
                                ***************************************************************************

                                Press enter to boot, or give linux kernel boot options first if needed.
                                Some that I have to use once in a while:
                                boot nousb     - to turn off USB if not used and it causes problems
                                boot irqpoll   - if some drivers hang with irq problem messages
                                boot nodrivers - skip automatic disk driver loading

                                boot:

                                Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.

                                Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.


                                Loading vmlinuz..................
                                Loading scsi.cgz.........................
                                Loading initrd.cgz..........
                                Ready.
                                Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
                                BIOS-provided physical RAM map:
                                 BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
                                 BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
                                 BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
                                 BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
                                 BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
                                 BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
                                 BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
                                 BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
                                 BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
                                 BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
                                 BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
                                792MB LOWMEM available.
                                Zone PFN ranges:
                                  DMA 0 -> 4096
                                  Normal 4096 -> 202752
                                early_node_map[1] active PFN ranges

                                ...

                                Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
                                serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
                                Floppy drive(s): fd0 is 1.44M
                                FDC 0 is a post-1991 82077
                                RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
                                USB Universal Host Controller Interface driver v3.0
                                Initializing USB Mass Storage driver...
                                usbcore: registered new interface driver usb-storage
                                USB Mass Storage support registered.
                                serio: i8042 KBD port at 0x60,0x64 irq 1
                                serio: i8042 AUX port at 0x60,0x64 irq 12
                                usbcore: registered new interface driver usbhid
                                drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
                                Using IPI Shortcut mode
                                BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
                                Freeing unused kernel memory: 144k freed
                                Booting ntpasswd
                                Mounting: proc sys
                                Ramdisk setup complete, stage separation..
                                In stage 2
                                Spawning shells on console 2 - 6
                                Initialization complete!

                                ** Preparing driver modules to dir /lib/modules/2.6.22.6
                                input: AT Translated Set 2 keyboard as /class/input/input0

                                Most of the generic linux boot now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.

                                ** Will now try to auto-load relevant drivers based on PCI information

                                ---- AUTO DISK DRIVER select ----
                                --- PROBE FOUND THE FOLLOWING DRIVERS:
                                ata_piix ata_generic mptspi
                                --- TRYING TO LOAD THE DRIVERS
                                ### Loading ata_piix
                                scsi0 : ata_piix
                                scsi1 : ata_piix
                                ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
                                ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
                                ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
                                ata2.00: configured for UDMA/33
                                scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
                                sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
                                Uniform CD-ROM driver Revision: 3.20

                                ### Loading ata_generic

                                ### Loading mptspi
                                Fusion MPT base driver 3.04.04
                                Copyright (c) 1999-2007 LSI Logic Corporation
                                Fusion MPT SPI Host driver 3.04.04
                                PCI: Found IRQ 9 for device 0000:00:10.0
                                mptbase: Initiating ioc0 bringup
                                ioc0: 53C1030: Capabilities={Initiator}
                                scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
                                scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2
                                target2:0:0: Beginning Domain Validation
                                target2:0:0: Domain Validation skipping write tests
                                target2:0:0: Ending Domain Validation
                                target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
                                sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                sd 2:0:0:0: [sda] Write Protect is off
                                sd 2:0:0:0: [sda] Cache data unavailable
                                sd 2:0:0:0: [sda] Assuming drive cache: write through
                                sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                sd 2:0:0:0: [sda] Write Protect is off
                                sd 2:0:0:0: [sda] Cache data unavailable
                                sd 2:0:0:0: [sda] Assuming drive cache: write through
                                sda: sda1
                                sd 2:0:0:0: [sda] Attached SCSI disk

                                Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand and model and size of the disks found, if any.


                                -------------------------------------------------------------
                                Driver load done, if none loaded, you may try manual instead.
                                -------------------------------------------------------------


                                ** If no disk show up, you may have to try again (d option) or manual (m).

                                You can later load more drivers..



                                *************************************************************************
                                *  Windows Registry Edit Utility Floppy / chntpw                        *
                                *  (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                   *
                                *  GNU GPL v2 license, see files on CD                                  *
                                *                                                                       *
                                *  This utility will enable you to change or blank the password of      *
                                *  any user (incl. administrator) on an Windows NT/2k/XP/Vista          *
                                *  WITHOUT knowing the old password.                                    *
                                *  Unlocking locked/disabled accounts also supported.                   *
                                *                                                                       *
                                *  It also has a registry editor, and there is now support for          *
                                *  adding and deleting keys and values.                                 *
                                *                                                                       *
                                *  Tested on: NT3.51 & NT4: Workstation, Server, PDC.                   *
                                *             Win2k Prof & Server to SP4. Cannot change AD.             *
                                *             XP Home & Prof: up to SP2                                 *
                                *             Win 2003 Server (cannot change AD passwords)              *
                                *             Vista 32 and 64 bit                                       *
                                *                                                                       *
                                *  HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...      *
                                *************************************************************************

                                =========================================================
                                There are several steps to go through:
                                - Disk select with optional loading of disk drivers
                                - PATH select, where are the Windows systems files stored
                                - File-select, what parts of registry we need
                                - Then finally the password change or registry edit itself
                                - If changes were made, write them back to disk

                                DON'T PANIC! Usually the defaults are OK, just press enter
                                all the way through the questions

                                =========================================================
                                ¤ Step ONE: Select disk where the Windows installation is
                                =========================================================

                                Disks:
                                Disk /dev/sda: 42.9 GB, 42949672960 bytes

                                Candidate Windows partitions found:
                                 1 : /dev/sda1 40958MB BOOT

                                Here it has found one disk with one partition

                                Please select partition by number or
                                 q = quit
                                 d = automatically start disk drivers
                                 m = manually select disk drivers to load
                                 f = fetch additional drivers from floppy / usb
                                 a = show all partitions found
                                 l = show propbable Windows (NTFS) partitions only
                                Select: [1]

                                Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu.

                                Floppy users may need to do 'f' to load in more drivers from another floppy.

                                The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)

                                The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)

                                Here we only have one partition, so we just press enter to select it.


                                Selected 1

                                Mounting from /dev/sda1, with filesystem type NTFS

                                NTFS volume version 3.1.

                                It was an NTFS filesystem, and it mounted successfully.


                                =========================================================
                                ¤ Step TWO: Select PATH and registry files
                                =========================================================
                                What is the path to the registry directory? (relative to windows disk)
                                [WINDOWS/system32/config] :

                                The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation). If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.

                                We accept the defaults.. and get a (bit filtered) directory listing showing most of the interesting registry files


                                -rw------- 2 0 0   262144 Feb 28 2007 BCD-Template
                                -rw------- 2 0 0  6815744 Sep 23 12:33 COMPONENTS
                                -rw------- 1 0 0   262144 Sep 23 12:33 DEFAULT
                                drwx------ 1 0 0        0 Nov 2 2006 Journal
                                drwx------ 1 0 0     8192 Sep 23 12:33 RegBack
                                -rw------- 1 0 0   524288 Sep 23 12:33 SAM
                                -rw------- 1 0 0   262144 Sep 23 12:33 SECURITY
                                -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
                                -rw------- 1 0 0  9175040 Sep 23 12:33 SYSTEM
                                drwx------ 1 0 0     4096 Nov 2 2006 TxR
                                drwx------ 1 0 0     4096 Feb 27 2007 systemprofile

                                Select which part of registry to load, use predefined choices
                                or list the files with space as delimiter
                                1 - Password reset [sam system security]
                                2 - RecoveryConsole parameters [software]
                                q - quit - return to previous
                                [1] :

                                Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.

                                But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.


                                Selected files: sam system security
                                Copying sam system security to /tmp

                                =========================================================
                                ¤ Step THREE: Password or registry edit
                                =========================================================
                                chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
                                Hive name (from header): <\SystemRoot\System32\Config\SAM>
                                ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                Page at 0x44000 is not 'hbin', assuming file contains garbage at end
                                File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
                                Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

                                Hive name (from header): <SYSTEM>
                                ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
                                Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
                                File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
                                Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

                                Hive name (from header): <emRoot\System32\Config\SECURITY>
                                ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                Page at 0x6000 is not 'hbin', assuming file contains garbage at end
                                File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
                                Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.


                                * SAM policy limits:
                                Failed logins before lockout is: 0
                                Minimum password length        : 0
                                Password history count         : 0


                                ======== chntpw Main Interactive Menu ========

                                Loaded hives:

                                1 - Edit user data and passwords
                                2 - Syskey status & change
                                3 - RecoveryConsole settings
                                - - -
                                9 - Registry editor, now with full write support!
                                q - Quit (you will be asked if there is something to save)


                                What to do? [1] ->

                                This demo shows selection 1 for password edit, but you can also do other things. Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.

                                Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.

                                The manual registry editor is always available, it is not the most user-friendly thing, but anyway..

                                We continue our quest to change our "admin" user's password..


                                ===== chntpw Edit User Info & Passwords ====

                                | RID -|---------- Username ------------| Admin? |- Lock? --|
                                | 03e8 | admin                          | ADMIN  |          |
                                | 01f4 | Administrator                  | ADMIN  | dis/lock |
                                | 03ec | grumf1                         |        |          |
                                | 03ed | grumf2                         |        |          |
                                | 03ee | grumf3                         |        |          |
                                | 01f5 | Guest                          |        | dis/lock |
                                | 03ea | jalla1                         | ADMIN  | *BLANK*  |
                                | 03eb | jalla2                         |        | *BLANK*  |
                                | 03e9 | petro                          | ADMIN  | *BLANK*  |

                                This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users. The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

                                The built in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)

                                The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

                                We select to edit the "admin" user (this was the user made administrator by the Vista installer)


                                Select: ! - quit, . - list users, 0x - User with RID (hex)
                                or simply enter the username to change: [Administrator] admin

                                RID     : 1000 [03e8]
                                Username: admin
                                fullname:
                                comment :
                                homedir :

                                User is member of 1 groups:
                                00000220 = Administrators (which has 4 members)

                                Group 220 is THE BOSS GROUP! :)

                                Account bits: 0x0214 =
                                [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
                                [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
                                [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
                                [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
                                [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

                                Failed login count: 0, while max tries is: 0
                                Total login count: 3

                                Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.

                                - - - - User Edit Menu:
                                 1 - Clear (blank) user password
                                 2 - Edit (set new) user password (careful with this on XP or Vista)
                                 3 - Promote user (make user an administrator)
                                (4 - Unlock and enable user account) [seems unlocked already]
                                 q - Quit editing user, back to user select
                                Select: [q] > 1
                                Password cleared!

                                Here we just reset/clear/blank the password. But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.

                                Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.


                                Select: ! - quit, . - list users, 0x - User with RID (hex)
                                or simply enter the username to change: [Administrator] !

                                Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD) Then we get back to the main menu, and select to quit..


                                ======== chntpw Main Interactive Menu ========

                                Loaded hives: <sam> <system> <security>

                                1 - Edit user data and passwords
                                2 - Syskey status & change
                                3 - RecoveryConsole settings
                                - - -
                                9 - Registry editor, now with full write support!
                                q - Quit (you will be asked if there is something to save)


                                What to do? [1] -> q

                                Hives that have changed: # Name 0 - OK

                                ========================================================= ¤ Step FOUR: Writing back changes
                                ========================================================= About to write file(s) back! Do it? [n] : y

                                You must answer y, or the changes will not be saved. This is the last chance to change your mind!

                                Writing sam

                                Only changed files of the registry are actually written back.

                                If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.


                                ***** EDIT COMPLETE *****

                                You can try again if it somehow failed, or you selected wrong New run? [n] : n
                                =========================================================

                                * end of scripts.. returning to the shell.. * Press CTRL-ALT-DEL to reboot now (remove floppy first) * or do whatever you want from the shell.. * However, if you mount something, remember to umount before reboot * You may also restart the script procedure with 'sh /scripts/main.sh'

                                (Please ignore the message about job control, it is not relevant)


                                BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands.

                                sh: can't access tty; job control turned off And I got about a gazillion questions on this error message, even if it is mentioned in the FAQ It is from the shell telling it cannot do "job control" which means it cannot handle CTRL-C etc. It HAS NOTHING TO DO WITH YOUR PASSWORD RESET DID NOT WORK! That is caused by a lot of other things.





                                share|improve this answer




























                                  10














                                  Use this bootdisk to boot PCs with Windows OSes to blank out the LOCAL user account passwords, ENABLE or DISABLE LOCAL user accounts, etc.



                                  You can use this if you've forgotten your LOCAL Windows user account password, you've done a factory reimage/reset on your Windows OS and the account has a password you don't know what it is, and things of this sort of nature so you can log into Windows as some account WITHOUT a password just to get in, and then set the password from the Windows Control Panel, etc. to something you do know afterwards.





                                  THE STEPS IN BRIEF




                                  1. Download the bootdisk image file


                                  2. Burn bootdisk image file onto media (e.g. USB or CD) to boot PC from it rather than the hard drive or Windows.


                                  3. Put the newly burned bootdisk media into the PC, and then instruct the PC to boot from it rather than the internal hard drive with Windows installed.


                                  4. Follow the instructions in the section below labeled INSTRUCTIONS ONCE BOOTED TO for what options to pick, etc. to enable existing local Windows accounts and/or blank out the password of the accounts and so on.





                                  General Information



                                  Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                  Offline Windows Password & Registry Editor, Bootdisk / CD



                                  I've put together a CD or USB Drive image which contains things needed
                                  to reset the passwords on most systems.



                                  The bootdisk should support most of the more usual disk controllers,
                                  and it should auto-load most of them. Both PS/2 and USB keyboard
                                  supported.



                                  More or less tested from NT3.5 up to Windows 8.1, including the server
                                  versions like 2003, 2008 and 2012. Also 64 bit windows supported.



                                  DANGER WILL ROBINSON!



                                  If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again. If you don't know if you have encrypted files or not, you most likely don't have them. (except maybe on corporate systems)



                                  Please see the Frequently Asked
                                  Questions and the
                                  version history below before emailing questions to me. Thanks!






                                  Download Bootdisk



                                  Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                  Download



                                  Note: Some links may be offsite.



                                  CD release, see below on how to use




                                  • cd140201.zip (~18MB) - Bootable CD image.


                                  • usb140201.zip (~18MB) - Files for USB install



                                  Previous release:




                                  • cd110511.zip (~4MB) - Bootable CD image.


                                  • usb110511.zip (~4MB) - Files for USB install



                                  The files inside the USB zip are exactly the same as on the CD. See
                                  below for instructions on how to make USB disk bootable.



                                  Floppy release (not updated anymore), see below on how to use them





                                  • bd080526.zip (~1.4M) - Bootdisk image


                                  • drivers1-080526.zip
                                    (~310K) - Disk drivers (mostly PATA/SATA)


                                  • drivers2-080526.zip
                                    (~1.2M) - Disk drivers (mostly SCSI)


                                  Previous versions may sometimes be found here (also my site)



                                  NOTE: Versions before 0704xx will corrupt the disk on VISTA/win7/8!



                                  NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.






                                  HOW TO USE



                                  Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                  How to use?



                                  Please read the walkthrough (now a bit outdated, sorry) and the
                                  FAQ before mailing me questions



                                  If you have the CD or USB, all drivers are included.



                                  Overview




                                  1. Get the machine to boot from the CD or USB drive.

                                  2. Load drivers (usually automatic, but possible to run manual select)

                                  3. Disk select, tell which disk contains the Windows system. Optionally
                                    you will have to load drivers.

                                  4. PATH select, where on the disk is the system? (now usually
                                    automatic)

                                  5. File select, which parts of registry to load, based on what you want
                                    to do.

                                  6. Password reset or other registry edit.

                                  7. Write back to disk (you will be asked)


                                  DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return
                                  to accept the default answer.



                                  The walkthrough and instructions are now on their own page! but are quite old.. hope to make a new one..



                                  What can go wrong?



                                  Well. Lots of things, actually. But most of the problems are of the
                                  type "cannot find" something. And then nothing happens.



                                  Also, see the FAQ for
                                  help with common problems.






                                  INSTRUCTIONS ONCE BOOTED TO



                                  It may be best to print these instructions and then follow from that printed copy—and print from the version on the web site resource URL perhaps too in case they update something with it since after my post here.



                                  This is the detail that explains what options to pick once the bootdisk starts booting to find and point to the internal hard drive and pick the current Windows OS objects to blank out the LOCAL user accounts on that Windows OS on the hard drive.



                                  This part may seem complex or involved at first, but just let the bootdisk boot up and go through the screen until it prompts or waits for you to tell it what to do. Look over these instructions and just pick the appropriate options as instructed—it should make sense so just read it over until you get it.





                                  Typically though you'll. . .



                                  a. pick the Windows disk partition on the hard drive the bootdisk
                                  inspects



                                  b. from the list of usernames it finds, type the name of the account
                                  you'll change (e.g. administrator, jsmith, etc.)



                                  c. from the next list, it'll tell you if the account is disabled, expired, etc. so you know what you'll need to change to reset it for specifically to ensure you can sign on with it afterwards when booted back to Windows



                                  d. on the next screen you'll want to unlock the account, blank the password on the account or set account as local administrator (option 1, 3, and 4).




                                  • i. you may need to do step "d." one time per action and then pick the username of the account again for the next action if it needs
                                    more than one action completed (e.g. blank password, unlock account,
                                    etc.)


                                  • ii. I'd just steer clear of setting passwords here and just do that through Windows Control Panel once you get signed onto Windows with a blank password as administrator, etc.



                                  e. be sure you select "Y" to save your changes, and then when the PC reboots, let it reboot to Windows and then sign on with the blank password to the account you changed with the bootdisk.





                                  If it doesn't work, boot to the bootdisk and do it again, maybe you didn't pick some option so it didn't do what you expected it to. Since you're factory wiping this hard drive anyway, there should not be much danger in losing anything or corrupting anything as then you'd just reimage/factory reset it again.



                                  Resource: http://pogostick.net/~pnh/ntpasswd/walkthrough.html



                                  Offline NT Password & Registry Editor, Walkthrough

                                  2014, NOTE: This is now a bit old, some are the same, some look a bit different..

                                  The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.

                                  Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so I cannot help you much. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)

                                  If it boots, you should see this:

                                  ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin



                                  ***************************************************************************
                                  *                                                                         *
                                  *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
                                  *                                                                         *
                                  *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
                                  *                                                                         *
                                  *  DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!         *
                                  *              THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE      *
                                  *              CAUSED BY THE (MIS)USE OF THIS SOFTWARE                    *
                                  *                                                                         *
                                  *  More info at: http://pogostick.net/~pnh/ntpasswd/                      *
                                  *  Email       : pnh@pogostick.net                                        *
                                  *                                                                         *
                                  *  CD build date: Sun Sep 23 14:15:35 CEST 2007                           *
                                  ***************************************************************************

                                  Press enter to boot, or give linux kernel boot options first if needed.
                                  Some that I have to use once in a while:
                                  boot nousb - to turn off USB if not used and it causes problems
                                  boot irqpoll - if some drivers hang with irq problem messages
                                  boot nodrivers - skip automatic disk driver loading

                                  boot:

                                  Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.

                                  Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.


                                  Loading vmlinuz..................
                                  Loading scsi.cgz.........................
                                  Loading initrd.cgz..........
                                  Ready.
                                  Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
                                  BIOS-provided physical RAM map:
                                   BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
                                   BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
                                   BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
                                   BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
                                   BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
                                   BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
                                   BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
                                   BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
                                   BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
                                   BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
                                   BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
                                  792MB LOWMEM available.
                                  Zone PFN ranges:
                                    DMA 0 -> 4096
                                    Normal 4096 -> 202752
                                  early_node_map[1] active PFN ranges

                                  ...

                                  Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
                                  serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
                                  Floppy drive(s): fd0 is 1.44M
                                  FDC 0 is a post-1991 82077
                                  RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
                                  USB Universal Host Controller Interface driver v3.0
                                  Initializing USB Mass Storage driver...
                                  usbcore: registered new interface driver usb-storage
                                  USB Mass Storage support registered.
                                  serio: i8042 KBD port at 0x60,0x64 irq 1
                                  serio: i8042 AUX port at 0x60,0x64 irq 12
                                  usbcore: registered new interface driver usbhid
                                  drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
                                  Using IPI Shortcut mode
                                  BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
                                  Freeing unused kernel memory: 144k freed
                                  Booting ntpasswd
                                  Mounting: proc sys
                                  Ramdisk setup complete, stage separation..
                                  In stage 2
                                  Spawning shells on console 2 - 6
                                  Initialization complete!

                                  ** Preparing driver modules to dir /lib/modules/2.6.22.6
                                  input: AT Translated Set 2 keyboard as /class/input/input0

                                  Most of the generic linux boot is now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.

                                  ** Will now try to auto-load relevant drivers based on PCI information

                                  ---- AUTO DISK DRIVER select ----
                                  --- PROBE FOUND THE FOLLOWING DRIVERS:
                                  ata_piix ata_generic mptspi
                                  --- TRYING TO LOAD THE DRIVERS
                                  ### Loading ata_piix
                                  scsi0 : ata_piix
                                  scsi1 : ata_piix
                                  ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
                                  ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
                                  ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
                                  ata2.00: configured for UDMA/33
                                  scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
                                  sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
                                  Uniform CD-ROM driver Revision: 3.20

                                  ### Loading ata_generic

                                  ### Loading mptspi
                                  Fusion MPT base driver 3.04.04
                                  Copyright (c) 1999-2007 LSI Logic Corporation
                                  Fusion MPT SPI Host driver 3.04.04
                                  PCI: Found IRQ 9 for device 0000:00:10.0
                                  mptbase: Initiating ioc0 bringup
                                  ioc0: 53C1030: Capabilities={Initiator}
                                  scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
                                  scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2
                                  target2:0:0: Beginning Domain Validation
                                  target2:0:0: Domain Validation skipping write tests
                                  target2:0:0: Ending Domain Validation
                                  target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
                                  sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                  sd 2:0:0:0: [sda] Write Protect is off
                                  sd 2:0:0:0: [sda] Cache data unavailable
                                  sd 2:0:0:0: [sda] Assuming drive cache: write through
                                  sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                  sd 2:0:0:0: [sda] Write Protect is off
                                  sd 2:0:0:0: [sda] Cache data unavailable
                                  sd 2:0:0:0: [sda] Assuming drive cache: write through
                                  sda: sda1
                                  sd 2:0:0:0: [sda] Attached SCSI disk

                                  Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand and model and size of the disks found, if any.


                                  -------------------------------------------------------------
                                  Driver load done, if none loaded, you may try manual instead.
                                  -------------------------------------------------------------

                                  ** If no disk show up, you may have to try again (d option) or manual (m).

                                  You can later load more drivers..

                                  *************************************************************************
                                  *  Windows Registry Edit Utility Floppy / chntpw                        *
                                  *  (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                   *
                                  *  GNU GPL v2 license, see files on CD                                  *
                                  *                                                                       *
                                  *  This utility will enable you to change or blank the password of      *
                                  *  any user (incl. administrator) on an Windows NT/2k/XP/Vista          *
                                  *  WITHOUT knowing the old password.                                    *
                                  *  Unlocking locked/disabled accounts also supported.                   *
                                  *                                                                       *
                                  *  It also has a registry editor, and there is now support for          *
                                  *  adding and deleting keys and values.                                 *
                                  *                                                                       *
                                  *  Tested on: NT3.51 & NT4: Workstation, Server, PDC.                   *
                                  *             Win2k Prof & Server to SP4. Cannot change AD.             *
                                  *             XP Home & Prof: up to SP2                                 *
                                  *             Win 2003 Server (cannot change AD passwords)              *
                                  *             Vista 32 and 64 bit                                       *
                                  *                                                                       *
                                  *  HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...      *
                                  *************************************************************************

                                  =========================================================
                                  There are several steps to go through:
                                  - Disk select with optional loading of disk drivers
                                  - PATH select, where are the Windows systems files stored
                                  - File-select, what parts of registry we need
                                  - Then finally the password change or registry edit itself
                                  - If changes were made, write them back to disk

                                  DON'T PANIC! Usually the defaults are OK, just press enter
                                  all the way through the questions

                                  =========================================================
                                  ¤ Step ONE: Select disk where the Windows installation is
                                  =========================================================

                                  Disks:
                                  Disk /dev/sda: 42.9 GB, 42949672960 bytes

                                  Candidate Windows partitions found:
                                   1 : /dev/sda1 40958MB BOOT

                                  Here it has found one disk with one partition

                                  Please select partition by number or
                                   q = quit
                                   d = automatically start disk drivers
                                   m = manually select disk drivers to load
                                   f = fetch additional drivers from floppy / usb
                                   a = show all partitions found
                                   l = show propbable Windows (NTFS) partitions only
                                  Select: [1]

                                  Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu.

                                  Floppy users may need to do 'f' to load in more drivers from another floppy.

                                  The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)

                                  The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)

                                  Here we only have one partition, so we just press enter to select it.


                                  Selected 1

                                  Mounting from /dev/sda1, with filesystem type NTFS

                                  NTFS volume version 3.1.

                                  It was an NTFS filesystem, and it mounted successfully.


                                  =========================================================
                                  ¤ Step TWO: Select PATH and registry files
                                  =========================================================
                                  What is the path to the registry directory? (relative to windows disk)
                                  [WINDOWS/system32/config] :

                                  The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation). If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.

                                  We accept the defaults.. and get a (bit filtered) directory listing showing most of the interesting registry files


                                  -rw------- 2 0 0 262144 Feb 28 2007 BCD-Template
                                  -rw------- 2 0 0 6815744 Sep 23 12:33 COMPONENTS
                                  -rw------- 1 0 0 262144 Sep 23 12:33 DEFAULT
                                  drwx------ 1 0 0 0 Nov 2 2006 Journal
                                  drwx------ 1 0 0 8192 Sep 23 12:33 RegBack
                                  -rw------- 1 0 0 524288 Sep 23 12:33 SAM
                                  -rw------- 1 0 0 262144 Sep 23 12:33 SECURITY
                                  -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
                                  -rw------- 1 0 0 9175040 Sep 23 12:33 SYSTEM
                                  drwx------ 1 0 0 4096 Nov 2 2006 TxR
                                  drwx------ 1 0 0 4096 Feb 27 2007 systemprofile

                                  Select which part of registry to load, use predefined choices
                                  or list the files with space as delimiter
                                  1 - Password reset [sam system security]
                                  2 - RecoveryConsole parameters [software]
                                  q - quit - return to previous
                                  [1] :

                                  Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.

                                  But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.


                                  Selected files: sam system security
                                  Copying sam system security to /tmp

                                  =========================================================
                                  ¤ Step THREE: Password or registry edit
                                  =========================================================
                                  chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
                                  Hive name (from header): <\SystemRoot\System32\Config\SAM>
                                  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                  Page at 0x44000 is not 'hbin', assuming file contains garbage at end
                                  File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
                                  Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

                                  Hive name (from header): <SYSTEM>
                                  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
                                  Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
                                  File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
                                  Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

                                  Hive name (from header): <emRoot\System32\Config\SECURITY>
                                  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                  Page at 0x6000 is not 'hbin', assuming file contains garbage at end
                                  File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
                                  Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.

                                  * SAM policy limits:
                                  Failed logins before lockout is: 0
                                  Minimum password length : 0
                                  Password history count : 0


                                  ======== chntpw Main Interactive Menu ========

                                  Loaded hives:

                                  1 - Edit user data and passwords
                                  2 - Syskey status & change
                                  3 - RecoveryConsole settings
                                  - - -
                                  9 - Registry editor, now with full write support!
                                  q - Quit (you will be asked if there is something to save)


                                  What to do? [1] ->

                                  This demo shows selection 1 for password edit, but you can also do other things. Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.

                                  Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.

                                  The manual registry editor is always available, it is not the most user-friendly thing, but anyway..

                                  We continue our quest to change our "admin" user's password..


                                  ===== chntpw Edit User Info & Passwords ====

                                  | RID -|---------- Username ------------| Admin? |- Lock? --|
                                  | 03e8 | admin                          | ADMIN  |          |
                                  | 01f4 | Administrator                  | ADMIN  | dis/lock |
                                  | 03ec | grumf1                         |        |          |
                                  | 03ed | grumf2                         |        |          |
                                  | 03ee | grumf3                         |        |          |
                                  | 01f5 | Guest                          |        | dis/lock |
                                  | 03ea | jalla1                         | ADMIN  | *BLANK*  |
                                  | 03eb | jalla2                         |        | *BLANK*  |
                                  | 03e9 | petro                          | ADMIN  | *BLANK*  |

                                  This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users. The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

                                  The built-in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)

                                  The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

                                  We select to edit the "admin" user (this was the user made administrator by the Vista installer)


                                  Select: ! - quit, . - list users, 0x - User with RID (hex)
                                  or simply enter the username to change: [Administrator] admin

                                  RID : 1000 [03e8]
                                  Username: admin
                                  fullname:
                                  comment :
                                  homedir :

                                  User is member of 1 groups:
                                  00000220 = Administrators (which has 4 members)

                                  Group 220 is THE BOSS GROUP! :)

                                  Account bits: 0x0214 =
                                  [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
                                  [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
                                  [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
                                  [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
                                  [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

                                  Failed login count: 0, while max tries is: 0
                                  Total login count: 3

                                  Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.

                                  - - - - User Edit Menu:
                                   1 - Clear (blank) user password
                                   2 - Edit (set new) user password (careful with this on XP or Vista)
                                   3 - Promote user (make user an administrator)
                                  (4 - Unlock and enable user account) [seems unlocked already]
                                   q - Quit editing user, back to user select
                                  Select: [q] > 1
                                  Password cleared!

                                  Here we just reset/clear/blank the password. But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.

                                  Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.


                                  Select: ! - quit, . - list users, 0x - User with RID (hex)
                                  or simply enter the username to change: [Administrator] !

                                  Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD). Then we get back to the main menu, and select to quit..


                                  ======== chntpw Main Interactive Menu ========

                                  Loaded hives: <sam> <system> <security>

                                  1 - Edit user data and passwords
                                  2 - Syskey status & change
                                  3 - RecoveryConsole settings
                                  - - -
                                  9 - Registry editor, now with full write support!
                                  q - Quit (you will be asked if there is something to save)


                                  What to do? [1] -> q

                                  Hives that have changed:
                                   # Name
                                   0 - OK

                                  =========================================================
                                  ¤ Step FOUR: Writing back changes
                                  =========================================================
                                  About to write file(s) back! Do it? [n] : y

                                  You must answer y, or the changes will not be saved. This is the last chance to change your mind!

                                  Writing sam

                                  Only changed files of the registry are actually written back.

                                  If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.


                                  ***** EDIT COMPLETE *****

                                  You can try again if it somehow failed, or you selected wrong
                                  New run? [n] : n
                                  =========================================================

                                  * end of scripts.. returning to the shell..
                                  * Press CTRL-ALT-DEL to reboot now (remove floppy first)
                                  * or do whatever you want from the shell..
                                  * However, if you mount something, remember to umount before reboot
                                  * You may also restart the script procedure with 'sh /scripts/main.sh'

                                  (Please ignore the message about job control, it is not relevant)


                                  BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash)
                                  Enter 'help' for a list of built-in commands.

                                  sh: can't access tty; job control turned off

                                  And I got about a gazillion questions on this error message, even if it is mentioned in the FAQ. It is from the shell telling it cannot do "job control" which means it cannot handle CTRL-C etc. It HAS NOTHING TO DO WITH YOUR PASSWORD RESET DID NOT WORK! That is caused by a lot of other things.
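An added example, not part of the answer above or of the ntpasswd project: a parser for the per-user block that chntpw prints in the walkthrough, useful when auditing what state an account was left in. It checks that the hex "Account bits" value agrees with the [X] boxes and applies the lockout rule as the walkthrough states it. It assumes the boxes are listed from the lowest bit upward, which the walkthrough's own value 0x0214 bears out; the sample block is constructed from the walkthrough's output and the function names are hypothetical.

```python
import re

# Constructed sample: one user block, laid out as in the walkthrough's output.
SAMPLE = """\
RID     : 1000 [03e8]
Username: admin
User is member of 1 groups:
00000220 = Administrators (which has 4 members)
Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |
Failed login count: 0, while max tries is: 0
Total login count: 3
"""

ADMIN_GROUP = 0x220  # the Administrators group ("Group 220") in the walkthrough


def parse_account(text):
    """Extract the fields of one chntpw user block into a dict.

    Works on the multi-line layout and on the same text flattened to one line.
    """
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return cast(m.group(1))

    # Each box is "[ ] label |" or "[X] label |"; "[03e8]" does not match.
    boxes = re.findall(r"\[([ X])\]\s*([^|\n]+?)\s*\|", text)
    if not boxes:
        raise ValueError("no account-bit boxes found")
    return {
        "rid": grab(r"RID\s*:\s*(\d+)", int),
        "username": grab(r"Username:\s*(\S+)"),
        "groups": [int(g, 16) for g in re.findall(r"\b([0-9a-fA-F]{8}) = ", text)],
        "bits": grab(r"Account bits:\s*0x([0-9a-fA-F]+)", lambda h: int(h, 16)),
        "boxes": [(label, mark == "X") for mark, label in boxes],
        "failed": grab(r"Failed login count:\s*(\d+)", int),
        "max_tries": grab(r"max tries is:\s*(\d+)", int),
    }


def bits_from_boxes(boxes):
    """Rebuild the flag word from the boxes (assumption: i-th box is bit i)."""
    return sum(1 << i for i, (_, on) in enumerate(boxes) if on)


def set_flags(acct):
    """Labels of the boxes that are ticked, in display order."""
    return [label for label, on in acct["boxes"] if on]


def is_locked_out(acct):
    """Rule as stated in the walkthrough: Disabled is set, or the failed
    login count is larger than the max tries policy setting."""
    disabled = dict(acct["boxes"]).get("Disabled", False)
    return disabled or acct["failed"] > acct["max_tries"]


def audit(acct):
    """Return a list of findings worth a second look on this account."""
    findings = []
    if bits_from_boxes(acct["boxes"]) != acct["bits"]:
        findings.append("hex value and boxes disagree: output garbled or mis-transcribed")
    flags = set_flags(acct)
    is_admin = ADMIN_GROUP in acct["groups"]
    if "Passwd not req." in flags:
        findings.append("password not required" + (" on an administrator" if is_admin else ""))
    if "Pwd don't expir" in flags:
        findings.append("password never expires")
    if is_locked_out(acct):
        findings.append("account disabled or locked out")
    return findings


if __name__ == "__main__":
    account = parse_account(SAMPLE)
    print(account["username"], hex(account["bits"]), set_flags(account))
    for finding in audit(account):
        print(" -", finding)
```
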































                                    10


















                                    Use this bootdisk to boot PCs with Windows OSes to blank out the LOCAL user account passwords, ENABLE or DISABLE LOCAL user accounts, etc.



                                    You can use this if you've forgotten your LOCAL Windows user account password, you've done a factory reimage/reset on your Windows OS and the account has a password you don't know what it is, and things of this sort of nature so you can log into Windows as some account WITHOUT a password just to get in, and then set the password from the Windows Control Panel, etc. to something you do know afterwards.





                                    THE STEPS IN BRIEF




                                    1. Download the bootdisk image file


                                    2. Burn bootdisk image file onto media (e.g. USB or CD) to boot PC from it rather than the hard drive or Windows.


                                    3. Put the newly burned bootdisk media into the PC, and then instruct the PC to boot from it rather than the internal hard drive with Windows installed.


                                    4. Follow the instruction from the below section labeled INSTRUCTIONS ONCE BOOTED TO for what options to pick, etc. to enable existing local Windows accounts and/or blank out the password of the accounts and so on.





                                    General Information



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    Offline Windows Password & Registry Editor, Bootdisk / CD



                                    I've put together a CD or USB Drive image which contains things needed
                                    to reset the passwords on most systems.



                                    The bootdisk should support most of the more usual disk controllers,
                                    and it should auto-load most of them. Both PS/2 and USB keyboard
                                    supported.



                                    More or less tested from NT3.5 up to Windows 8.1, including the server
                                    versions like 2003, 2008 and 2012. Also 64 bit windows supported.



                                    DANGER WILL ROBINSON!



                                    If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be
                                    UNREADABLE! and cannot be recovered unless you remember the old
                                    password again.
                                    If you don't know if you have encrypted files or not,
                                    you most likely don't have them. (except maybe on corporate systems)



                                    Please see the Frequently Asked
                                    Questions and the
                                    version history below before emailing questions to me. Thanks!






                                    Download Bootdisk



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    Download



                                    Note: Some links may be offsite.



                                    CD release, see below on how to use




                                    • cd140201.zip (~18MB) - Bootable CD image.


                                    • usb140201.zip (~18MB) - Files for USB install



                                    Previous release:




                                    • cd110511.zip (~4MB) - Bootable CD image.


                                    • usb110511.zip (~4MB) - Files for USB install



                                    The files inside the USB zip are exactly the same as on the CD. See
                                    below for instructions on how to make USB disk bootable.



                                    Floppy release (not updated anymore), see below on how to use them





                                    • bd080526.zip (~1.4M) - Bootdisk image


                                    • drivers1-080526.zip
                                      (~310K) - Disk drivers (mostly PATA/SATA)


                                    • drivers2-080526.zip
                                      (~1.2M) - Disk drivers (mostly SCSI)


                                    Previous versions may sometimes be found here (also my site)



                                    NOTE: Versions before 0704xx will corrupt the disk on VISTA/win7/8!



                                    NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.






                                    HOW TO USE



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    How to use?



                                    Please read the walkthrough (now a bit outdated, sorry) and the
                                    FAQ before mailing me questions.



                                    If you have the CD or USB, all drivers are included.



                                    Overview




                                    1. Get the machine to boot from the CD or USB drive.

                                    2. Load drivers (usually automatic, but possible to run manual select)

                                    3. Disk select, tell which disk contains the Windows system. Optionally
                                      you will have to load drivers.

                                    4. PATH select, where on the disk is the system? (now usually
                                      automatic)

                                    5. File select, which parts of registry to load, based on what you want
                                      to do.

                                    6. Password reset or other registry edit.

                                    7. Write back to disk (you will be asked)


                                    DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return
                                    to accept the default answer.



                                    The walkthrough and instructions is now on its own page! but is quite old.. hope to make a new one..



                                    What can go wrong?



                                    Well. Lots of things, actually. But most of the problems are of the
                                    type "cannot find" something. And then nothing happens.



                                    Also, see the FAQ for
                                    help with common problems.






                                    INSTRUCTIONS ONCE BOOTED TO



                                    It may be best to print these instructions and then follow from that printed copy—and print from the version on the web site resource URL perhaps too in case they update something with it since after my post here.



                                    This is the detail that explains what options to pick once the bootdisk starts booting to find and point to the internal hard drive and pick the current Windows OS objects to blank out the LOCAL user accounts on that Windows OS on the hard drive.



                                    This part may seem complex or involved at first, but just let the bootdisk boot up and go through the screen until it prompts or waits for you to tell it what to do. Look over these instructions and just pick the appropriate options as instructed—it should make sense so just read it over until you get it.





                                    Typically though you'll. . .



                                    a. pick the Windows disk partition on the hard drive the bootdisk
                                    inspects



                                    b. from the list of usernames it finds, type the name of the account
                                    you'll change (e.g. administrator, jsmith, etc.)



                                    c. from the next list, it'll tell you if the account is disabled, expired, etc. so you know what you'll need to change to reset it for specifically to ensure you can sign on with it afterwards when booted back to Windows



                                    d. on the next screen you'll want to unlock the account, blank the password on the account or set account as local administrator (option 1, 3, and 4).




                                    • i. you may need to do step "d." one time per action and then pick the username of the account again for the next action if it needs
                                      more than one action completed (e.g. blank password, unlock account,
                                      etc.)


                                    • ii. I'd just steer clear of setting passwords here and just do that through Windows Control Panel once you get signed onto Windows with a blank password as administrator, etc.



                                    e. be sure you select "Y" to save your changes and then when the PC reboots, let it reboot to Windows and then sign on with the blank password to the account you changed with the bootdisk.





                                    If it doesn't work, boot to the bootdisk and do it again, maybe you didn't pick some option so it didn't do what you expected it to. Since you're factory wiping this hard drive anyway, there should not be much danger in losing anything or corrupting anything as then you'd just reimage/factory reset it again.



                                    Resource: http://pogostick.net/~pnh/ntpasswd/walkthrough.html



                                    Offline NT Password & Registry Editor, Walkthrough

                                    2014, NOTE: This is now a bit old, some are the same, some look a bit different..

                                    The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.

                                    Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so I cannot help you much. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)

                                    If it boots, you should see this:

                                    ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin



                                    ***************************************************************************
                                    *                                                                         *
                                    *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
                                    *                                                                         *
                                    *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
                                    *                                                                         *
                                    *  DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!         *
                                    *              THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE      *
                                    *              CAUSED BY THE (MIS)USE OF THIS SOFTWARE                    *
                                    *                                                                         *
                                    *  More info at: http://pogostick.net/~pnh/ntpasswd/                      *
                                    *  Email       : pnh@pogostick.net                                        *
                                    *                                                                         *
                                    *  CD build date: Sun Sep 23 14:15:35 CEST 2007                           *
                                    ***************************************************************************

                                    Press enter to boot, or give linux kernel boot options first if needed.
                                    Some that I have to use once in a while:
                                    boot nousb - to turn off USB if not used and it causes problems
                                    boot irqpoll - if some drivers hang with irq problem messages
                                    boot nodrivers - skip automatic disk driver loading

                                    boot:

                                    Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.

                                    Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.


                                    Loading vmlinuz..................
                                    Loading scsi.cgz.........................
                                    Loading initrd.cgz..........
                                    Ready.
                                    Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
                                    BIOS-provided physical RAM map:
                                     BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
                                     BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
                                     BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
                                     BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
                                     BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
                                     BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
                                     BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
                                     BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
                                     BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
                                     BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
                                     BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
                                    792MB LOWMEM available.
                                    Zone PFN ranges:
                                      DMA 0 -> 4096
                                      Normal 4096 -> 202752
                                    early_node_map[1] active PFN ranges

                                    ...

                                    Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
                                    serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
                                    Floppy drive(s): fd0 is 1.44M
                                    FDC 0 is a post-1991 82077
                                    RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
                                    USB Universal Host Controller Interface driver v3.0
                                    Initializing USB Mass Storage driver...
                                    usbcore: registered new interface driver usb-storage
                                    USB Mass Storage support registered.
                                    serio: i8042 KBD port at 0x60,0x64 irq 1
                                    serio: i8042 AUX port at 0x60,0x64 irq 12
                                    usbcore: registered new interface driver usbhid
                                    drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
                                    Using IPI Shortcut mode
                                    BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
                                    Freeing unused kernel memory: 144k freed
                                    Booting ntpasswd
                                    Mounting: proc sys
                                    Ramdisk setup complete, stage separation..
                                    In stage 2
                                    Spawning shells on console 2 - 6
                                    Initialization complete!

                                    ** Preparing driver modules to dir /lib/modules/2.6.22.6
                                    input: AT Translated Set 2 keyboard as /class/input/input0

                                    Most of the generic linux boot now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.

                                    ** Will now try to auto-load relevant drivers based on PCI information

                                    ---- AUTO DISK DRIVER select ----
                                    --- PROBE FOUND THE FOLLOWING DRIVERS:
                                    ata_piix
                                    ata_generic
                                    mptspi
                                    --- TRYING TO LOAD THE DRIVERS
                                    ### Loading ata_piix
                                    scsi0 : ata_piix
                                    scsi1 : ata_piix
                                    ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
                                    ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
                                    ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
                                    ata2.00: configured for UDMA/33
                                    scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
                                    sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
                                    Uniform CD-ROM driver Revision: 3.20

                                    ### Loading ata_generic

                                    ### Loading mptspi
                                    Fusion MPT base driver 3.04.04
                                    Copyright (c) 1999-2007 LSI Logic Corporation
                                    Fusion MPT SPI Host driver 3.04.04
                                    PCI: Found IRQ 9 for device 0000:00:10.0
                                    mptbase: Initiating ioc0 bringup
                                    ioc0: 53C1030: Capabilities={Initiator}
                                    scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
                                    scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2
                                     target2:0:0: Beginning Domain Validation
                                     target2:0:0: Domain Validation skipping write tests
                                     target2:0:0: Ending Domain Validation
                                     target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
                                    sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                    sd 2:0:0:0: [sda] Write Protect is off
                                    sd 2:0:0:0: [sda] Cache data unavailable
                                    sd 2:0:0:0: [sda] Assuming drive cache: write through
                                    sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                    sd 2:0:0:0: [sda] Write Protect is off
                                    sd 2:0:0:0: [sda] Cache data unavailable
                                    sd 2:0:0:0: [sda] Assuming drive cache: write through
                                     sda: sda1
                                    sd 2:0:0:0: [sda] Attached SCSI disk

                                    Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand and model and size of the disks found, if any.


                                    -------------------------------------------------------------
                                    Driver load done, if none loaded, you may try manual instead.
                                    -------------------------------------------------------------


                                    ** If no disk show up, you may have to try again (d option) or manual (m).

                                    You can later load more drivers..



                                    *************************************************************************
                                    *  Windows Registry Edit Utility Floppy / chntpw                        *
                                    *  (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                   *
                                    *  GNU GPL v2 license, see files on CD                                  *
                                    *                                                                       *
                                    *  This utility will enable you to change or blank the password of      *
                                    *  any user (incl. administrator) on an Windows NT/2k/XP/Vista          *
                                    *  WITHOUT knowing the old password.                                    *
                                    *  Unlocking locked/disabled accounts also supported.                   *
                                    *                                                                       *
                                    *  It also has a registry editor, and there is now support for          *
                                    *  adding and deleting keys and values.                                 *
                                    *                                                                       *
                                    *  Tested on: NT3.51 & NT4: Workstation, Server, PDC.                   *
                                    *             Win2k Prof & Server to SP4. Cannot change AD.             *
                                    *             XP Home & Prof: up to SP2                                 *
                                    *             Win 2003 Server (cannot change AD passwords)              *
                                    *             Vista 32 and 64 bit                                       *
                                    *                                                                       *
                                    *  HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...      *
                                    *************************************************************************

                                    =========================================================
                                    There are several steps to go through:
                                    - Disk select with optional loading of disk drivers
                                    - PATH select, where are the Windows systems files stored
                                    - File-select, what parts of registry we need
                                    - Then finally the password change or registry edit itself
                                    - If changes were made, write them back to disk

                                    DON'T PANIC! Usually the defaults are OK, just press enter
                                    all the way through the questions

                                    =========================================================
                                    ¤ Step ONE: Select disk where the Windows installation is
                                    =========================================================

                                    Disks:
                                    Disk /dev/sda: 42.9 GB, 42949672960 bytes

                                    Candidate Windows partitions found:
                                     1 : /dev/sda1 40958MB BOOT

                                    Here it has found one disk with one partition

                                    Please select partition by number or
                                     q = quit
                                     d = automatically start disk drivers
                                     m = manually select disk drivers to load
                                     f = fetch additional drivers from floppy / usb
                                     a = show all partitions found
                                     l = show propbable Windows (NTFS) partitions only
                                    Select: [1]

                                    Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu.

                                    Floppy users may need to do 'f' to load in more drivers from another floppy.

                                    The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)

                                    The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)

                                    Here we only have one partition, so we just press enter to select it.


                                    Selected 1

                                    Mounting from /dev/sda1, with filesystem type NTFS

                                    NTFS volume version 3.1.

                                    It was an NTFS filesystem, and it mounted successfully.


                                    =========================================================
                                    ¤ Step TWO: Select PATH and registry files
                                    =========================================================
                                    What is the path to the registry directory? (relative to windows disk)
                                    [WINDOWS/system32/config] :

                                    The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation). If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.

                                    We accept the defaults.. and get a (bit filtered) directory listing showing most of the interesting registry files


                                    -rw------- 2 0 0 262144 Feb 28 2007 BCD-Template
                                    -rw------- 2 0 0 6815744 Sep 23 12:33 COMPONENTS
                                    -rw------- 1 0 0 262144 Sep 23 12:33 DEFAULT
                                    drwx------ 1 0 0 0 Nov 2 2006 Journal
                                    drwx------ 1 0 0 8192 Sep 23 12:33 RegBack
                                    -rw------- 1 0 0 524288 Sep 23 12:33 SAM
                                    -rw------- 1 0 0 262144 Sep 23 12:33 SECURITY
                                    -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
                                    -rw------- 1 0 0 9175040 Sep 23 12:33 SYSTEM
                                    drwx------ 1 0 0 4096 Nov 2 2006 TxR
                                    drwx------ 1 0 0 4096 Feb 27 2007 systemprofile

                                    Select which part of registry to load, use predefined choices
                                    or list the files with space as delimiter
                                    1 - Password reset [sam system security]
                                    2 - RecoveryConsole parameters [software]
                                    q - quit - return to previous
                                    [1] :

                                    Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.

                                    But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.


                                    Selected files: sam system security
                                    Copying sam system security to /tmp

                                    =========================================================
                                    ¤ Step THREE: Password or registry edit
                                    =========================================================
                                    chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
                                    Hive name (from header): <\SystemRoot\System32\Config\SAM>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                    Page at 0x44000 is not 'hbin', assuming file contains garbage at end
                                    File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
                                    Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

                                    Hive name (from header): <SYSTEM>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
                                    Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
                                    File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
                                    Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

                                    Hive name (from header): <emRoot\System32\Config\SECURITY>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                    Page at 0x6000 is not 'hbin', assuming file contains garbage at end
                                    File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
                                    Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.


                                    * SAM policy limits:
                                    Failed logins before lockout is: 0
                                    Minimum password length : 0
                                    Password history count : 0


                                    ======== chntpw Main Interactive Menu ========

                                    Loaded hives: <sam> <system> <security>

                                    1 - Edit user data and passwords
                                    2 - Syskey status & change
                                    3 - RecoveryConsole settings
                                    - - -
                                    9 - Registry editor, now with full write support!
                                    q - Quit (you will be asked if there is something to save)


                                    What to do? [1] ->

                                    This demo shows selection 1 for password edit, but you can also do other things. Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.

                                    Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.

                                    The manual registry editor is always available, it is not the most user-friendly thing, but anyway..

                                    We continue our quest to change our "admin" users password..


                                    ===== chntpw Edit User Info & Passwords ====

                                    | RID -|---------- Username ------------| Admin? |- Lock? --|
                                    | 03e8 | admin                          | ADMIN  |          |
                                    | 01f4 | Administrator                  | ADMIN  | dis/lock |
                                    | 03ec | grumf1                         |        |          |
                                    | 03ed | grumf2                         |        |          |
                                    | 03ee | grumf3                         |        |          |
                                    | 01f5 | Guest                          |        | dis/lock |
                                    | 03ea | jalla1                         | ADMIN  | *BLANK*  |
                                    | 03eb | jalla2                         |        | *BLANK*  |
                                    | 03e9 | petro                          | ADMIN  | *BLANK*  |

                                    This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users. The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

                                    The built-in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)

                                    The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

                                    We select to edit the "admin" user (this was the user made administrator by the Vista installer)


                                    Select: ! - quit, . - list users, 0x - User with RID (hex) or simply enter the username to change: [Administrator] admin

                                    RID : 1000 [03e8]
                                    Username: admin
                                    fullname:
                                    comment :
                                    homedir :

                                    User is member of 1 groups:
                                    00000220 = Administrators (which has 4 members)

                                    Group 220 is THE BOSS GROUP! :)

                                    Account bits: 0x0214 =
                                    [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
                                    [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
                                    [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
                                    [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
                                    [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

                                    Failed login count: 0, while max tries is: 0
                                    Total login count: 3

                                    Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.

                                    - - - - User Edit Menu:
                                     1 - Clear (blank) user password
                                     2 - Edit (set new) user password (careful with this on XP or Vista)
                                     3 - Promote user (make user an administrator)
                                    (4 - Unlock and enable user account) [seems unlocked already]
                                     q - Quit editing user, back to user select
                                    Select: [q] > 1
                                    Password cleared!

                                    Here we just reset/clear/blank the password. But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.

                                    Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.


                                    Select: ! - quit, . - list users, 0x - User with RID (hex) or simply enter the username to change: [Administrator] !

                                    Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD) Then we get back to the main menu, and select to quit..


                                    ======== chntpw Main Interactive Menu ========

                                    Loaded hives: <sam> <system> <security>

                                    1 - Edit user data and passwords
                                    2 - Syskey status & change
                                    3 - RecoveryConsole settings
                                    - - -
                                    9 - Registry editor, now with full write support!
                                    q - Quit (you will be asked if there is something to save)


                                    What to do? [1] -> q

                                    Hives that have changed:
                                     #  Name
                                     0  <sam> - OK

                                    =========================================================
                                    ¤ Step FOUR: Writing back changes
                                    =========================================================
                                    About to write file(s) back! Do it? [n] : y

                                    You must answer y, or the changes will not be saved. This is the last chance to change your mind!

                                    Writing sam

                                    Only changed files of the registry are actually written back.

                                    If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.


                                    ***** EDIT COMPLETE *****

                                    You can try again if it somehow failed, or you selected wrong
                                    New run? [n] : n
                                    =========================================================

                                    * end of scripts.. returning to the shell..
                                    * Press CTRL-ALT-DEL to reboot now (remove floppy first)
                                    * or do whatever you want from the shell..
                                    * However, if you mount something, remember to umount before reboot
                                    * You may also restart the script procedure with 'sh /scripts/main.sh'

                                    (Please ignore the message about job control, it is not relevant)


                                    BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash)
                                    Enter 'help' for a list of built-in commands.

                                    sh: can't access tty; job control turned off

                                    And I got about a gazillion questions on this error message, even if it is mentioned in the FAQ. It is from the shell telling it cannot do "job control" which means it cannot handle CTRL-C etc. It HAS NOTHING TO DO WITH YOUR PASSWORD RESET DID NOT WORK! That is caused by a lot of other things.





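The "Account bits" value, the lockout rule and the user listing shown in the walkthrough above can be read mechanically when reviewing the local accounts on a machine. The Python below is an added example, not part of the original answer or of chntpw: the bit positions are inferred from the order of the labels in the output and checked against the 0x0214 sample, the listing is re-typed from the walkthrough, and the function names are hypothetical.

```python
import re

# Flag names in the order the "Account bits" line prints them. Bit i is
# assumed to map to entry i (inferred from that order, not from chntpw source).
ACB_LABELS = [
    "Disabled", "Homedir req.", "Passwd not req.", "Temp. duplicate",
    "Normal account", "NMS account", "Domain trust ac", "Wks trust act.",
    "Srv trust act", "Pwd don't expir", "Auto lockout",
]
ACB_DISABLED = 0x0001
BUILTIN_ADMIN_RID = 0x01F4  # "always RID 01f4" per the walkthrough

# Constructed sample: the user listing from the walkthrough, one row per line.
SAMPLE_LISTING = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  |          |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | grumf1                         |        |          |
| 03ed | grumf2                         |        |          |
| 03ee | grumf3                         |        |          |
| 01f5 | Guest                          |        | dis/lock |
| 03ea | jalla1                         | ADMIN  | *BLANK*  |
| 03eb | jalla2                         |        | *BLANK*  |
| 03e9 | petro                          | ADMIN  | *BLANK*  |
"""


def decode_acb(value):
    """Return the names of the flags set in an 'Account bits' value."""
    return [name for bit, name in enumerate(ACB_LABELS) if value & (1 << bit)]


def is_locked_out(acb, failed_logins, max_tries):
    """Apply the walkthrough's rule: Disabled set, or failed count above policy.

    max_tries == 0 is treated as "no lockout threshold" (Windows policy meaning).
    """
    over_limit = max_tries > 0 and failed_logins > max_tries
    return bool(acb & ACB_DISABLED) or over_limit


def parse_user_list(text):
    """Parse the '| RID | Username | Admin? | Lock? |' rows into dicts."""
    users = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not re.fullmatch(r"[0-9a-fA-F]{4}", cells[0]):
            continue  # header row or anything that is not a user row
        rid, name, admin, lock = cells
        users.append({
            "rid": int(rid, 16),
            "name": name,
            "admin": admin == "ADMIN",
            "locked_or_disabled": lock == "dis/lock",
            "blank_password": lock == "*BLANK*",
        })
    return users


def audit(users):
    """Return (severity, username, reason) findings for accounts that can log in."""
    findings = []
    for user in users:
        if user["locked_or_disabled"]:
            continue  # cannot log in, nothing to report
        if user["blank_password"]:
            severity = "high" if user["admin"] else "medium"
            findings.append((severity, user["name"],
                             "enabled account with blank password"))
        if user["rid"] == BUILTIN_ADMIN_RID:
            findings.append(("medium", user["name"],
                             "built-in Administrator is enabled"))
    return findings


if __name__ == "__main__":
    print("0x0214 ->", decode_acb(0x0214))
    print("locked out:", is_locked_out(0x0214, failed_logins=0, max_tries=0))
    for finding in audit(parse_user_list(SAMPLE_LISTING)):
        print(" | ".join(finding))
```

An account that has just been blanked with option 1 would show up in such a listing as `*BLANK*`, which is why the walkthrough's advice to set a real password from Windows straight afterwards matters.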














                                    Use this bootdisk to boot PCs with Windows OSes to blank out the LOCAL user account passwords, ENABLE or DISABLE LOCAL user accounts, etc.



                                    You can use this if you've forgotten your LOCAL Windows user account password, or you've done a factory reimage/reset on your Windows OS and the account has a password you don't know, and things of that nature. It lets you log into Windows as some account WITHOUT a password just to get in, and then set the password from the Windows Control Panel, etc. to something you do know afterwards.





                                    THE STEPS IN BRIEF




                                    1. Download the bootdisk image file


                                    2. Burn bootdisk image file onto media (e.g. USB or CD) to boot PC from it rather than the hard drive or Windows.


                                    3. Put the newly burned bootdisk media into the PC, and then instruct the PC to boot from it rather than the internal hard drive with Windows installed.


                                    4. Follow the instructions in the section below labeled INSTRUCTIONS ONCE BOOTED TO for what options to pick, etc. to enable existing local Windows accounts and/or blank out the password of the accounts and so on.





                                    General Information



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    Offline Windows Password & Registry Editor, Bootdisk / CD



                                    I've put together a CD or USB Drive image which contains things needed
                                    to reset the passwords on most systems.



                                    The bootdisk should support most of the more usual disk controllers,
                                    and it should auto-load most of them. Both PS/2 and USB keyboard
                                    supported.



                                    More or less tested from NT3.5 up to Windows 8.1, including the server
                                    versions like 2003, 2008 and 2012. Also 64 bit windows supported.



                                    DANGER WILL ROBINSON!



                                    If password is reset on users that have EFS encrypted files, and the system is XP or newer, all encrypted files for that user will be
                                    UNREADABLE! and cannot be recovered unless you remember the old
                                    password again.
                                    If you don't know if you have encrypted files or not,
                                    you most likely don't have them. (except maybe on corporate systems)



                                    Please see the Frequently Asked Questions and the version history below before emailing questions to me. Thanks!






                                    Download Bootdisk



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    Download



                                    Note: Some links may be offsite.



                                    CD release, see below on how to use




                                    • cd140201.zip (~18MB) - Bootable CD image.


                                    • usb140201.zip (~18MB) - Files for USB install



                                    Previous release:




                                    • cd110511.zip (~4MB) - Bootable CD image.


                                    • usb110511.zip (~4MB) - Files for USB install



                                    The files inside the USB zip are exactly the same as on the CD. See
                                    below for instructions on how to make USB disk bootable.



                                    Floppy release (not updated anymore), see below on how to use them





                                    • bd080526.zip (~1.4M) - Bootdisk image


                                    • drivers1-080526.zip (~310K) - Disk drivers (mostly PATA/SATA)


                                    • drivers2-080526.zip (~1.2M) - Disk drivers (mostly SCSI)


                                    Previous versions may sometimes be found here (also my site)



                                    NOTE: Versions before 0704xx will corrupt the disk on VISTA/win7/8!



                                    NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be ILLEGAL to RE-EXPORT it from your country.






                                    HOW TO USE



                                    Resource: http://pogostick.net/~pnh/ntpasswd/bootdisk.html




                                    How to use?



                                    Please read the walkthrough (now a bit outdated, sorry) and the
                                    FAQ before mailing me questions.



                                    If you have the CD or USB, all drivers are included.



                                    Overview




                                    1. Get the machine to boot from the CD or USB drive.

                                    2. Load drivers (usually automatic, but possible to run manual select)

                                    3. Disk select, tell which disk contains the Windows system. Optionally
                                      you will have to load drivers.

                                    4. PATH select, where on the disk is the system? (now usually
                                      automatic)

                                    5. File select, which parts of registry to load, based on what you want
                                      to do.

                                    6. Password reset or other registry edit.

                                    7. Write back to disk (you will be asked)


                                    DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return
                                    to accept the default answer.



                                    The walkthrough and instructions is now on its own page! but is quite old.. hope to make a new one..



                                    What can go wrong?



                                    Well. Lots of things, actually. But most of the problems are of the
                                    type "cannot find" something. And then nothing happens.



                                    Also, see the FAQ for
                                    help with common problems.






                                    INSTRUCTIONS ONCE BOOTED TO



                                    It may be best to print these instructions and then follow from that printed copy—and perhaps print from the version on the web site resource URL too, in case they have updated something since my post here.



                                    This is the detail that explains what options to pick once the bootdisk starts booting to find and point to the internal hard drive and pick the current Windows OS objects to blank out the LOCAL user accounts on that Windows OS on the hard drive.



                                    This part may seem complex or involved at first, but just let the bootdisk boot up and go through the screen until it prompts or waits for you to tell it what to do. Look over these instructions and just pick the appropriate options as instructed—it should make sense so just read it over until you get it.





                                    Typically though you'll. . .



                                    a. pick the Windows disk partition on the hard drive the bootdisk
                                    inspects



                                    b. from the list of usernames it finds, type the name of the account
                                    you'll change (e.g. administrator, jsmith, etc.)



                                    c. from the next list, it'll tell you if the account is disabled, expired, etc. so you know what you'll need to change specifically to ensure you can sign on with it afterwards when booted back to Windows



                                    d. on the next screen you'll want to unlock the account, blank the password on the account or set account as local administrator (option 1, 3, and 4).




                                    • i. you may need to do step "d." one time per action and then pick the username of the account again for the next action if it needs more than one action completed (e.g. blank password, unlock account, etc.)


                                    • ii. I'd just steer clear of setting passwords here and just do that through Windows Control Panel once you get signed onto Windows with a blank password as administrator, etc.



                                    e. be sure you select "Y" to save your changes, and then when the PC reboots, let it reboot to Windows and then sign on with the blank password to the account you changed with the bootdisk.





                                    If it doesn't work, boot to the bootdisk and do it again, maybe you didn't pick some option so it didn't do what you expected it to. Since you're factory wiping this hard drive anyway, there should not be much danger in losing anything or corrupting anything as then you'd just reimage/factory reset it again.



                                    Resource: http://pogostick.net/~pnh/ntpasswd/walkthrough.html



                                    Offline NT Password & Registry Editor, Walkthrough

                                    2014, NOTE: This is now a bit old, some are the same, some look a bit different..

                                    The following is a walkthrough of using the CD to reset one user (admin) on a test Vista computer.

                                    Insert the CD and convince your BIOS that it should boot from it. How to boot from a CD varies from computer make to computer make, so I cannot help you much. Some BIOS shows a boot device select menu if you press ESC, F8, F11 or F12 or something like that during the self test. (some even tell you on the screen what to press)

                                    If it boots, you should see this:

                                    ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin



                                    ***************************************************************************
                                    *                                                                         *
                                    *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
                                    *                                                                         *
                                    *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
                                    *                                                                         *
                                    *  DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!         *
                                    *              THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE      *
                                    *              CAUSED BY THE (MIS)USE OF THIS SOFTWARE                    *
                                    *                                                                         *
                                    *  More info at: http://pogostick.net/~pnh/ntpasswd/                      *
                                    *  Email       : pnh@pogostick.net                                        *
                                    *                                                                         *
                                    *  CD build date: Sun Sep 23 14:15:35 CEST 2007                           *
                                    ***************************************************************************

                                    Press enter to boot, or give linux kernel boot options first if needed.
                                    Some that I have to use once in a while:
                                    boot nousb      - to turn off USB if not used and it causes problems
                                    boot irqpoll    - if some drivers hang with irq problem messages
                                    boot nodrivers  - skip automatic disk driver loading

                                    boot:

                                    Usually just press enter here. If you have linux knowledge, you can tweak kernel options if you need/like.

                                    Then it boots and outputs a lot of kernel messages about your hardware and such.. most if not all are nothing to worry about.


                                    Loading vmlinuz..................
                                    Loading scsi.cgz.........................
                                    Loading initrd.cgz..........
                                    Ready.
                                    Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
                                    BIOS-provided physical RAM map:
                                     BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
                                     BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
                                     BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
                                     BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
                                     BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
                                     BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
                                     BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
                                     BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
                                     BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
                                     BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
                                     BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
                                    792MB LOWMEM available.
                                    Zone PFN ranges:
                                      DMA             0 ->     4096
                                      Normal       4096 ->   202752
                                    early_node_map[1] active PFN ranges

                                    ...

                                    Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
                                    serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
                                    Floppy drive(s): fd0 is 1.44M
                                    FDC 0 is a post-1991 82077
                                    RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
                                    USB Universal Host Controller Interface driver v3.0
                                    Initializing USB Mass Storage driver...
                                    usbcore: registered new interface driver usb-storage
                                    USB Mass Storage support registered.
                                    serio: i8042 KBD port at 0x60,0x64 irq 1
                                    serio: i8042 AUX port at 0x60,0x64 irq 12
                                    usbcore: registered new interface driver usbhid
                                    drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
                                    Using IPI Shortcut mode
                                    BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
                                    Freeing unused kernel memory: 144k freed
                                    Booting ntpasswd
                                    Mounting: proc sys
                                    Ramdisk setup complete, stage separation..
                                    In stage 2
                                    Spawning shells on console 2 - 6
                                    Initialization complete!

                                    ** Preparing driver modules to dir /lib/modules/2.6.22.6
                                    input: AT Translated Set 2 keyboard as /class/input/input0

                                    Most of the generic linux boot now done, and we try to load the disk drivers. If you use the floppy version you will be asked to swap floppies at this point. Drivers are then tried based on PCI hardware identification.

                                    ** Will now try to auto-load relevant drivers based on PCI information

                                    ---- AUTO DISK DRIVER select ----
                                    --- PROBE FOUND THE FOLLOWING DRIVERS:
                                    ata_piix
                                    ata_generic
                                    mptspi
                                    --- TRYING TO LOAD THE DRIVERS
                                    ### Loading ata_piix
                                    scsi0 : ata_piix
                                    scsi1 : ata_piix
                                    ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
                                    ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
                                    ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
                                    ata2.00: configured for UDMA/33
                                    scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
                                    sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
                                    Uniform CD-ROM driver Revision: 3.20

                                    ### Loading ata_generic

                                    ### Loading mptspi
                                    Fusion MPT base driver 3.04.04
                                    Copyright (c) 1999-2007 LSI Logic Corporation
                                    Fusion MPT SPI Host driver 3.04.04
                                    PCI: Found IRQ 9 for device 0000:00:10.0
                                    mptbase: Initiating ioc0 bringup
                                    ioc0: 53C1030: Capabilities={Initiator}
                                    scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
                                    scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2
                                    target2:0:0: Beginning Domain Validation
                                    target2:0:0: Domain Validation skipping write tests
                                    target2:0:0: Ending Domain Validation
                                    target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
                                    sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                    sd 2:0:0:0: [sda] Write Protect is off
                                    sd 2:0:0:0: [sda] Cache data unavailable
                                    sd 2:0:0:0: [sda] Assuming drive cache: write through
                                    sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
                                    sd 2:0:0:0: [sda] Write Protect is off
                                    sd 2:0:0:0: [sda] Cache data unavailable
                                    sd 2:0:0:0: [sda] Assuming drive cache: write through
                                    sda: sda1
                                    sd 2:0:0:0: [sda] Attached SCSI disk

                                    Most of these messages are from the drivers themselves. Some talk a lot, some don't. But all give info on the brand and model and size of the disks found, if any.


                                    -------------------------------------------------------------
                                    Driver load done, if none loaded, you may try manual instead.
                                    -------------------------------------------------------------


                                    ** If no disk show up, you may have to try again (d option) or manual (m).

                                    You can later load more drivers..



                                    *************************************************************************
                                    * Windows Registry Edit Utility Floppy / chntpw                         *
                                    * (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                    *
                                    * GNU GPL v2 license, see files on CD                                   *
                                    *                                                                       *
                                    * This utility will enable you to change or blank the password of       *
                                    * any user (incl. administrator) on an Windows NT/2k/XP/Vista           *
                                    * WITHOUT knowing the old password.                                     *
                                    * Unlocking locked/disabled accounts also supported.                    *
                                    *                                                                       *
                                    * It also has a registry editor, and there is now support for           *
                                    * adding and deleting keys and values.                                  *
                                    *                                                                       *
                                    * Tested on: NT3.51 & NT4: Workstation, Server, PDC.                    *
                                    *            Win2k Prof & Server to SP4. Cannot change AD.              *
                                    *            XP Home & Prof: up to SP2                                  *
                                    *            Win 2003 Server (cannot change AD passwords)               *
                                    *            Vista 32 and 64 bit                                        *
                                    *                                                                       *
                                    * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...       *
                                    *************************************************************************

                                    =========================================================
                                    There are several steps to go through:
                                    - Disk select with optional loading of disk drivers
                                    - PATH select, where are the Windows systems files stored
                                    - File-select, what parts of registry we need
                                    - Then finally the password change or registry edit itself
                                    - If changes were made, write them back to disk

                                    DON'T PANIC! Usually the defaults are OK, just press enter
                                    all the way through the questions

                                    =========================================================
                                    ¤ Step ONE: Select disk where the Windows installation is
                                    =========================================================

                                    Disks:
                                    Disk /dev/sda: 42.9 GB, 42949672960 bytes

                                    Candidate Windows partitions found:
                                     1 : /dev/sda1 40958MB BOOT

                                    Here it has found one disk with one partition

                                    Please select partition by number or
                                     q = quit
                                     d = automatically start disk drivers
                                     m = manually select disk drivers to load
                                     f = fetch additional drivers from floppy / usb
                                     a = show all partitions found
                                     l = show propbable Windows (NTFS) partitions only
                                    Select: [1]

                                    Here you select one of the partitions listed above (in this case there is only one) or one of the letters from the menu.

                                    Floppy users may need to do 'f' to load in more drivers from another floppy.

                                    The 'd' option will re-run the PCI scan and start relevant drivers (they must already be loaded from floppy with 'f' option)

                                    The 'm' for manual load will present a list of all the drivers with short description if available, and allow you to specify which to load. (Dependencies are handled automatically)

                                    Here we only have one partition, so we just press enter to select it.


                                    Selected 1

                                    Mounting from /dev/sda1, with filesystem type NTFS

                                    NTFS volume version 3.1.

                                    It was an NTFS filesystem, and it mounted successfully.


                                    =========================================================
                                    ¤ Step TWO: Select PATH and registry files
                                    =========================================================
                                    What is the path to the registry directory? (relative to windows disk)
                                    [WINDOWS/system32/config] :

                                    The registry is usually system32/config under WINDOWS or WINNT directory, depending on the windows version (and it may be changed during installation). If the correct partition has been selected, the default prompt will be adjusted to match if it can find one of the usual variants.

                                    We accept the defaults.. and get a (bit filtered) directory listing showing most of the interesting registry files


                                    -rw------- 2 0 0   262144 Feb 28  2007 BCD-Template
                                    -rw------- 2 0 0  6815744 Sep 23 12:33 COMPONENTS
                                    -rw------- 1 0 0   262144 Sep 23 12:33 DEFAULT
                                    drwx------ 1 0 0        0 Nov  2  2006 Journal
                                    drwx------ 1 0 0     8192 Sep 23 12:33 RegBack
                                    -rw------- 1 0 0   524288 Sep 23 12:33 SAM
                                    -rw------- 1 0 0   262144 Sep 23 12:33 SECURITY
                                    -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
                                    -rw------- 1 0 0  9175040 Sep 23 12:33 SYSTEM
                                    drwx------ 1 0 0     4096 Nov  2  2006 TxR
                                    drwx------ 1 0 0     4096 Feb 27  2007 systemprofile

                                    Select which part of registry to load, use predefined choices
                                    or list the files with space as delimiter
                                    1 - Password reset [sam system security]
                                    2 - RecoveryConsole parameters [software]
                                    q - quit - return to previous
                                    [1] :

                                    Choice 1 is for password edit, most used. But if you wish, you can load any of the files (just enter its name) and do manual registry edit on them.

                                    But here, we select 1 for password edit, some files are copied around into memory and the edit application is invoked.


                                    Selected files: sam system security
                                    Copying sam system security to /tmp

                                    =========================================================
                                    ¤ Step THREE: Password or registry edit
                                    =========================================================
                                    chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
                                    Hive name (from header): <\SystemRoot\System32\Config\SAM>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                    Page at 0x44000 is not 'hbin', assuming file contains garbage at end
                                    File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
                                    Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

                                    Hive name (from header): <SYSTEM>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
                                    Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
                                    File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
                                    Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

                                    Hive name (from header): <emRoot\System32\Config\SECURITY>
                                    ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
                                    Page at 0x6000 is not 'hbin', assuming file contains garbage at end
                                    File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
                                    Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.


                                    * SAM policy limits:
                                    Failed logins before lockout is: 0
                                    Minimum password length        : 0
                                    Password history count         : 0


                                    ======== chntpw Main Interactive Menu ========

                                    Loaded hives: <sam> <system> <security>

                                    1 - Edit user data and passwords
                                    2 - Syskey status & change
                                    3 - RecoveryConsole settings
                                    - - -
                                    9 - Registry editor, now with full write support!
                                    q - Quit (you will be asked if there is something to save)


                                    What to do? [1] ->

                                    This demo shows selection 1 for password edit, but you can also do other things. Note that 2, Syskey may be dangerous! AND NOT NEEDED TO RESET PASSWORDS! and does not work at all on Vista, but you get some info before you do any changes.

                                    Selection 3, RecoveryConsole is only relevant for Win2k, XP and 2003 and you must have selected to load the SOFTWARE part of the registry (selection 2) earlier.

                                    The manual registry editor is always available, it is not the most user-friendly thing, but anyway..

                                    We continue our quest to change our "admin" user's password..


                                    ===== chntpw Edit User Info & Passwords ====

                                    | RID -|---------- Username ------------| Admin? |- Lock? --|
                                    | 03e8 | admin                          | ADMIN  |          |
                                    | 01f4 | Administrator                  | ADMIN  | dis/lock |
                                    | 03ec | grumf1                         |        |          |
                                    | 03ed | grumf2                         |        |          |
                                    | 03ee | grumf3                         |        |          |
                                    | 01f5 | Guest                          |        | dis/lock |
                                    | 03ea | jalla1                         | ADMIN  | *BLANK*  |
                                    | 03eb | jalla2                         |        | *BLANK*  |
                                    | 03e9 | petro                          | ADMIN  | *BLANK*  |

                                    This is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users. The users marked "ADMIN" are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

                                    The built-in (at install time in all Windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8).

                                    The "lock?" column shows if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

                                    We select to edit the "admin" user (this was the user made administrator by the Vista installer)


                                    Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
                                    or simply enter the username to change: [Administrator] admin

                                    RID     : 1000 [03e8]
                                    Username: admin
                                    fullname:
                                    comment :
                                    homedir :

                                    User is member of 1 groups:
                                    00000220 = Administrators (which has 4 members)

                                    Group 220 is THE BOSS GROUP! :)

                                    Account bits: 0x0214 =
                                    [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
                                    [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
                                    [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
                                    [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
                                    [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

                                    Failed login count: 0, while max tries is: 0
                                    Total login count: 3

                                    Some status info, user is locked out if "Disabled" is set or "Failed login count" is larger than "max tries" policy setting. This user is not locked in any way. The lockout can be reset with option 4 below.

                                    - - - - User Edit Menu:
                                     1 - Clear (blank) user password
                                     2 - Edit (set new) user password (careful with this on XP or Vista)
                                     3 - Promote user (make user an administrator)
                                    (4 - Unlock and enable user account) [seems unlocked already]
                                     q - Quit editing user, back to user select
                                    Select: [q] > 1
                                    Password cleared!

                                    Here we just reset/clear/blank the password. But you can also try to set a new password with option 2, but it will only work if the password is not blank already. Also, it often fails to work on XP and newer systems.

                                    Number 3 is to put a non-admin user into the administrators (220) group, thus making the user an administrator. IT IS STILL EXPERIMENTAL AND IT MAY sometimes RESULT IN STRANGE ERRORS WHEN LATER EDITING THE GROUP FROM WINDOWS! Also, usually pointless in promoting the Guest user, as it is most likely forbidden to log in by the security policy settings.


                                    Select: ! - quit, . - list users, 0x - User with RID (hex) or simply enter the username to change: [Administrator] !

                                    Exclamation point ! quits out (it's SHIFT 1 on the US keyboard layout used on the boot CD) Then we get back to the main menu, and select to quit..


                                    ======== chntpw Main Interactive Menu ========

                                    Loaded hives: <sam> <system> <security>

                                    1 - Edit user data and passwords
                                    2 - Syskey status & change
                                    3 - RecoveryConsole settings
                                    - - -
                                    9 - Registry editor, now with full write support!
                                    q - Quit (you will be asked if there is something to save)


                                    What to do? [1] -> q

Hives that have changed:
 # Name
 0 - OK

=========================================================
¤ Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y

                                    You must answer y, or the changes will not be saved. This is the last chance to change your mind!

                                    Writing sam

                                    Only changed files of the registry are actually written back.

                                    If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot.


                                    ***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] : n
                                    =========================================================

* end of scripts.. returning to the shell..
* Press CTRL-ALT-DEL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.sh'

                                    (Please ignore the message about job control, it is not relevant)


BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

sh: can't access tty; job control turned off

And I got about a gazillion questions on this error message, even if it is mentioned in the FAQ. It is from the shell telling it cannot do "job control" which means it cannot handle CTRL-C etc. It HAS NOTHING TO DO WITH YOUR PASSWORD RESET DID NOT WORK! That is caused by a lot of other things.














                                    edited Jan 4 '18 at 4:39

























                                    answered Dec 26 '15 at 15:18









                                    Pimp Juice IT

                                    23.1k113869



























                                        9














                                        You can gain command line access (in SYSTEM context) to a Windows computer by changing a couple of registry values. You can then reset passwords, create new accounts, run cracking tools, and so on.



                                        This is the short version, for advanced users and sysadmins:



                                        1) Boot to Windows 7 from the installation or repair DVD, or from Windows PE 3 boot media, or from a Windows 7 installation on another HDD. (If the target OS is Vista, use the Vista installation DVD, or Windows PE 2, or another Vista installation. If the target OS is Windows XP, use Windows PE or another Windows XP installation.)



                                        2) Load the SYSTEM registry hive from the target OS. Back it up first.



                                        3) In the Setup key, change SetupType to 2 and CmdLine to cmd.exe.



                                        4) Boot the target OS. You’ll get a command-line window in system context.



                                        There are more details here including instructions for non-experts on using this technique to reset a password. (Remember that resetting a password will result in the loss of all encrypted files and data.)














                                            edited Sep 7 '11 at 21:26

























                                            answered Sep 7 '11 at 21:14









                                            Harry Johnston

                                            4,38652248
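The change made in steps 2 and 3 of the answer above can be read back and checked. This is an added example, not part of the original answer: it parses `reg query HKLM\SYSTEM\Setup` output and flags a non-zero SetupType or a non-empty CmdLine. The sample output is constructed, and the baseline (SetupType 0 and an empty CmdLine on a machine that is not being installed), the severity labels and the function names are assumptions.

```python
"""Audit `reg query HKLM\\SYSTEM\\Setup` output for the SetupType/CmdLine change."""

SETUP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Setup"
# Assumption: command interpreters rated "high" when they appear in CmdLine.
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}


def parse_reg_query(text):
    """Parse `reg query` output into {key_path_lower: {value_name_lower: data}}.

    Value lines are indented and use four spaces between name, type and data.
    REG_DWORD data is converted from its 0x... form to an int.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            current = keys.setdefault(raw.strip().lower(), {})
            continue
        if current is None or not raw.startswith(" "):
            continue
        parts = raw.strip().split("    ", 2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        name, rtype = parts[0], parts[1].strip()
        data = parts[2].strip() if len(parts) == 3 else ""
        if rtype == "REG_DWORD":
            data = int(data, 16) if data else 0
        current[name.lower()] = data
    return keys


def first_program(cmdline):
    """Return the lower-cased file name of the first program in a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        path = cmdline[1:].split('"', 1)[0]
    else:
        path = cmdline.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_setup_key(reg_text, key=SETUP_KEY):
    """Return (severity, value_name, data) findings for the Setup key.

    Pass `key` when the SYSTEM hive was loaded offline under another name.
    """
    values = parse_reg_query(reg_text).get(key.lower())
    if values is None:
        raise ValueError("no values found for " + key)
    findings = []
    setup_type = values.get("setuptype", 0)
    cmdline = values.get("cmdline", "")
    if setup_type != 0:
        findings.append(("review", "SetupType", setup_type))
    if cmdline:
        severity = "high" if first_program(cmdline) in SHELLS else "review"
        findings.append((severity, "CmdLine", cmdline))
    return findings


# Constructed sample: the assumed baseline.
CLEAN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Setup
    CmdLine    REG_SZ
    SetupType    REG_DWORD    0x0
    SystemPartition    REG_SZ    \Device\HarddiskVolume1
    SystemSetupInProgress    REG_DWORD    0x0
"""

# Constructed sample: the values from step 3 of the answer.
TAMPERED_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Setup
    CmdLine    REG_SZ    cmd.exe
    SetupType    REG_DWORD    0x2
    SystemPartition    REG_SZ    \Device\HarddiskVolume1
    SystemSetupInProgress    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, audit_setup_key(sample))
```
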



























                                                8














                                                You can reset your password using another tool called Hiren's BootCD.



                                                Download Hiren's Boot from here, unzip it and use BurnCDCC.exe to burn the ISO to a DVD.



                                                Boot using Hiren's Boot on your locked PC and in the menu shown select Offline NT/2000/XP/Vista/7 Password Changer and click Enter twice (for confirmation and to continue for the list of Linux Kernel Boot).



In the following prompt select the correct drive where Windows is installed. Press Enter to confirm that your registry directory is Windows/system32/config.



On the chntpw Main Interactive Menu select [1] for Edit user data and passwords.



Select the user whose password you want to reset by typing the username and hitting Enter.



                                                There you have a list of options for this user. [1] should be for Clear the password.
                                                After successfully resetting your forgotten Windows password, type “!” to close the User Editor Tool.



                                                Now type “q” and hit Enter to close the Offline Password Editor and Registry tool.



                                                Now type “y” and hit Enter to confirm the password change.



                                                Now it will ask you whether you want to use it again or not. Just type “n” and hit Enter.



                                                Remove your CD and restart the PC and your user shouldn't have a password anymore.



                                                Hope this helps you.














                                                edited Jan 4 '16 at 19:47









                                                Stackcraft_noob

                                                1,314313














                                                answered Nov 10 '14 at 9:19









                                                Radu Dramba

                                                14411
















                                                • Hiren's is considered pirated software as of the date you posted.
                                                  – Moab
                                                  Aug 16 '16 at 21:54





























                                                7














                                                Windows Boot Genius - Recovers your lost Windows local administrator/user passwords in Windows 8.1, 8, 7, Vista, XP.



                                                Password Recovery Bundle - Instantly bypass, unlock or reset lost administrator and other account passwords on any Windows 8, 7, 2008, Vista, XP, 2003, 2000 system, if you forgot Windows password and couldn't log into the computer. It can also reset Windows domain administrator/user password for Windows 2012 / 2008 / 2003 / 2000 Active Directory servers.



                                                Renee Passnow - Use PassNow which is independent of Windows system: reset login password, clone hard disk, create disk partition or format disk, erase data and fix system startup problems.














                                                edited Jan 20 '15 at 15:39

























                                                answered Jan 18 '15 at 22:22









                                                Davidenko

                                                1,13231529
















                                                • None of these are free as of 2016
                                                  – Moab
                                                  Aug 16 '16 at 21:57





























                                                6














Adding an answer to cover the method that worked for me (which is not yet fully covered in other answers here). This works for Windows 7; later versions of Windows have this exploit closed.



                                                I attempted some other procedures listed in other answers without success. What worked for me was the replace sethc.exe (sticky keys) with cmd.exe hack/trick. But I had to do this through using Notepad.exe which is run to view logfiles after system recovery. Other techniques to get in on command-line as admin with drive mounted didn't work so I had to use this Notepad trick.



                                                Procedure:




                                                1. Shutdown and reboot. When Windows starting is seen hold down the power button and power off.


                                                2. Power on. Windows boot should report that last Windows start up failed so it will give the option of "Launch startup repair". Choose this option.


                                                3. Cancel the Startup Repair. Cancel the System Restore.


                                                4. A report dialog will show reporting repair could not be done. In there expand "View problem details". Under problem details a link to x:/windows/... log file is shown. Click on this.



                                                5. Notepad.exe opens showing the logfile. This Notepad is running as Administrator and the mounted filesystem x: is your hard disk.



                                                  5.1 Notepad: File - Open - browse to X:/Windows/system32 - scroll to sethc.exe



                                                  5.2 Right-click on sethc.exe and rename to sethc-BACKUP.exe



                                                  5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right click. Paste.



                                                  5.4. When I pasted cmd.exe the command-line ran (as Administrator) so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on command-line.



                                                  5.4-1 If you prefer not command-line then just use Notepad File Open browser and make a copy of cmd.exe and rename it to sethc.exe



                                                6. Reboot without any funny stuff.


                                                7. At login page hit shift key 5 times or more triggering sticky keys. Instead of sticky keys prompt a command-line dialog appears. Running as Administrator. 'net user Administrator *' to set the password.



                                                Good description with screenshots of the procedure here:
                                                http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/





                                                Background: The Administrator password with laptop was not known by owner. They had a user account with admin privs so didn't find the need of it. UNTIL the windows login page stopped showing their user! We are guessing the User profile became corrupt or had something bad in it.



                                                I attempted a series of procedures before getting the Notepad+sticky keys replace hack to work. For the record here they are (and the problem I encountered with them):




                                                1. When trying to log in as Administrator after an incorrect password you are prompted to insert rescue disk (in order to reset password). We had a Windows 7 rescue disk on cd. But the prompt asked for floppy or USB. I had no handy USB stick and was too lazy to go shopping and messing with creating USB boot disk.


                                                2. Using system repair disk to get in on command-line did not allow the replacing of sethc.exe with cmd.exe trick/hack. Or allow resetting admin password 'net use Administrator *'. The command-line was running as admin but not as the real admin on machine more as the system repair admin and the disk did not seem to be mounted with full access . . . ~ not sure ~


3. Using Linux system rescue cd (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I would kind of see it was a GPT partitioned drive - tools ntfs-3g gparted sfdisk should work with GPT but didn't. This computer has a prompt for username + domain + password before windows starts so not sure but maybe there is some extra security (which is needed to mount drive?)



                                                What eventually DID work was follow system recover sequence (no external/additional cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe. Then reboot - trigger sticky keys - set password using command-line 'net user Administrator *'.



                                                In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) It is pretty simple. So it is probably worth trying as one of the first password recovery methods.





























                                                • The PC I'm using has the sticky keys shortcut disabled. I tried this, and when I got to login, clicked the ease of access centre to launch sticky keys, but just got an error message. Went to system repair to undo my dirty work, and this time was prompted for a password before I could even launch system repair. Seems like I pissed windows off...
                                                  – Some_Guy
                                                  Jun 18 '18 at 2:17
















                                                6














                                                Adding an answer to cover the method that worked for me (which is not yet fully covered in other answers here). This works for Windows 7, later versions of windows have this exploit closed.



                                                I attempted some other procedures listed in other answers without success. What worked for me was the replace sethc.exe (sticky keys) with cmd.exe hack/trick. But I had to do this through using Notepad.exe which is run to view logfiles after system recovery. Other techniques to get in on command-line as admin with drive mounted didn't work so I had to use this Notepad trick.



                                                Procedure:




                                                1. Shutdown and reboot. When Windows starting is seen hold down the power button and power off.


                                                2. Power on. Windows boot should report that last Windows start up failed so it will give the option of "Launch startup repair". Choose this option.


                                                3. Cancel the Startup Repair. Cancel the System Restore.


                                                4. A report dialog will show reporting repair could not be done. In there expand "View problem details". Under problem details a link to x:/windows/... log file is shown. Click on this.



                                                5. Notepad.exe opens showing the logfile. This Notepad is running as Administrator and the mounted filesystem x: is your hard disk.



                                                  5.1 Notepad: File - Open - browse to X:/Windows/system32 - scroll to sethc.exe



                                                  5.2 Right-click on sethc.exe and rename to sethc-BACKUP.exe



                                                  5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right click. Paste.



                                                  5.4. When I pasted cmd.exe the command-line ran (as Administrator) so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on command-line.



                                                  5.4-1 If you prefer not command-line then just use Notepad File Open browser and make a copy of cmd.exe and rename it to sethc.exe



                                                6. Reboot without any funny stuff.


                                                7. At login page hit shift key 5 times or more triggering sticky keys. Instead of sticky keys prompt a command-line dialog appears. Running as Administrator. 'net user Administrator *' to set the password.



                                                Good description with screenshots of the procedure here:
                                                http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/





                                                Background: The Administrator password with laptop was not known by owner. They had a user account with admin privs so didn't find the need of it. UNTIL the windows login page stopped showing their user! We are guessing the User profile became corrupt or had something bad in it.



                                                I attempted a series of procedures before getting the Notepad+sticky keys replace hack to work. For the record here they are (and the problem I encountered with them):




                                                1. When trying to log in as Administrator after an incorrect password you are prompted to insert rescue disk (in order to reset password). We had a Windows 7 rescue disk on cd. But the prompt asked for floppy or USB. I had no handy USB stick and was too lazy to go shopping and messing with creating USB boot disk.


                                                2. Using system repair disk to get in on command-line did not allow the replacing of sethc.exe with cmd.exe trick/hack. Or allow resetting admin password 'net use Administrator *'. The command-line was running as admin but not as the real admin on machine more as the system repair admin and the disk did not seem to be mounted with full access . . . ~ not sure ~


                                                3. Using linux system rescue cd (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I would kindof see it was a GPT partitioned drive - tools ntfs-3g gparted sfdisk should work with GPT but didn't. This computer has a prompt for username + domain + password before windows starts so not sure but maybe there is some extra security (which is needed to mount drive?)



                                                What eventually DID work was follow system recover sequence (no external/additional cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe. Then reboot - trigger sticky keys - set password using command-line 'net user Administrator *'.



                                                In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) It is pretty simple. So it is probably worth trying as one of the first password recovery methods.






                                                share|improve this answer























                                                • The PC I'm using has the sticky keys shortcut disabled. I tried this, and when I got to login, clicked the ease of access centre to launch sticky keys, but just got an error message. Went to system repair to undo my dirty work, and this time was prompted for a password before I could even launch system repair. Seems like I pissed windows off...
                                                  – Some_Guy
                                                  Jun 18 '18 at 2:17














                                                6












                                                6








                                                6






                                                Adding an answer to cover the method that worked for me (which is not yet fully covered in other answers here). This works for Windows 7, later versions of windows have this exploit closed.



                                                I attempted some other procedures listed in other answers without success. What worked for me was the replace sethc.exe (sticky keys) with cmd.exe hack/trick. But I had to do this through using Notepad.exe which is run to view logfiles after system recovery. Other techniques to get in on command-line as admin with drive mounted didn't work so I had to use this Notepad trick.



                                                Procedure:




                                                1. Shutdown and reboot. When Windows starting is seen hold down the power button and power off.


                                                2. Power on. Windows boot should report that last Windows start up failed so it will give the option of "Launch startup repair". Choose this option.


                                                3. Cancel the Startup Repair. Cancel the System Restore.


                                                4. A report dialog will show reporting repair could not be done. In there expand "View problem details". Under problem details a link to x:/windows/... log file is shown. Click on this.



                                                5. Notepad.exe opens showing the logfile. This Notepad is running as Administrator and the mounted filesystem x: is your hard disk.



                                                  5.1 Notepad: File - Open - browse to X:/Windows/system32 - scroll to sethc.exe



                                                  5.2 Right-click on sethc.exe and rename to sethc-BACKUP.exe



                                                  5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right click. Paste.



                                                  5.4. When I pasted cmd.exe the command-line ran (as Administrator) so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on command-line.



                                                  5.4-1 If you prefer not command-line then just use Notepad File Open browser and make a copy of cmd.exe and rename it to sethc.exe



                                                6. Reboot without any funny stuff.


                                                7. At login page hit shift key 5 times or more triggering sticky keys. Instead of sticky keys prompt a command-line dialog appears. Running as Administrator. 'net user Administrator *' to set the password.



                                                Good description with screenshots of the procedure here:
                                                http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/





                                                Background: The Administrator password with laptop was not known by owner. They had a user account with admin privs so didn't find the need of it. UNTIL the windows login page stopped showing their user! We are guessing the User profile became corrupt or had something bad in it.



                                                I attempted a series of procedures before getting the Notepad+sticky keys replace hack to work. For the record here they are (and the problem I encountered with them):




                                                1. When trying to log in as Administrator after an incorrect password you are prompted to insert rescue disk (in order to reset password). We had a Windows 7 rescue disk on cd. But the prompt asked for floppy or USB. I had no handy USB stick and was too lazy to go shopping and messing with creating USB boot disk.


                                                2. Using system repair disk to get in on command-line did not allow the replacing of sethc.exe with cmd.exe trick/hack. Or allow resetting admin password 'net use Administrator *'. The command-line was running as admin but not as the real admin on machine more as the system repair admin and the disk did not seem to be mounted with full access . . . ~ not sure ~


                                                3. Using linux system rescue cd (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I would kindof see it was a GPT partitioned drive - tools ntfs-3g gparted sfdisk should work with GPT but didn't. This computer has a prompt for username + domain + password before windows starts so not sure but maybe there is some extra security (which is needed to mount drive?)



                                                What eventually DID work was follow system recover sequence (no external/additional cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe. Then reboot - trigger sticky keys - set password using command-line 'net user Administrator *'.



                                                In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) It is pretty simple. So it is probably worth trying as one of the first password recovery methods.






                                                share|improve this answer














                                                Adding an answer to cover the method that worked for me (which is not yet fully covered in other answers here). This works for Windows 7, later versions of windows have this exploit closed.



                                                I attempted some other procedures listed in other answers without success. What worked for me was the replace sethc.exe (sticky keys) with cmd.exe hack/trick. But I had to do this through using Notepad.exe which is run to view logfiles after system recovery. Other techniques to get in on command-line as admin with drive mounted didn't work so I had to use this Notepad trick.



                                                Procedure:




                                                1. Shutdown and reboot. When Windows starting is seen hold down the power button and power off.


                                                2. Power on. Windows boot should report that last Windows start up failed so it will give the option of "Launch startup repair". Choose this option.


                                                3. Cancel the Startup Repair. Cancel the System Restore.


                                                4. A report dialog will show reporting repair could not be done. In there expand "View problem details". Under problem details a link to x:/windows/... log file is shown. Click on this.



                                                5. Notepad.exe opens showing the logfile. This Notepad is running as Administrator and the mounted filesystem x: is your hard disk.



                                                  5.1 Notepad: File - Open - browse to X:/Windows/system32 - scroll to sethc.exe



                                                  5.2 Right-click on sethc.exe and rename to sethc-BACKUP.exe



                                                  5.3 Scroll to cmd.exe. Right-click on cmd.exe. Copy. Right click. Paste.



                                                  5.4. When I pasted cmd.exe the command-line ran (as Administrator) so I did 'cd x:/Windows/system32' and then 'copy cmd.exe sethc.exe' on command-line.



                                                  5.4-1 If you prefer not command-line then just use Notepad File Open browser and make a copy of cmd.exe and rename it to sethc.exe



                                                6. Reboot without any funny stuff.


                                                7. At login page hit shift key 5 times or more triggering sticky keys. Instead of sticky keys prompt a command-line dialog appears. Running as Administrator. 'net user Administrator *' to set the password.



                                                Good description with screenshots of the procedure here:
                                                http://null-byte.wonderhowto.com/how-to/hack-windows-7-become-admin-0160151/





                                                Background: The Administrator password with laptop was not known by owner. They had a user account with admin privs so didn't find the need of it. UNTIL the windows login page stopped showing their user! We are guessing the User profile became corrupt or had something bad in it.



                                                I attempted a series of procedures before getting the Notepad+sticky keys replace hack to work. For the record here they are (and the problem I encountered with them):




                                                1. When trying to log in as Administrator after an incorrect password you are prompted to insert rescue disk (in order to reset password). We had a Windows 7 rescue disk on cd. But the prompt asked for floppy or USB. I had no handy USB stick and was too lazy to go shopping and messing with creating USB boot disk.


                                                2. Using system repair disk to get in on command-line did not allow the replacing of sethc.exe with cmd.exe trick/hack. Or allow resetting admin password 'net use Administrator *'. The command-line was running as admin but not as the real admin on machine more as the system repair admin and the disk did not seem to be mounted with full access . . . ~ not sure ~


                                                3. Using linux system rescue cd (https://www.system-rescue-cd.org (version 4.8.2)) I could not mount the drive. I would kindof see it was a GPT partitioned drive - tools ntfs-3g gparted sfdisk should work with GPT but didn't. This computer has a prompt for username + domain + password before windows starts so not sure but maybe there is some extra security (which is needed to mount drive?)



                                                What eventually DID work was follow system recover sequence (no external/additional cd needed) at end view logfile (opens in Notepad). Then do file open - browse to cmd.exe - copy - paste - overwrite sethc.exe. Then reboot - trigger sticky keys - set password using command-line 'net user Administrator *'.



                                                In conclusion, this solution doesn't require you to have any extra boot or repair CD. It is very portable :-) It is pretty simple. So it is probably worth trying as one of the first password recovery methods.







                                                share|improve this answer














                                                share|improve this answer



                                                share|improve this answer








edited Sep 26 '16 at 14:22
answered Sep 26 '16 at 13:45
gaoithe












• The PC I'm using has the sticky keys shortcut disabled. I tried this, and when I got to login, clicked the ease of access centre to launch sticky keys, but just got an error message. Went to system repair to undo my dirty work, and this time was prompted for a password before I could even launch system repair. Seems like I pissed Windows off...
  – Some_Guy
  Jun 18 '18 at 2:17
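
A defensive check for the change the answer above makes, as an added example that is not part of the original answer: it audits a Windows `System32` directory (live, or an offline volume mounted read-only) for logon-screen accessibility programs that are byte-identical to a command shell, and for renamed originals such as `sethc-BACKUP.exe`. The list of accessibility binaries, the function names and the sample tree with placeholder file contents are assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile

# Programs launchable from the logon screen (list assumed for this example).
ACCESSIBILITY = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                 "narrator.exe", "displayswitch.exe")
# Shells that get copied over them, relative to System32.
SHELLS = ("cmd.exe", "WindowsPowerShell/v1.0/powershell.exe")
# Matches renamed originals such as sethc-BACKUP.exe or utilman.exe.bak.
LEFTOVER = re.compile(
    r"^(%s)[^a-z0-9]" % "|".join(n[:-4] for n in ACCESSIBILITY))


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_ci(base, relative):
    """Find base/relative ignoring case; NTFS mounted on Linux is case-sensitive."""
    current = base
    for part in relative.split("/"):
        try:
            names = os.listdir(current)
        except OSError:
            return None
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        current = os.path.join(current, hit)
    return current if os.path.isfile(current) else None


def audit_system32(system32):
    """Return (file name, finding) tuples for one System32 directory."""
    findings = []
    shell_hashes = {}
    for rel in SHELLS:
        path = resolve_ci(system32, rel)
        if path:
            shell_hashes[sha256_of(path)] = os.path.basename(path)

    # An accessibility program with the same bytes as a shell has been replaced.
    for name in ACCESSIBILITY:
        path = resolve_ci(system32, name)
        if path is None:
            findings.append((name, "missing"))
        else:
            shell = shell_hashes.get(sha256_of(path))
            if shell:
                findings.append((os.path.basename(path), "identical to " + shell))

    # A renamed original next to it is a second trace of the same change.
    for entry in sorted(os.listdir(system32)):
        match = LEFTOVER.match(entry.lower())
        if match and entry.lower() not in ACCESSIBILITY:
            findings.append(
                (entry, "possible renamed original of %s.exe" % match.group(1)))
    return findings


def build_sample_tree(root, tampered):
    """Constructed stand-in for a System32 directory; contents are placeholder bytes."""
    system32 = os.path.join(root, "Windows", "System32")
    os.makedirs(system32)
    files = {"cmd.exe": b"constructed cmd image",
             "sethc.exe": b"constructed sethc image",
             "Utilman.exe": b"constructed utilman image",
             "osk.exe": b"constructed osk image",
             "Magnify.exe": b"constructed magnify image",
             "Narrator.exe": b"constructed narrator image",
             "DisplaySwitch.exe": b"constructed displayswitch image"}
    if tampered:
        # State left behind by the rename-and-copy steps described in the answer.
        files["sethc-BACKUP.exe"] = files["sethc.exe"]
        files["sethc.exe"] = files["cmd.exe"]
    for name, data in files.items():
        with open(os.path.join(system32, name), "wb") as fh:
            fh.write(data)
    return system32


def demo(tampered=True):
    with tempfile.TemporaryDirectory() as root:
        return audit_system32(build_sample_tree(root, tampered))


if __name__ == "__main__":
    for name, finding in demo():
        print(name, "->", finding)
```

A byte-for-byte match only catches a shell copied from the same installation; a copy taken from another Windows build needs a second check, such as the original file name in the PE version resource.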



















                                                5














Use Kon-Boot to boot into the system, bypassing the login. After you log in, change to your required password.







edited Mar 17 '15 at 5:29
janot
answered Apr 26 '13 at 5:28
Shankar








• 5
  Please be more precise in your answer! Explain how to use konboot and how to change the password afterwards!
  – Simon
  Apr 26 '13 at 6:30

• 1
  Konboot is a simple CD, just boot the disk. It will bypass the Windows password when you normally would be asked for one.
  – Jeff Clayton
  Dec 31 '14 at 22:10

• To change the password is simple too, just go to the control panel and look for Users and Groups to edit.
  – Jeff Clayton
  Dec 31 '14 at 22:11

• You can change the password for any user there.
  – Jeff Clayton
  Dec 31 '14 at 22:12

• Kon Boot is no longer Free........
  – Moab
  Aug 16 '16 at 21:56















                                                5














Some of the answers here are quite complicated for some. The easiest way I know is to use Windows Password Rescuer.

The how-to-use explanations are all here:
http://www.daossoft.com/documents/how-to-use-windows-password-rescuer-personal.html

EDIT: As suggested in the comment, here is what you need.

1. Another computer
2. Windows Password Rescuer software
3. A USB disk or a CD/DVD

Steps:

1. Download the tool from the Daosoft website http://www.daossoft.com/products/windows-password-rescuer.html .
2. Install it on an available computer, then run it.
3. Create a password recovery disk (USB flash drive or a CD/DVD) using the tool.
   • Choose between the media types depending on what you have (USB flash drive or a CD/DVD), choose which drive it is on, then on step 2 click on begin burning.
   • When it is done, remove the USB flash drive or the CD/DVD used.
4. Now, on the computer to be repaired, boot it to CD/DVD or USB disk depending on the recovery disk made.
5. Restart your computer. The recovery disk should already be inserted.
6. It should boot through your recovery disk.
   • On the UI, choose the Windows which is affected.
   • Next, choose the account you want to reset.
   • Then click on reset password; a prompt will appear asking you for confirmation on resetting that account's password - click on yes.
   • On the table, the account chosen should have the word blank on password.
7. Click on reboot. There will be a confirmation window telling you that you can eject the recovery disk. Eject it, then click yes.

You should have no problems logging in to your account now.

























                                                • 2




                                                  Your answer looks simple because you don't tell the details on how to rescue the password using the tool. Should the link you provided break in the future your answer would be worthless.
                                                  – zagrimsan
                                                  Sep 13 '16 at 7:01
























                                                edited Sep 14 '16 at 6:23

























                                                answered Sep 13 '16 at 6:29









                                                Chan

                                                7117















                                                3














                                                One more tip. For Windows 8 and Windows 10, the preferred login method is with a Microsoft account. So you can reset the password and use the new one for login.

                                                Microsoft account password reset page: https://account.live.com/password/reset

                                                For a local Windows account, you can reset the password by following this tutorial.










































                                                    edited Oct 9 '16 at 6:34

























                                                    answered Sep 26 '16 at 7:19









                                                    zuligan

                                                    412



























                                                        3














                                                        Reset Admin-Password Windows 8.1, November 2016

                                                        I'd prefer to answer this question, because it is about Windows 8.1 and not 7, but it has been closed unwisely.

                                                        To avoid any misunderstanding: I needed to recover a Win 8.1 admin-pw.

                                                        If you try this answer: https://superuser.com/a/952224/82741 , and its Option 1, you'll find that the trick no longer works.

                                                        In the last step, where @td512 suggests using net user ..., it did not work in my case. Instead, I found that I can get a GUI from Windows to change the PW: type control userpasswords2, which made it appear, instead of net user ....










































                                                            edited Mar 20 '17 at 10:04









                                                            Community

                                                            1














                                                            answered Nov 30 '16 at 20:04









                                                            Keks Dose

                                                            193212



























                                                                1














                                                                I had this problem in the past, but I found a way to break the password. You just download this and read the README.txt file; you will get all the easy steps with which you can break your password. Still, I am writing the steps for you:

                                                                STEPS:

                                                                Step 1: Download the file from here.

                                                                Step 2: Copy all downloaded files to your removable disk (pen drive).

                                                                Step 3: Open a command prompt and write this line: h:syslinux.exe -ma h: (replace "h" with your removable drive, like i, j, G).

                                                                Step 4: Insert the pen drive in your targeted PC and boot this pen drive (legacy must be ON).

                                                                Step 5: Click Enter throughout all the steps until you get an instruction like clear password.

                                                                Step 6: After getting to this step, clear the password. Complete this step and restart your system; now it will not ask for a password and the computer will start.










































                                                                    edited Jan 4 '16 at 19:47









                                                                    Stackcraft_noob

                                                                    1,314313














                                                                    answered Sep 21 '15 at 15:58









                                                                    ALI SHEKH

                                                                    545





















                                                                        protected by Jeff Atwood Jun 7 '10 at 6:51


