I recently encountered a problem at work where a client’s Windows 10 PC lost trust to the domain. The user is an executive and the hindrance of his computer can affect real-time mission-critical tasks. He gave me 30 minutes to resolve the issue while he attended a meeting.<\/p>\n
<\/span> <\/p>\n Needless to say, I’ve encountered this issue many times in my career. It’s an easy fix using the Windows 7\/8\/10 installation media to reset the Administrator password, remove the PC off the domain and rejoin it. Unfortunately it didn’t work this time. After 20 minutes of scouring the net and scanning through the Microsoft Docs with no success, I turned to my development machine running Fedora with hopes of finding a solution.<\/p>\n With dnf search<\/em> I found a utility called chntpw<\/strong>:<\/p>\n According to the summary, chntpw<\/em> will “change passwords in Windows SAM files.”<\/p>\n Little did I know at the time there was more to this utility than explained in the summary. Hence, this article will go through the steps I used to successfully reset a Windows local user password using chntpw<\/em> and a Fedora Workstation Live boot USB. The article will also cover some of the features of chntpw<\/em> used for basic user administration.<\/p>\n If the PC can connect to the internet after booting the live media, install chntpw<\/em> from the official Fedora repository with:<\/p>\n If you’re unable to access the internet, no sweat! Fedora Workstation Live boot media has all the dependencies installed out-of-the-box, so all we need is the package. You can find the builds for your Fedora version from the Fedora Project’s Koji<\/a> site. You can use another computer to download the utility and use a USB thumb drive, or other form of media to copy the package.<\/p>\n First and foremost we need to create the Fedora Live USB stick. If you need instructions, the article on How to make a Fedora USB stick<\/a> is a great reference.<\/p>\n Once the key is created shut-down the Windows PC, insert the thumb drive if the USB key was created on another computer, and turn on the PC — be sure to boot from the USB drive. Once the live media boots, select “Try Fedora” and open the Terminal application.<\/p>\n Also, we need to mount the Windows drive to access the files. Enter the following command to view all drive partitions with an NTFS filesystem:<\/p>\n Most hard drives are assigned to \/dev\/sdaX<\/em> where X is the partition number — virtual drives may be assigned to \/dev\/vdX<\/em>, and some newer drives (like SSDs) use \/dev\/nvmeX<\/em>. For this example the Windows C drive is assigned to \/dev\/sda2<\/em>. To mount the drive enter:<\/p>\n Fedora Workstation contains the ntfs-3g<\/em> and ntfsprogs <\/em>packages out-of-the-box. If you’re using a spin that does not have NTFS working out of the box, you can install these two packages from the official Fedora repository with:<\/p>\n Once the drive is mounted, navigate to the location of the SAM file and verify that it’s there:<\/p>\n Now it’s time to get to work. The help flag -h<\/strong> provides everything we need to know about this utility and how to use it:<\/p>\n Use the -l<\/strong> parameter to display a list of users it reads from the SAM file:<\/p>\n Now that we have a list of Windows users we can edit the account. Use the -u<\/strong> parameter followed by the username and the name of the SAM file. For this example, edit the sysadm<\/em> account:<\/p>\n To clear the password press 1<\/strong> and ENTER. If successful you will see the following message:<\/p>\n Verify the change by repeating:<\/p>\n The “Lock?” column now shows BLANK<\/em> for the sysadm user. Type q<\/strong> to exit and y<\/strong> to write the changes to the SAM file. Reboot the machine into Windows and login using the account (in this case sysadm<\/em>) without a password.<\/p>\n Furthermore, chntpw<\/em> can perform basic Windows user administrative tasks. It has the ability to promote the user to the administrators group, unlock accounts, view and modify group memberships, and edit the registry.<\/p>\n chntpw<\/em> has an easy-to-use interactive menu to guide you through the process. Use the -i<\/strong> parameter to launch the interactive menu:<\/p>\n To display a list of groups and view its members, select option 2<\/strong> from the interactive menu:<\/p>\n To elevate the user with administrative privileges press 1<\/strong> to edit the account, then 3<\/strong> to promote the user:<\/p>\n Certainly the most noteworthy, as well as the most powerful, feature of chntpw is the ability to edit the registry and write to it. Select 9<\/strong> from the interactive menu:<\/p>\n As we saw earlier, the -h<\/strong> parameter allows us to quickly access a reference guide to the options available with chntpw. The man page contains detailed information and can be accessed with:<\/p>\n Also, if you’re interested in a more hands-on approach, spin up a virtual machine. Windows Server 2019<\/a> has an evaluation period of 180 days, and Windows Hyper-V Server 2019<\/a> is unlimited. Creating a Windows guest VM will provide the basics to modify the Administrator account for testing and learning. For help with quickly creating a guest VM refer to the article Getting started with virtualization in Gnome Boxes<\/a>.<\/p>\n chntpw<\/em> is a hidden gem for Linux administrators and IT professionals alike. While a nifty tool to quickly reset Windows account passwords, it can also be used to troubleshoot and modify local Windows accounts with a no-nonsense feel that delivers. This is perhaps only one such tool for solving the problem, though. If you’ve experienced this issue and have an alternative solution, feel free to put it in the comments below. <\/p>\n This tool, like many other “hacking” tools, holds with it an ethical responsibility. Even chntpw states:<\/p>\n NOTE: This program is somewhat hackish! You are on your own!<\/p>\n<\/blockquote>\n When using such programs, we should remember the three edicts outlined in the message displayed when running sudo<\/strong> for the first time:<\/p>\n Photo by\u00a0<\/em>Silas K\u00f6hler<\/em><\/a>\u00a0on\u00a0<\/em>Unsplash<\/em><\/a>,<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" I recently encountered a problem at work where a client’s Windows 10 PC lost trust to the domain. The user is an executive and the hindrance of his computer can affect real-time mission-critical tasks. He gave me 30 minutes to resolve the issue while he attended a meeting. Needless to say, I’ve encountered this issue […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[45,61,46,47],"class_list":["post-96837","post","type-post","status-publish","format-standard","hentry","category-fedora-os","tag-fedora","tag-fedora-project-community","tag-magazine","tag-news"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/96837","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=96837"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/96837\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=96837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=96837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=96837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}$ dnf search windows | grep password<\/pre>\n
Installation and setup<\/h2>\n
$ sudo dnf install chntpw<\/pre>\n
$ sudo blkid | grep ntfs<\/pre>\n
$ sudo mount \/dev\/sda2 \/mnt<\/pre>\n
$ sudo dnf install ntfs-3g ntfsprogs<\/pre>\n
$ cd \/mnt\/Windows\/System32\/config
$ ls | grep SAM
SAM
SAM.LOG1
SAM.LOG2<\/pre>\nClearing or resetting a password<\/h2>\n
$ chntpw -h
chntpw: change password of a user in a Windows SAM file,
or invoke registry editor. Should handle both 32 and 64 bit windows and
all version from NT3.x to Win8.1
chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] [\u2026]
-h This message
-u Username or RID (0x3e9 for example) to interactively edit
-l list all users in SAM file and exit
-i Interactive Menu system
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-v Be a little more verbose (for debuging)
-L For scripts, write names of changed files to \/tmp\/changed
-N No allocation mode. Only same length overwrites possible (very safe mode)
-E No expand mode, do not expand hive file (safe mode)
Usernames can be given as name or RID (in hex with 0x first)
See readme file on how to get to the registry files, and what they are.
Source\/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!<\/pre>\n$ sudo chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\\SystemRoot\\System32\\Config\\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 346\/37816 blocks\/bytes, unused: 23\/7016 blocks\/bytes.
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis\/lock |
| 01f7 | DefaultAccount | | dis\/lock |
| 03e8 | defaultuser0 | | dis\/lock |
| 01f5 | Guest | | dis\/lock |
| 03ea | sysadm | ADMIN | |
| 01f8 | WDAGUtilityAccount | | dis\/lock |
| 03e9 | WinUser | | |<\/pre>\n$ sudo chntpw -u sysadm SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\\SystemRoot\\System32\\Config\\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 346\/37816 blocks\/bytes, unused: 23\/7016 blocks\/bytes.
================= USER EDIT ====================
RID : 1002 [03ea]
Username: sysadm
fullname: SysADM
comment :
homedir :
00000220 = Administrators (which has 2 members)
Account bits: 0x0010 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
- - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] ><\/pre>\n...
Select: [q] > 1
Password cleared!
================= USER EDIT ====================
RID : 1002 [03ea]
Username: sysadm
fullname: SysADM
comment :
homedir :
00000220 = Administrators (which has 2 members)
Account bits: 0x0010 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 0
Total login count: 0
** No NT MD4 hash found. This user probably has a BLANK password!
** No LANMAN hash found either. Try login with no password!
...<\/pre>\n$ sudo chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\\SystemRoot\\System32\\Config\\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 346\/37816 blocks\/bytes, unused: 23\/7016 blocks\/bytes.
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | dis\/lock |
| 01f7 | DefaultAccount | | dis\/lock |
| 03e8 | defaultuser0 | | dis\/lock |
| 01f5 | Guest | | dis\/lock |
| 03ea | sysadm | ADMIN | *BLANK* |
| 01f8 | WDAGUtilityAccount | | dis\/lock |
| 03e9 | WinUser | | |
...<\/pre>\nFeatures<\/h2>\n
The interactive menu<\/h3>\n
$ chntpw -i SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive name (from header): <\\SystemRoot\\System32\\Config\\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 346\/37816 blocks\/bytes, unused: 23\/7016 blocks\/bytes.
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives:
1 - Edit user data and passwords
2 - List groups
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save) <\/pre>\nGroups and account membership<\/h3>\n
...
What to do? [1] -> 2
Also list group members? [n] y
=== Group # 220 : Administrators
0 | 01f4 | Administrator |
1 | 03ea | sysadm |
=== Group # 221 : Users
0 | 0004 | NT AUTHORITY\\INTERACTIVE |
1 | 000b | NT AUTHORITY\\Authenticated Users |
2 | 03e8 | defaultuser0 |
3 | 03e9 | WinUser |
=== Group # 222 : Guests
0 | 01f5 | Guest |
=== Group # 223 : Power Users
...
=== Group # 247 : Device Owners<\/pre>\nAdding the user to the administrators group<\/h3>\n
...
Select: [q] > 3
=== PROMOTE USER
Will add the user to the administrator group (0x220)
and to the users group (0x221). That should usually be
what is needed to log in and get administrator rights.
Also, remove the user from the guest group (0x222), since
it may forbid logins.
(To add or remove user from other groups, please other menu selections)
Note: You may get some errors if the user is already member of some
of these groups, but that is no problem.
Do it? (y\/n) [n] : y
Adding to 0x220 (Administrators) \u2026
sam_put_user_grpids: success exit
Adding to 0x221 (Users) \u2026
sam_put_user_grpids: success exit
Removing from 0x222 (Guests) \u2026
remove_user_from_grp: NOTE: group not in users list of groups, may mean user not member at all. Safe. Continuing.
remove_user_from_grp: NOTE: user not in groups list of users, may mean user was not member at all. Does not matter, continuing.
sam_put_user_grpids: success exit
Promotion DONE! <\/pre>\nEditing the Windows registry<\/h3>\n
...
What to do? [1] -> 9
Simple registry editor. ? for help.
> ?
Simple registry editor:
hive [] - list loaded hives or switch to hive number
cd - change current key
ls | dir [] - show subkeys & values,
cat | type - show key value
dpi - show decoded DigitalProductId value
hex - hexdump of value data
ck [] - Show keys class data, if it has any
nk - add key
dk - delete key (must be empty)
ed - Edit value
nv - Add value
dv - Delete value
delallv - Delete all values in current key
rdel - Recursively delete key & subkeys
ek - export key to (Windows .reg file format)
debug - enter buffer hexeditor
st [] - debug function: show struct info
q - quit
<\/pre>\nFinding help<\/h3>\n
$ man chntpw<\/pre>\n
Conclusion<\/h2>\n
\n
\n
\n