07-19-2019, 11:32 AM
Modifying Windows local accounts with Fedora and chntpw
<div><p>I recently encountered a problem at work where a client’s Windows 10 PC lost trust to the domain. The user is an executive and the hindrance of his computer can affect real-time mission-critical tasks. He gave me 30 minutes to resolve the issue while he attended a meeting.</p>
<p> <span id="more-28801"></span> </p>
<p>Needless to say, I’ve encountered this issue many times in my career. It’s an easy fix using the Windows 7/8/10 installation media to reset the Administrator password, remove the PC off the domain and rejoin it. Unfortunately it didn’t work this time. After 20 minutes of scouring the net and scanning through the Microsoft Docs with no success, I turned to my development machine running Fedora with hopes of finding a solution.</p>
<p>With <em>dnf search</em> I found a utility called <strong>chntpw</strong>:</p>
<pre class="wp-block-preformatted">$ dnf search windows | grep password</pre>
<p>According to the summary, <em>chntpw</em> will “change passwords in Windows SAM files.”</p>
<p>Little did I know at the time there was more to this utility than explained in the summary. Hence, this article will go through the steps I used to successfully reset a Windows local user password using <em>chntpw</em> and a Fedora Workstation Live boot USB. The article will also cover some of the features of <em>chntpw</em> used for basic user administration.</p>
<h2>Installation and setup</h2>
<p>If the PC can connect to the internet after booting the live media, install <em>chntpw</em> from the official Fedora repository with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install chntpw</pre>
<p>If you’re unable to access the internet, no sweat! Fedora Workstation Live boot media has all the dependencies installed out-of-the-box, so all we need is the package. You can find the builds for your Fedora version from the <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://koji.fedoraproject.org/koji/packageinfo?packageID=6945" target="_blank">Fedora Project’s Koji</a> site. You can use another computer to download the utility and use a USB thumb drive, or other form of media to copy the package.</p>
<p>First and foremost we need to create the Fedora Live USB stick. If you need instructions, the article on <a href="https://fedoramagazine.org/make-fedora-usb-stick/">How to make a Fedora USB stick</a> is a great reference.</p>
<p>Once the key is created shut-down the Windows PC, insert the thumb drive if the USB key was created on another computer, and turn on the PC — be sure to boot from the USB drive. Once the live media boots, select “Try Fedora” and open the Terminal application.</p>
<p>Also, we need to mount the Windows drive to access the files. Enter the following command to view all drive partitions with an NTFS filesystem:</p>
<pre class="wp-block-preformatted">$ sudo blkid | grep ntfs</pre>
<p>Most hard drives are assigned to <em>/dev/sdaX</em> where X is the partition number — virtual drives may be assigned to <em>/dev/vdX</em>, and some newer drives (like SSDs) use <em>/dev/nvmeX</em>. For this example the Windows C drive is assigned to <em>/dev/sda2</em>. To mount the drive enter:</p>
<pre class="wp-block-preformatted">$ sudo mount /dev/sda2 /mnt</pre>
<p>Fedora Workstation contains the <em>ntfs-3g</em> and <em>ntfsprogs </em>packages out-of-the-box. If you’re using a spin that does not have NTFS working out of the box, you can install these two packages from the official Fedora repository with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install ntfs-3g ntfsprogs</pre>
<p>Once the drive is mounted, navigate to the location of the SAM file and verify that it’s there:</p>
<pre class="wp-block-preformatted">$ cd /mnt/Windows/System32/config<br />$ ls | grep SAM<br /> SAM<br /> SAM.LOG1<br /> SAM.LOG2</pre>
<h2>Clearing or resetting a password</h2>
<p>Now it’s time to get to work. The help flag <strong>-h</strong> provides everything we need to know about this utility and how to use it:</p>
<pre class="wp-block-preformatted">$ chntpw -h<br />chntpw: change password of a user in a Windows SAM file,<br />or invoke registry editor. Should handle both 32 and 64 bit windows and<br />all version from NT3.x to Win8.1<br />chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] […]<br /> -h This message<br /> -u Username or RID (0x3e9 for example) to interactively edit<br /> -l list all users in SAM file and exit<br /> -i Interactive Menu system<br /> -e Registry editor. Now with full write support!<br /> -d Enter buffer debugger instead (hex editor), <br /> -v Be a little more verbose (for debuging)<br /> -L For scripts, write names of changed files to /tmp/changed<br /> -N No allocation mode. Only same length overwrites possible (very safe mode)<br /> -E No expand mode, do not expand hive file (safe mode)<br /><br />Usernames can be given as name or RID (in hex with 0x first)<br />See readme file on how to get to the registry files, and what they are.<br /> Source/binary freely distributable under GPL v2 license. See README for details.<br /> NOTE: This program is somewhat hackish! You are on your own!</pre>
<p>Use the <strong>-l</strong> parameter to display a list of users it reads from the SAM file:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -l SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br />| RID -|---------- Username ------------| Admin? |- Lock? --|<br />| 01f4 | Administrator | ADMIN | dis/lock |<br />| 01f7 | DefaultAccount | | dis/lock |<br />| 03e8 | defaultuser0 | | dis/lock |<br />| 01f5 | Guest | | dis/lock |<br />| 03ea | sysadm | ADMIN | |<br />| 01f8 | WDAGUtilityAccount | | dis/lock |<br />| 03e9 | WinUser | | |</pre>
<p>Now that we have a list of Windows users we can edit the account. Use the <strong>-u</strong> parameter followed by the username and the name of the SAM file. For this example, edit the <em>sysadm</em> account:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -u sysadm SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /> <br />================= USER EDIT ==================== <br /><br />RID : 1002 [03ea]<br />Username: sysadm<br />fullname: SysADM<br />comment : <br />homedir : <br /><br />00000220 = Administrators (which has 2 members) <br /> <br />Account bits: 0x0010 =<br />[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | <br />[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | <br />[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | <br />[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | <br />[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | <br /><br />Failed login count: 0, while max tries is: 0<br />Total login count: 0 <br /> <br />- - - User Edit Menu:<br />1 - Clear (blank) user password<br />(2 - Unlock and enable user account) [seems unlocked already]<br />3 - Promote user (make user an administrator)<br />4 - Add user to a group<br />5 - Remove user from a group<br />q - Quit editing user, back to user select<br />Select: [q] ></pre>
<p>To clear the password press <strong>1</strong> and ENTER. If successful you will see the following message:</p>
<pre class="wp-block-preformatted">...<br />Select: [q] > 1 <br />Password cleared!<br />================= USER EDIT ====================<br /> <br />RID : 1002 [03ea]<br />Username: sysadm<br />fullname: SysADM<br />comment : <br />homedir : <br /><br />00000220 = Administrators (which has 2 members)<br /><br />Account bits: 0x0010 =<br />[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | <br />[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | <br />[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | <br />[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | <br />[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | <br /><br />Failed login count: 0, while max tries is: 0<br />Total login count: 0<br />** No NT MD4 hash found. This user probably has a BLANK password!<br />** No LANMAN hash found either. Try login with no password!<br />...</pre>
<p>Verify the change by repeating:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -l SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br />| RID -|---------- Username ------------| Admin? |- Lock? --|<br />| 01f4 | Administrator | ADMIN | dis/lock |<br />| 01f7 | DefaultAccount | | dis/lock |<br />| 03e8 | defaultuser0 | | dis/lock |<br />| 01f5 | Guest | | dis/lock |<br />| 03ea | sysadm | ADMIN | *BLANK* |<br />| 01f8 | WDAGUtilityAccount | | dis/lock |<br />| 03e9 | WinUser | | | <br /><br />...</pre>
<p>The “Lock?” column now shows <em>BLANK</em> for the sysadm user. Type <strong>q</strong> to exit and <strong>y</strong> to write the changes to the SAM file. Reboot the machine into Windows and login using the account (in this case <em>sysadm</em>) without a password.</p>
<h2>Features</h2>
<p>Furthermore, <em>chntpw</em> can perform basic Windows user administrative tasks. It has the ability to promote the user to the administrators group, unlock accounts, view and modify group memberships, and edit the registry.</p>
<h3>The interactive menu</h3>
<p><em>chntpw</em> has an easy-to-use interactive menu to guide you through the process. Use the <strong>-i</strong> parameter to launch the interactive menu:</p>
<pre class="wp-block-preformatted">$ chntpw -i SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br /><>========<> chntpw Main Interactive Menu <>========<> <br />Loaded hives: <br /> 1 - Edit user data and passwords<br /> 2 - List groups<br /> - - -<br /> 9 - Registry editor, now with full write support!<br /> q - Quit (you will be asked if there is something to save) </pre>
<h3>Groups and account membership</h3>
<p>To display a list of groups and view its members, select option <strong>2</strong> from the interactive menu:</p>
<pre class="wp-block-preformatted">...<br />What to do? [1] -> 2<br />Also list group members? [n] y<br />=== Group # 220 : Administrators<br /> 0 | 01f4 | Administrator | <br /> 1 | 03ea | sysadm | <br />=== Group # 221 : Users<br /> 0 | 0004 | NT AUTHORITY\INTERACTIVE | <br /> 1 | 000b | NT AUTHORITY\Authenticated Users | <br /> 2 | 03e8 | defaultuser0 | <br /> 3 | 03e9 | WinUser | <br />=== Group # 222 : Guests<br /> 0 | 01f5 | Guest | <br />=== Group # 223 : Power Users<br />... <br />=== Group # 247 : Device Owners</pre>
<h3>Adding the user to the administrators group</h3>
<p>To elevate the user with administrative privileges press <strong>1</strong> to edit the account, then <strong>3</strong> to promote the user:</p>
<pre class="wp-block-preformatted">...<br />Select: [q] > 3<br /><br />=== PROMOTE USER<br />Will add the user to the administrator group (0x220)<br />and to the users group (0x221). That should usually be<br />what is needed to log in and get administrator rights.<br />Also, remove the user from the guest group (0x222), since<br />it may forbid logins.<br /><br />(To add or remove user from other groups, please other menu selections)<br /><br />Note: You may get some errors if the user is already member of some<br />of these groups, but that is no problem.<br /><br />Do it? (y/n) [n] : y <br /><br />Adding to 0x220 (Administrators) …<br />sam_put_user_grpids: success exit<br />Adding to 0x221 (Users) …<br />sam_put_user_grpids: success exit<br />Removing from 0x222 (Guests) …<br />remove_user_from_grp: NOTE: group not in users list of groups, may mean user not member at all. Safe. Continuing.<br />remove_user_from_grp: NOTE: user not in groups list of users, may mean user was not member at all. Does not matter, continuing.<br />sam_put_user_grpids: success exit <br /><br />Promotion DONE! </pre>
<h3>Editing the Windows registry</h3>
<p>Certainly the most noteworthy, as well as the most powerful, feature of chntpw is the ability to edit the registry and write to it. Select <strong>9</strong> from the interactive menu:</p>
<pre class="wp-block-preformatted">...<br />What to do? [1] -> 9<br />Simple registry editor. ? for help.<br /><br />> ?<br /> Simple registry editor:<br /> hive [] - list loaded hives or switch to hive number<br /> cd - change current key<br /> ls | dir [] - show subkeys & values,<br /> cat | type - show key value<br /> dpi - show decoded DigitalProductId value<br /> hex - hexdump of value data<br /> ck [] - Show keys class data, if it has any<br /> nk - add key<br /> dk - delete key (must be empty)<br /> ed - Edit value<br /> nv - Add value<br /> dv - Delete value<br /> delallv - Delete all values in current key<br /> rdel - Recursively delete key & subkeys<br /> ek - export key to (Windows .reg file format)<br /> debug - enter buffer hexeditor<br /> st [] - debug function: show struct info<br /> q - quit <br /></pre>
<h3>Finding help</h3>
<p>As we saw earlier, the <strong>-h</strong> parameter allows us to quickly access a reference guide to the options available with chntpw. The man page contains detailed information and can be accessed with:</p>
<pre class="wp-block-preformatted">$ man chntpw</pre>
<p>Also, if you’re interested in a more hands-on approach, spin up a virtual machine. <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019" target="_blank">Windows Server 2019</a> has an evaluation period of 180 days, and <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2019" target="_blank">Windows Hyper-V Server 2019</a> is unlimited. Creating a Windows guest VM will provide the basics to modify the Administrator account for testing and learning. For help with quickly creating a guest VM refer to the article <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://fedoramagazine.org/getting-started-with-virtualization-in-gnome-boxes/" target="_blank">Getting started with virtualization in Gnome Boxes</a>.</p>
<h2>Conclusion</h2>
<p><em>chntpw</em> is a hidden gem for Linux administrators and IT professionals alike. While a nifty tool to quickly reset Windows account passwords, it can also be used to troubleshoot and modify local Windows accounts with a no-nonsense feel that delivers. This is perhaps only one such tool for solving the problem, though. If you’ve experienced this issue and have an alternative solution, feel free to put it in the comments below. </p>
<p>This tool, like many other “hacking” tools, holds with it an ethical responsibility. Even chntpw states:</p>
<blockquote class="wp-block-quote">
<p>NOTE: This program is somewhat hackish! You are on your own!</p>
</blockquote>
<p>When using such programs, we should remember the three edicts outlined in the message displayed when running <strong>sudo</strong> for the first time:</p>
<ol>
<li>Respect the privacy of others.</li>
<li>Think before you type.</li>
<li>With great power comes great responsibility.</li>
</ol>
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/@silas_crioco?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Silas Köhler</em></a><em> on </em><a href="https://unsplash.com/search/photos/key-lock?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Unsplash</em></a><em>,</em></p>
</div>
<div><p>I recently encountered a problem at work where a client’s Windows 10 PC lost trust to the domain. The user is an executive and the hindrance of his computer can affect real-time mission-critical tasks. He gave me 30 minutes to resolve the issue while he attended a meeting.</p>
<p> <span id="more-28801"></span> </p>
<p>Needless to say, I’ve encountered this issue many times in my career. It’s an easy fix using the Windows 7/8/10 installation media to reset the Administrator password, remove the PC off the domain and rejoin it. Unfortunately it didn’t work this time. After 20 minutes of scouring the net and scanning through the Microsoft Docs with no success, I turned to my development machine running Fedora with hopes of finding a solution.</p>
<p>With <em>dnf search</em> I found a utility called <strong>chntpw</strong>:</p>
<pre class="wp-block-preformatted">$ dnf search windows | grep password</pre>
<p>According to the summary, <em>chntpw</em> will “change passwords in Windows SAM files.”</p>
<p>Little did I know at the time there was more to this utility than explained in the summary. Hence, this article will go through the steps I used to successfully reset a Windows local user password using <em>chntpw</em> and a Fedora Workstation Live boot USB. The article will also cover some of the features of <em>chntpw</em> used for basic user administration.</p>
<h2>Installation and setup</h2>
<p>If the PC can connect to the internet after booting the live media, install <em>chntpw</em> from the official Fedora repository with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install chntpw</pre>
<p>If you’re unable to access the internet, no sweat! Fedora Workstation Live boot media has all the dependencies installed out-of-the-box, so all we need is the package. You can find the builds for your Fedora version from the <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://koji.fedoraproject.org/koji/packageinfo?packageID=6945" target="_blank">Fedora Project’s Koji</a> site. You can use another computer to download the utility and use a USB thumb drive, or other form of media to copy the package.</p>
<p>First and foremost we need to create the Fedora Live USB stick. If you need instructions, the article on <a href="https://fedoramagazine.org/make-fedora-usb-stick/">How to make a Fedora USB stick</a> is a great reference.</p>
<p>Once the key is created shut-down the Windows PC, insert the thumb drive if the USB key was created on another computer, and turn on the PC — be sure to boot from the USB drive. Once the live media boots, select “Try Fedora” and open the Terminal application.</p>
<p>Also, we need to mount the Windows drive to access the files. Enter the following command to view all drive partitions with an NTFS filesystem:</p>
<pre class="wp-block-preformatted">$ sudo blkid | grep ntfs</pre>
<p>Most hard drives are assigned to <em>/dev/sdaX</em> where X is the partition number — virtual drives may be assigned to <em>/dev/vdX</em>, and some newer drives (like SSDs) use <em>/dev/nvmeX</em>. For this example the Windows C drive is assigned to <em>/dev/sda2</em>. To mount the drive enter:</p>
<pre class="wp-block-preformatted">$ sudo mount /dev/sda2 /mnt</pre>
<p>Fedora Workstation contains the <em>ntfs-3g</em> and <em>ntfsprogs </em>packages out-of-the-box. If you’re using a spin that does not have NTFS working out of the box, you can install these two packages from the official Fedora repository with:</p>
<pre class="wp-block-preformatted">$ sudo dnf install ntfs-3g ntfsprogs</pre>
<p>Once the drive is mounted, navigate to the location of the SAM file and verify that it’s there:</p>
<pre class="wp-block-preformatted">$ cd /mnt/Windows/System32/config<br />$ ls | grep SAM<br /> SAM<br /> SAM.LOG1<br /> SAM.LOG2</pre>
<h2>Clearing or resetting a password</h2>
<p>Now it’s time to get to work. The help flag <strong>-h</strong> provides everything we need to know about this utility and how to use it:</p>
<pre class="wp-block-preformatted">$ chntpw -h<br />chntpw: change password of a user in a Windows SAM file,<br />or invoke registry editor. Should handle both 32 and 64 bit windows and<br />all version from NT3.x to Win8.1<br />chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] […]<br /> -h This message<br /> -u Username or RID (0x3e9 for example) to interactively edit<br /> -l list all users in SAM file and exit<br /> -i Interactive Menu system<br /> -e Registry editor. Now with full write support!<br /> -d Enter buffer debugger instead (hex editor), <br /> -v Be a little more verbose (for debuging)<br /> -L For scripts, write names of changed files to /tmp/changed<br /> -N No allocation mode. Only same length overwrites possible (very safe mode)<br /> -E No expand mode, do not expand hive file (safe mode)<br /><br />Usernames can be given as name or RID (in hex with 0x first)<br />See readme file on how to get to the registry files, and what they are.<br /> Source/binary freely distributable under GPL v2 license. See README for details.<br /> NOTE: This program is somewhat hackish! You are on your own!</pre>
<p>Use the <strong>-l</strong> parameter to display a list of users it reads from the SAM file:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -l SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br />| RID -|---------- Username ------------| Admin? |- Lock? --|<br />| 01f4 | Administrator | ADMIN | dis/lock |<br />| 01f7 | DefaultAccount | | dis/lock |<br />| 03e8 | defaultuser0 | | dis/lock |<br />| 01f5 | Guest | | dis/lock |<br />| 03ea | sysadm | ADMIN | |<br />| 01f8 | WDAGUtilityAccount | | dis/lock |<br />| 03e9 | WinUser | | |</pre>
<p>Now that we have a list of Windows users we can edit the account. Use the <strong>-u</strong> parameter followed by the username and the name of the SAM file. For this example, edit the <em>sysadm</em> account:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -u sysadm SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /> <br />================= USER EDIT ==================== <br /><br />RID : 1002 [03ea]<br />Username: sysadm<br />fullname: SysADM<br />comment : <br />homedir : <br /><br />00000220 = Administrators (which has 2 members) <br /> <br />Account bits: 0x0010 =<br />[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | <br />[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | <br />[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | <br />[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | <br />[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | <br /><br />Failed login count: 0, while max tries is: 0<br />Total login count: 0 <br /> <br />- - - User Edit Menu:<br />1 - Clear (blank) user password<br />(2 - Unlock and enable user account) [seems unlocked already]<br />3 - Promote user (make user an administrator)<br />4 - Add user to a group<br />5 - Remove user from a group<br />q - Quit editing user, back to user select<br />Select: [q] ></pre>
<p>To clear the password press <strong>1</strong> and ENTER. If successful you will see the following message:</p>
<pre class="wp-block-preformatted">...<br />Select: [q] > 1 <br />Password cleared!<br />================= USER EDIT ====================<br /> <br />RID : 1002 [03ea]<br />Username: sysadm<br />fullname: SysADM<br />comment : <br />homedir : <br /><br />00000220 = Administrators (which has 2 members)<br /><br />Account bits: 0x0010 =<br />[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. | <br />[ ] Temp. duplicate | [X] Normal account | [ ] NMS account | <br />[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | <br />[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | <br />[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | <br /><br />Failed login count: 0, while max tries is: 0<br />Total login count: 0<br />** No NT MD4 hash found. This user probably has a BLANK password!<br />** No LANMAN hash found either. Try login with no password!<br />...</pre>
<p>Verify the change by repeating:</p>
<pre class="wp-block-preformatted">$ sudo chntpw -l SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br />| RID -|---------- Username ------------| Admin? |- Lock? --|<br />| 01f4 | Administrator | ADMIN | dis/lock |<br />| 01f7 | DefaultAccount | | dis/lock |<br />| 03e8 | defaultuser0 | | dis/lock |<br />| 01f5 | Guest | | dis/lock |<br />| 03ea | sysadm | ADMIN | *BLANK* |<br />| 01f8 | WDAGUtilityAccount | | dis/lock |<br />| 03e9 | WinUser | | | <br /><br />...</pre>
<p>The “Lock?” column now shows <em>BLANK</em> for the sysadm user. Type <strong>q</strong> to exit and <strong>y</strong> to write the changes to the SAM file. Reboot the machine into Windows and login using the account (in this case <em>sysadm</em>) without a password.</p>
<h2>Features</h2>
<p>Furthermore, <em>chntpw</em> can perform basic Windows user administrative tasks. It has the ability to promote the user to the administrators group, unlock accounts, view and modify group memberships, and edit the registry.</p>
<h3>The interactive menu</h3>
<p><em>chntpw</em> has an easy-to-use interactive menu to guide you through the process. Use the <strong>-i</strong> parameter to launch the interactive menu:</p>
<pre class="wp-block-preformatted">$ chntpw -i SAM<br />chntpw version 1.00 140201, © Petter N Hagen<br />Hive name (from header): <\SystemRoot\System32\Config\SAM><br />ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <br />File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)<br />Used for data: 346/37816 blocks/bytes, unused: 23/7016 blocks/bytes.<br /><br /><>========<> chntpw Main Interactive Menu <>========<> <br />Loaded hives: <br /> 1 - Edit user data and passwords<br /> 2 - List groups<br /> - - -<br /> 9 - Registry editor, now with full write support!<br /> q - Quit (you will be asked if there is something to save) </pre>
<h3>Groups and account membership</h3>
<p>To display a list of groups and view its members, select option <strong>2</strong> from the interactive menu:</p>
<pre class="wp-block-preformatted">...<br />What to do? [1] -> 2<br />Also list group members? [n] y<br />=== Group # 220 : Administrators<br /> 0 | 01f4 | Administrator | <br /> 1 | 03ea | sysadm | <br />=== Group # 221 : Users<br /> 0 | 0004 | NT AUTHORITY\INTERACTIVE | <br /> 1 | 000b | NT AUTHORITY\Authenticated Users | <br /> 2 | 03e8 | defaultuser0 | <br /> 3 | 03e9 | WinUser | <br />=== Group # 222 : Guests<br /> 0 | 01f5 | Guest | <br />=== Group # 223 : Power Users<br />... <br />=== Group # 247 : Device Owners</pre>
<h3>Adding the user to the administrators group</h3>
<p>To elevate the user with administrative privileges press <strong>1</strong> to edit the account, then <strong>3</strong> to promote the user:</p>
<pre class="wp-block-preformatted">...<br />Select: [q] > 3<br /><br />=== PROMOTE USER<br />Will add the user to the administrator group (0x220)<br />and to the users group (0x221). That should usually be<br />what is needed to log in and get administrator rights.<br />Also, remove the user from the guest group (0x222), since<br />it may forbid logins.<br /><br />(To add or remove user from other groups, please other menu selections)<br /><br />Note: You may get some errors if the user is already member of some<br />of these groups, but that is no problem.<br /><br />Do it? (y/n) [n] : y <br /><br />Adding to 0x220 (Administrators) …<br />sam_put_user_grpids: success exit<br />Adding to 0x221 (Users) …<br />sam_put_user_grpids: success exit<br />Removing from 0x222 (Guests) …<br />remove_user_from_grp: NOTE: group not in users list of groups, may mean user not member at all. Safe. Continuing.<br />remove_user_from_grp: NOTE: user not in groups list of users, may mean user was not member at all. Does not matter, continuing.<br />sam_put_user_grpids: success exit <br /><br />Promotion DONE! </pre>
<h3>Editing the Windows registry</h3>
<p>Certainly the most noteworthy, as well as the most powerful, feature of chntpw is the ability to edit the registry and write to it. Select <strong>9</strong> from the interactive menu:</p>
<pre class="wp-block-preformatted">...<br />What to do? [1] -> 9<br />Simple registry editor. ? for help.<br /><br />> ?<br /> Simple registry editor:<br /> hive [] - list loaded hives or switch to hive number<br /> cd - change current key<br /> ls | dir [] - show subkeys & values,<br /> cat | type - show key value<br /> dpi - show decoded DigitalProductId value<br /> hex - hexdump of value data<br /> ck [] - Show keys class data, if it has any<br /> nk - add key<br /> dk - delete key (must be empty)<br /> ed - Edit value<br /> nv - Add value<br /> dv - Delete value<br /> delallv - Delete all values in current key<br /> rdel - Recursively delete key & subkeys<br /> ek - export key to (Windows .reg file format)<br /> debug - enter buffer hexeditor<br /> st [] - debug function: show struct info<br /> q - quit <br /></pre>
<h3>Finding help</h3>
<p>As we saw earlier, the <strong>-h</strong> parameter allows us to quickly access a reference guide to the options available with chntpw. The man page contains detailed information and can be accessed with:</p>
<pre class="wp-block-preformatted">$ man chntpw</pre>
<p>Also, if you’re interested in a more hands-on approach, spin up a virtual machine. <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019" target="_blank">Windows Server 2019</a> has an evaluation period of 180 days, and <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2019" target="_blank">Windows Hyper-V Server 2019</a> is unlimited. Creating a Windows guest VM will provide the basics to modify the Administrator account for testing and learning. For help with quickly creating a guest VM refer to the article <a rel="noreferrer noopener" aria-label=" (opens in a new tab)" href="https://fedoramagazine.org/getting-started-with-virtualization-in-gnome-boxes/" target="_blank">Getting started with virtualization in Gnome Boxes</a>.</p>
<h2>Conclusion</h2>
<p><em>chntpw</em> is a hidden gem for Linux administrators and IT professionals alike. While a nifty tool to quickly reset Windows account passwords, it can also be used to troubleshoot and modify local Windows accounts with a no-nonsense feel that delivers. This is perhaps only one such tool for solving the problem, though. If you’ve experienced this issue and have an alternative solution, feel free to put it in the comments below. </p>
<p>This tool, like many other “hacking” tools, holds with it an ethical responsibility. Even chntpw states:</p>
<blockquote class="wp-block-quote">
<p>NOTE: This program is somewhat hackish! You are on your own!</p>
</blockquote>
<p>When using such programs, we should remember the three edicts outlined in the message displayed when running <strong>sudo</strong> for the first time:</p>
<ol>
<li>Respect the privacy of others.</li>
<li>Think before you type.</li>
<li>With great power comes great responsibility.</li>
</ol>
<hr class="wp-block-separator" />
<p><em>Photo by </em><a href="https://unsplash.com/@silas_crioco?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Silas Köhler</em></a><em> on </em><a href="https://unsplash.com/search/photos/key-lock?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText"><em>Unsplash</em></a><em>,</em></p>
</div>