Yes, it happens to all of us doesn’t it? In a moment of exuberance, in the highlight of delight, at the apex of excitement… you attempt to login to your Windows box after months of inactivity, and well you can’t.
Access denied!!
And what makes things worse is you told yourself this would never happen to you. Also, since there’s no external DVD or CD-ROM drive, you don’t have an easy way to boot up a recovery drive.
You’ve blazed through all known passwords… you’ve even tried cracking your own password but alas! You just can’t get in and you’re about to lose your mind.
In this quick tutorial, I’m going to show you one proven trick for gaining access to our beleaguered Windows machine. And the best news is it’s easier than you think.
So there are a couple of tricks you can try to get into your box such as downloading the Offline NT Password Editor and completely blowing away your password. As long as you have a valid local account on your computer, you can zap the existing password (even if you don’t know the old one) and start over without reformatting your box.
You could also try cracking your password but that’s not very effective. The most reliable fix is to create a Live Linux USB drive from a friend’s computer and then plug that thing into your computer so you can boot to that.
In this guide, we’re going to use Kali Linux to pull this off but you could actually use any version of Linux. For example, many people use Ubuntu to do this but I prefer Kali.
In order to make the Live USB, let’s first make sure we have everything in order:
- Kali Linux ISO
- UNetbootin
- A USB thumb drive with at least 4GB of space (be prepared to wipe it clean)
Once the drive is ready, we’ll:
- Boot to Kali
- Run chntpw
- Unmount and login!
1. Grab Kali
Alright, the first thing we need to do is grab the Kali Linux ISO. Simply go to the Kali Linux downloads page, click the ISO and let it download. It doesn’t matter if you grab the 64 or 32 bit versions, but I prefer 64 bit because it runs slightly faster on machines that have more than 4 GB of RAM.
2. Snag UNetbootin
UNetbootin is a free Windows program that lets you create live USB drives for various Linux distributions.
When you install UNetbootin, you have two options:
- Distribution
- Diskimage
We want to pick Diskimage at the bottom of the application because the Kali Linux distribution isn’t included in the Distribution drop down box in UNetbootin.
So click the Diskimage radio button, make sure ISO is selected and then click the little button with the three horizontal dots to browse to the Kali Linux distribution you just downloaded.
Now plug in your USB drive, make sure the Type at the bottom of UNetbootin is set to USB Drive, select your Drive and then click OK to format and create the Live USB. As long as you have at least 4GB of space on the drive you should be okay.
Just make sure the type is set to USB Drive and not Hard Disk or else you’ll be in a world of hurt…
3. Boot to the USB drive
When the Live USB process is completed you should see all the files on your USB drive. It shouldn’t take longer than a few minutes to create the media.
Okay, so now we’re looking good. Now we need to boot from this thing.
The easiest and most reliable way to boot to a USB drive on a PC is to reboot the box and then start hitting F12 like crazy.
Another way to boot from the USB drive is to press Del, Esc, F1 or F2 repeatedly during bootup so you can get into the BIOS or UEFI screen. From here you should be able to choose the Boot order. Which key you press to enter your BIOS/UEFI screen depends on your computer manufacturer; that’s why I listed so many options.
Alright so now what?
When the box boots we should see something that looks like this:
4. Boot into Kali
Alrighty, now we need to mount your Windows drive into the Kali Linux environment so we can access the files there.
Pop open the terminal – this is basically the Linux version of a Windows command prompt. Now we need to create a mount point so we can mount the Windows partition to our Linux environment.
Open the terminal and type:
ls /dev/sd*
We need to look for our Windows partition. All Linux devices are located in a folder called /dev.
You might be thinking like – how is this possible?
This is because in Linux everything is a file - including physical devices. So your DVD-ROM is represented as a file and your entire hard drive is represented as a file too.
So what we need to do is to find all our hard drives which typically live in /dev/sda. The /dev/sda1 and /dev/sda2 files you see in the screenshot below are actually partitions on the hard drive /dev/sda.
I hope that makes sense.
So our Windows partition lives on either /dev/sda1 or /dev/sda2 – let’s mount both to see where it is:
mount /dev/sda1 /mnt
mount /dev/sda2 /mnt
If this doesn’t work for some reason, you can prefix each command with sudo (this is like clicking Yes to the UAC prompt in Windows).
Alright, so we mounted both partitions into a folder called /mnt/ in Linux (the second mount sits on top of the first, so what you see in /mnt is the partition mounted last). Now let’s take a look inside.
Just type:
cd /mnt && ls
You could also type
cd /mnt
ls
on two different lines – the && thing will save you a step though (nice little Linux trick eh? hehehe)
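Before chntpw writes to the hive in the next step, it helps to know exactly which file it will touch and to keep a copy of it. The script below is an added example, not part of the original tutorial: it finds the SAM hive under the mount point however the folder names are capitalised and copies it to a backup directory. The function names and the backup location are assumptions.

```shell
#!/usr/bin/env bash
# Added example: locate the SAM hive under a mounted Windows partition and
# back it up before any tool edits it. Function names are hypothetical.

# Print the entry of <dir> whose name matches <name> ignoring case.
# Folder names on the partition may appear as WINDOWS, Windows, system32, ...
ci_child() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print -quit
}

# Print the path of the SAM hive under <mountpoint>; return 1 if absent.
find_sam() {
    local p="$1" part
    for part in Windows System32 config SAM; do
        p=$(ci_child "$p" "$part")
        [ -n "$p" ] || return 1
    done
    [ -f "$p" ] && printf '%s\n' "$p"
}

# Copy the hive into <backupdir>, verify the copy byte for byte,
# and print the path of the backup file.
backup_sam() {
    local sam dest
    sam=$(find_sam "$1") || { echo "no SAM hive under $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    dest="$2/SAM.$(date +%Y%m%d-%H%M%S).bak"
    cp -p -- "$sam" "$dest" && cmp -s -- "$sam" "$dest" || return 1
    printf '%s\n' "$dest"
}

# Usage (assumed paths): backup_sam /mnt /mnt/sam-backup
```

Pick a backup directory that survives the reboot, such as a folder on the mounted Windows partition, because files saved inside a non-persistent live session are gone once you restart.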
5. Run chntpw
Alright, so let’s CD into /mnt/Windows/System32/config and then run chntpw to see what our options are
cd Windows/System32/config && chntpw
So we have a bunch of options
Let’s run the interactive menu system by passing the -i switch from that long list of options, and we want to run it against the SAM file.
sudo chntpw -i SAM
Awesome – so press 1 and hit enter to Edit user data and passwords.
Then enter the hex code next to the user you wish to change the password for.
It’s under the RID column. Just copy and paste it and press Enter.
Then press 1 to clear (blank) the user password out.
Hit enter and that should do the trick.
It’s going to look like nothing happened – but if you scroll up just a tad you’ll see where it says:
Password cleared!
If so, you’re on the home stretch baby.
Press q to quit the chntpw interactive screen, hit q again and then hit y to write the changes to the hive files.
So it’s q enter
q enter
y enter
6. Unmount and login
Now let’s unmount the mnt folder and reboot:
Change back into the root directory and type
cd / && sudo umount /mnt
Just keep in mind the unmount command is umount, NOT unmount. That messes a lot of newbies up.
Now reboot and you should be able to login to your Windows box without a password.
bizzam!
The Bottom Line
Alright so there you have it – I just logged into my Windows 10 box even though I completely forgot the password.
Just to review, we grabbed the Kali Linux distro. I chose Kali because I use it on my laptop, but you could have picked Ubuntu or something else. The reason I picked Kali is because it comes with chntpw built in so I didn’t have to download it. If you have Ubuntu you can grab chntpw by running:
sudo apt-get install chntpw
Then we installed UNetbootin so we could create a bootable Kali distro. We pointed UNetbootin to the Kali ISO, booted from the USB stick into Kali, mounted the Windows partition, ran chntpw and then rebooted the box and logged in!
So if this post helped you please leave a comment! I really want to know – also if you have questions leave a comment too – I like comments