chntpw
chntpw is a powerful offline Windows password and registry editor that allows you to reset or blank local user account passwords by directly editing the SAM (Security Account Manager) database and SYSTEM registry hive. It’s essential for password recovery, forensic analysis, and system recovery scenarios.
Installation
Section titled “Installation”Linux (Debian/Ubuntu)
Section titled “Linux (Debian/Ubuntu)”apt-get update
apt-get install chntpwLinux (Fedora/RHEL)
Section titled “Linux (Fedora/RHEL)”dnf install chntpwFrom Source
Section titled “From Source”git clone https://github.com/Principia-1/chntpw.git
cd chntpw/source
make
sudo make installVerify Installation
Section titled “Verify Installation”chntpw -h
chntpw -VPrerequisites
Section titled “Prerequisites”| Task | Requirement |
|---|---|
| Password reset | Boot media (Linux USB, WinPE, or live CD) |
| Access SAM/SYSTEM | Windows partition mounted or extracted |
| Registry editing | SYSTEM and SOFTWARE hives accessible |
| Write permissions | Mount with write permissions enabled |
| Hash viewing | Access to SAM file intact |
Mounting Windows Partitions
Section titled “Mounting Windows Partitions”Identify Disks and Partitions
Section titled “Identify Disks and Partitions”lsblk
fdisk -l
parted -lFind NTFS Partitions
Section titled “Find NTFS Partitions”blkid | grep -i ntfs
fdisk -l | grep NTFSMount Windows Drive (Read-Only for Safety)
Section titled “Mount Windows Drive (Read-Only for Safety)”# Create mount point
sudo mkdir -p /mnt/windows
# Mount read-only first (safe browsing)
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# Mount with write access (for editing)
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windowsMount with Read-Write
Section titled “Mount with Read-Write”# NTFS (using ntfs-3g)
sudo mount -t ntfs-3g -o rw,remove_hiberfile /dev/sdX1 /mnt/windows
# Using mount.ntfs
sudo mount.ntfs -o force /dev/sdX1 /mnt/windowsUnmount When Done
Section titled “Unmount When Done”sudo umount /mnt/windowsLocating SAM and System Files
Section titled “Locating SAM and System Files”Standard Windows Paths
Section titled “Standard Windows Paths”# SAM database location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# On mounted partition
/mnt/windows/Windows/System32/config/SAM
/mnt/windows/Windows/System32/config/SYSTEMFinding Files on Mounted Drive
Section titled “Finding Files on Mounted Drive”find /mnt/windows -name "SAM" 2>/dev/null
find /mnt/windows/Windows/System32/config -type f
# List all config files
ls -la /mnt/windows/Windows/System32/config/Verify File Integrity
Section titled “Verify File Integrity”# Check SAM file exists and size
stat /mnt/windows/Windows/System32/config/SAM
# List with details
ls -lh /mnt/windows/Windows/System32/config/SAM*Interactive Password Reset Mode
Section titled “Interactive Password Reset Mode”List All Users
Section titled “List All Users”chntpw -l /path/to/SAMInteractive Menu
Section titled “Interactive Menu”chntpw /path/to/SAMMenu Options:
1— Edit user password2— List user names and RIDs3— Add new user4— Promote user to admin5— Reset password field (blank password)6— Clear user password (NT hash to empty)7— Exit/quit
Step-by-Step Password Reset
Section titled “Step-by-Step Password Reset”# Start interactive session
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Example: Reset Administrator password
# 1. Select user (usually RID 500 for admin)
# 2. Choose option "1" to edit user
# 3. Set new password or leave blank
# 4. Type "q" to quit and save changesClearing Passwords (Blank Password)
Section titled “Clearing Passwords (Blank Password)”Interactive Blank Password
Section titled “Interactive Blank Password”sudo chntpw /mnt/windows/Windows/System32/config/SAM
# In menu: Select user, choose "6" to blank password
# User can login without passwordCommand-Line Blank Password (Legacy Syntax)
Section titled “Command-Line Blank Password (Legacy Syntax)”# Blank user password for specific RID
chntpw -u Administrator /path/to/SAMRemove Password Hash Entirely
Section titled “Remove Password Hash Entirely”# Interactive: select user, clear password field
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Option 6: Clear password (sets NT hash to empty)Promoting Users to Admin
Section titled “Promoting Users to Admin”Interactive Admin Promotion
Section titled “Interactive Admin Promotion”sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Select user
# Option 4: Promote to admin
# Confirm changesVerify User Groups
Section titled “Verify User Groups”# After promotion, user belongs to:
# - Administrators group (RID 544)
# - Users group (RID 545)Registry Editing Mode
Section titled “Registry Editing Mode”Access Registry Hives
Section titled “Access Registry Hives”# Edit SOFTWARE hive
chntpw -e /mnt/windows/Windows/System32/config/SOFTWARE
# Edit SYSTEM hive
chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# Edit SAM for user info
chntpw -e /mnt/windows/Windows/System32/config/SAMRegistry Navigation
Section titled “Registry Navigation”# List registry keys at current path
ls
# Change directory (navigate keys)
cd HKEY_LOCAL_MACHINE
# Go to specific key
cd "Microsoft\Windows NT\CurrentVersion"
# Go up one level
cd ..
# Go to root
cd \Viewing Registry Values
Section titled “Viewing Registry Values”# List current key contents
ls
# Show value details
cat ValueName
# Display value type and data
get ValueNameEditing Registry Values
Section titled “Editing Registry Values”# Edit value (create if missing)
ed ValueName
# Enter new value at prompt
# Delete value
del ValueName
# Set value type
type ValueName REG_SZCommon Registry Tasks
Section titled “Common Registry Tasks”# Disable Windows Defender
cd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender"
ed DisableAntiSpyware
# Set value to 1
# Enable RDP
cd "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
ed fDenyTSConnections
# Set value to 0
# Set UAC level
cd "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ed EnableLUA
# Set value to 0Common Scenarios
Section titled “Common Scenarios”Locked Out Administrator Account
Section titled “Locked Out Administrator Account”Scenario: Unable to login to Windows, forgot admin password
# 1. Boot from Linux live USB
# 2. Mount Windows partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 3. Reset admin password
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 4. Select Administrator (usually RID 500)
# 5. Choose option 6 to blank password
# 6. Reboot system and login without password
# 7. Once logged in, set permanent password
# Windows will prompt for new password on loginPromote Limited User to Admin
Section titled “Promote Limited User to Admin”# 1. Boot live media and mount partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Start chntpw
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 3. Find the limited user
# (Option 2 to list all users)
# 4. Select target user
# 5. Choose option 4 to promote to admin
# 6. Confirm and saveForensic Analysis of User Accounts
Section titled “Forensic Analysis of User Accounts”# 1. Mount partition read-only
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# 2. List all users and hash information
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM
# 3. Examine password hashes
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM | grep -i "rid"
# 4. Extract hashes for offline cracking
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM > hashes.txtDisable Security Features via Registry
Section titled “Disable Security Features via Registry”# 1. Mount Windows partition with write access
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Enter registry edit mode
sudo chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# 3. Navigate to terminal services
cd "ControlSet001\Control\Terminal Server"
# 4. Disable RDP requirement for network-level auth
ed fDenyTSConnections
# Enter 0
# 5. Disable Firewall (in different hive)
# Exit and edit SOFTWARE hiveSyntax Reference
Section titled “Syntax Reference”| Option | Purpose |
|---|---|
-h | Display help message |
-V | Show version information |
-l | List users in SAM file |
-u | Edit specific user |
-e | Enter registry edit mode |
-i | Interactive mode (guided menu) |
-r | Read-only mode (safe browsing) |
-n | Don’t write changes on exit |
-v | Verbose output |
-p | Provide path to SAM file |
Important Considerations
Section titled “Important Considerations”SAM File Locks
Section titled “SAM File Locks”# Windows locks SAM file when running
# Solution: Boot from live media or WinPE
# Check if file is locked
lsof /path/to/SAM
# Copy locked file (may fail)
cp /path/to/SAM SAM.bakRegistry Hive Versions
Section titled “Registry Hive Versions”# Different Windows versions use different hive formats
# Windows 7/8/10/11 — compatible with modern chntpw
# Windows XP/2003 — may have compatibility issues
# Verify file type
file /path/to/SAMBackup Important Files
Section titled “Backup Important Files”# Always backup before editing
cp /mnt/windows/Windows/System32/config/SAM SAM.backup
cp /mnt/windows/Windows/System32/config/SYSTEM SYSTEM.backup
# Keep original copies safe
tar -czf windows_registry_backup.tar.gz SAM.backup SYSTEM.backupUser Account Control (UAC) Bypass
Section titled “User Account Control (UAC) Bypass”# Disabling UAC via registry
# cd to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
# Edit: EnableLUA value to 0
# Requires restart for changes to take effectTroubleshooting
Section titled “Troubleshooting”| Issue | Solution |
|---|---|
| ”SAM file not found” | Verify path is correct, check mounted partition |
| ”Permission denied” | Use sudo, ensure partition mounted with rw access |
| ”Invalid partition” | Check partition type with fdisk -l, may need different filesystem driver |
| ”Changes not saved” | Confirm exit with ‘q’ and save prompt, verify write permissions |
| ”Hive appears corrupted” | Use backup copy, check file integrity with stat |
Best Practices
Section titled “Best Practices”- Always boot from clean media (live USB, WinPE) for password reset
- Mount Windows partition read-only until ready to make changes
- Create backups of SAM and SYSTEM files before editing
- Verify user exists before attempting password reset
- Test new credentials before removing recovery media
- Document changes made for audit trail (if applicable)
- Use interactive mode (
-i) for guided, safer operation - Keep chntpw updated to latest version for security fixes