chntpw
chntpw is a powerful offline Windows password and registry editor that allows you to reset or blank local user account passwords by directly editing the SAM (Security Account Manager) database and SYSTEM registry hive. It’s essential for password recovery, forensic analysis, and system recovery scenarios.
Installation

Linux (Debian/Ubuntu)

```bash
apt-get update
apt-get install chntpw
```

Linux (Fedora/RHEL)

```bash
dnf install chntpw
```

From Source

```bash
git clone https://github.com/Principia-1/chntpw.git
cd chntpw/source
make
sudo make install
```

Verify Installation

```bash
chntpw -h
chntpw -V
```
Prerequisites

| Task | Requirement |
|---|---|
| Password reset | Boot media (Linux USB, WinPE, or live CD) |
| Access SAM/SYSTEM | Windows partition mounted or extracted |
| Registry editing | SYSTEM and SOFTWARE hives accessible |
| Write permissions | Partition mounted with write permissions enabled |
| Hash viewing | Intact SAM file accessible |
Mounting Windows Partitions

Identify Disks and Partitions

```bash
lsblk
fdisk -l
parted -l
```

Find NTFS Partitions

```bash
blkid | grep -i ntfs
fdisk -l | grep NTFS
```

Mount Windows Drive (Read-Only for Safety)

```bash
# Create mount point
sudo mkdir -p /mnt/windows
# Mount read-only first (safe browsing)
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# Mount with write access (for editing; unmount the read-only mount first)
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
```

Mount with Read-Write

```bash
# NTFS (using ntfs-3g). remove_hiberfile discards a hibernation image left by
# Windows hibernation or fast startup; unsaved Windows state in that image is lost.
sudo mount -t ntfs-3g -o rw,remove_hiberfile /dev/sdX1 /mnt/windows
# Using mount.ntfs
sudo mount.ntfs -o force /dev/sdX1 /mnt/windows
```

Unmount When Done

```bash
sudo umount /mnt/windows
```
Locating SAM and System Files

Standard Windows Paths

```text
# SAM database location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# On mounted partition
/mnt/windows/Windows/System32/config/SAM
/mnt/windows/Windows/System32/config/SYSTEM
```

Finding Files on Mounted Drive

```bash
find /mnt/windows -name "SAM" 2>/dev/null
find /mnt/windows/Windows/System32/config -type f
# List all config files
ls -la /mnt/windows/Windows/System32/config/
```

Verify File Integrity

```bash
# Check SAM file exists and size
stat /mnt/windows/Windows/System32/config/SAM
# List with details
ls -lh /mnt/windows/Windows/System32/config/SAM*
```
Interactive Password Reset Mode

List All Users

```bash
chntpw -l /path/to/SAM
```

Interactive Menu

```bash
chntpw /path/to/SAM
```

Menu Options:

1. Edit user password
2. List user names and RIDs
3. Add new user
4. Promote user to admin
5. Reset password field (blank password)
6. Clear user password (NT hash to empty)
7. Exit/quit

Step-by-Step Password Reset

```bash
# Start interactive session
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Example: Reset Administrator password
# 1. Select user (usually RID 500 for admin)
# 2. Choose option "1" to edit user
# 3. Set new password or leave blank
# 4. Type "q" to quit and save changes
```
Clearing Passwords (Blank Password)

Interactive Blank Password

```bash
sudo chntpw /mnt/windows/Windows/System32/config/SAM
# In menu: select user, choose "6" to blank password
# User can log in without a password
```

Command-Line Blank Password (Legacy Syntax)

```bash
# Blank the password of a specific user (by name or RID)
chntpw -u Administrator /path/to/SAM
```

Remove Password Hash Entirely

```bash
# Interactive: select user, clear password field
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Option 6: Clear password (sets NT hash to empty)
```
Promoting Users to Admin

Interactive Admin Promotion

```bash
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Select user
# Option 4: Promote to admin
# Confirm changes
```

Verify User Groups

```bash
# After promotion, user belongs to:
# - Administrators group (RID 544)
# - Users group (RID 545)
```
Registry Editing Mode

Access Registry Hives

```bash
# Edit SOFTWARE hive
chntpw -e /mnt/windows/Windows/System32/config/SOFTWARE
# Edit SYSTEM hive
chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# Edit SAM for user info
chntpw -e /mnt/windows/Windows/System32/config/SAM
```

Registry Navigation

```text
# List registry keys at current path
ls
# Change directory (navigate keys)
cd HKEY_LOCAL_MACHINE
# Go to specific key
cd "Microsoft\Windows NT\CurrentVersion"
# Go up one level
cd ..
# Go to root
cd \
```

Viewing Registry Values

```text
# List current key contents
ls
# Show value details
cat ValueName
# Display value type and data
get ValueName
```

Editing Registry Values

```text
# Edit value (create if missing)
ed ValueName
# Enter new value at prompt
# Delete value
del ValueName
# Set value type
type ValueName REG_SZ
```

Common Registry Tasks

```text
# Disable Windows Defender
cd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender"
ed DisableAntiSpyware
# Set value to 1
# Enable RDP
cd "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
ed fDenyTSConnections
# Set value to 0
# Set UAC level
cd "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ed EnableLUA
# Set value to 0
```
Common Scenarios

Locked Out Administrator Account

Scenario: Unable to log in to Windows, forgot admin password

```bash
# 1. Boot from Linux live USB
# 2. Mount Windows partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 3. Reset admin password
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 4. Select Administrator (usually RID 500)
# 5. Choose option 6 to blank password
# 6. Reboot system and log in without password
# 7. Once logged in, set permanent password
# Windows will prompt for new password on login
```

Promote Limited User to Admin

```bash
# 1. Boot live media and mount partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Start chntpw
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 3. Find the limited user
# (Option 2 to list all users)
# 4. Select target user
# 5. Choose option 4 to promote to admin
# 6. Confirm and save
```

Forensic Analysis of User Accounts

```bash
# 1. Mount partition read-only
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# 2. List all users and hash information
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM
# 3. Examine password hashes
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM | grep -i "rid"
# 4. Extract hashes for offline cracking
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM > hashes.txt
```

Disable Security Features via Registry

```bash
# 1. Mount Windows partition with write access
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Enter registry edit mode
sudo chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# 3. Navigate to terminal services
cd "ControlSet001\Control\Terminal Server"
# 4. Disable RDP requirement for network-level auth
ed fDenyTSConnections
# Enter 0
# 5. Disable Firewall (in different hive)
# Exit and edit SOFTWARE hive
```
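The forensic listing above, and the Verify User Groups step after a promotion, are easier to act on when two `chntpw -l` listings are compared rather than read by eye. The following Python script is an added example (not part of chntpw or of this page): it parses the user table that `chntpw -l` prints (RID in hex, username, an ADMIN flag, and a dis/lock flag) and diffs a baseline listing against a later one, so that accounts promoted to Administrators, accounts unlocked or enabled, and accounts added or removed are reported. The column layout is assumed from chntpw's output and the parser keys on the `|` separators rather than on fixed widths; both listings below are constructed sample data.

```python
"""Compare two 'chntpw -l' user listings and report account changes.

Added example, not chntpw's own code. Useful as an audit step after an
offline edit, or to spot changes made to a SAM hive by someone else.
"""
import re
from dataclasses import dataclass

# One table row: "| 01f4 | Administrator | ADMIN | dis/lock |".
# The header row starts with "| RID", which is not hex, so it is skipped.
ROW_RE = re.compile(r"^\|\s*([0-9a-fA-F]+)\s*\|(.*?)\|\s*(ADMIN)?\s*\|\s*([^|]*?)\s*\|")


@dataclass(frozen=True)
class Account:
    rid: int
    name: str
    admin: bool
    locked: bool   # chntpw prints "dis/lock" for disabled or locked accounts


def parse_listing(text: str) -> dict[int, Account]:
    """Return accounts keyed by RID; banner lines and anything non-tabular are ignored."""
    accounts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rid_hex, name, admin, lock = m.groups()
        rid = int(rid_hex, 16)
        # Any text in the Lock? column is treated as disabled/locked.
        accounts[rid] = Account(rid, name.strip(), admin is not None, lock != "")
    return accounts


def diff_listings(baseline: str, current: str) -> list[str]:
    """Describe every security-relevant difference between two listings, ordered by RID."""
    before, after = parse_listing(baseline), parse_listing(current)
    findings = []
    for rid in sorted(set(before) | set(after)):
        b, a = before.get(rid), after.get(rid)
        if b is None:
            findings.append(f"added: {a.name} (RID {rid})" + (" as ADMIN" if a.admin else ""))
        elif a is None:
            findings.append(f"removed: {b.name} (RID {rid})")
        else:
            if not b.admin and a.admin:
                findings.append(f"promoted to admin: {a.name} (RID {rid})")
            if b.locked and not a.locked:
                findings.append(f"unlocked/enabled: {a.name} (RID {rid})")
            if b.name != a.name:
                findings.append(f"renamed: {b.name} -> {a.name} (RID {rid})")
    return findings


# Constructed sample listings in the table format chntpw -l prints (assumed layout).
BASELINE = """\
Hive <SAM> name (from header): <\\SystemRoot\\System32\\Config\\SAM>
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | alice                          | ADMIN  |          |
| 03ea | bob                            |        |          |
"""

# Same hive after an offline edit: Administrator enabled, bob promoted, a new admin account.
CURRENT = """\
Hive <SAM> name (from header): <\\SystemRoot\\System32\\Config\\SAM>
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
| 03e9 | alice                          | ADMIN  |          |
| 03ea | bob                            | ADMIN  |          |
| 03eb | svc-backup                     | ADMIN  |          |
"""

if __name__ == "__main__":
    for finding in diff_listings(BASELINE, CURRENT):
        print(finding)
```

In practice, save the `chntpw -l` output of a read-only mount as the baseline (as in step 4 above), and run the diff against a fresh listing whenever the hive is suspected of having been modified.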
Syntax Reference

| Option | Purpose |
|---|---|
| -h | Display help message |
| -V | Show version information |
| -l | List users in SAM file |
| -u | Edit specific user |
| -e | Enter registry edit mode |
| -i | Interactive mode (guided menu) |
| -r | Read-only mode (safe browsing) |
| -n | Don't write changes on exit |
| -v | Verbose output |
| -p | Provide path to SAM file |
Important Considerations

SAM File Locks

```bash
# Windows locks the SAM file while running
# Solution: boot from live media or WinPE
# Check if file is locked
lsof /path/to/SAM
# Copy locked file (may fail)
cp /path/to/SAM SAM.bak
```

Registry Hive Versions

```bash
# Different Windows versions use different hive formats
# Windows 7/8/10/11: compatible with modern chntpw
# Windows XP/2003: may have compatibility issues
# Verify file type
file /path/to/SAM
```
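`file` and `stat` (Verify File Integrity above) only confirm that the file carries the registry signature and has a plausible size. The Python script below is an added example, not code from chntpw or from this page: it parses the base block (first 4096 bytes) of a hive and reports the declared format version, whether the primary and secondary sequence numbers agree (they differ when the hive was not cleanly flushed, which is the usual state of a hibernated or fast-started Windows volume), and whether the header checksum verifies. The field offsets are those of the documented regf base block layout; the sample hive is constructed in the script, not read from a real system.

```python
"""Inspect the base block of a Windows registry hive (SAM, SYSTEM, SOFTWARE).

Added example, not chntpw's own code. A dirty or checksum-failing header is a
reason to reboot Windows cleanly (or restore a backup) before editing the hive.
"""
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum field at 0x1FC."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        acc ^= dword
    # Two degenerate results are remapped, matching how Windows writes the field.
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def inspect_hive(data: bytes) -> dict:
    """Parse the base block and return findings; raise ValueError if this is not a hive."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a registry base block")
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != REGF_MAGIC:
        raise ValueError("missing 'regf' signature: not a registry hive")
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    timestamp = struct.unpack_from("<Q", block, 12)[0]
    major, minor, file_type, _fmt = struct.unpack_from("<IIII", block, 0x14)
    root_offset, bins_size = struct.unpack_from("<II", block, 0x24)
    # Embedded file name: UTF-16LE, NUL padded, at most 64 bytes.
    name = block[0x30:0x70].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "version": f"{major}.{minor}",
        "name": name,
        "last_written": filetime_to_datetime(timestamp),
        "dirty": seq1 != seq2,                       # unflushed transaction log data
        "checksum_ok": stored_checksum == regf_checksum(block),
        "is_primary": file_type == 0,                # 0 = primary hive file, not a .LOG
        "root_cell_offset": root_offset,
        "hbins_size": bins_size,
    }


def build_sample_hive(dirty: bool = False, corrupt: bool = False) -> bytes:
    """Constructed base block resembling a Windows 10 SAM hive header (not a real file)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    seq1, seq2 = (7, 6) if dirty else (7, 7)
    struct.pack_into("<II", block, 4, seq1, seq2)
    struct.pack_into("<Q", block, 12, 133485408000000000)   # 2024-01-01T00:00:00Z as FILETIME
    struct.pack_into("<IIII", block, 0x14, 1, 5, 0, 1)      # version 1.5, primary file, direct load
    struct.pack_into("<II", block, 0x24, 0x20, 0x1000)      # root cell offset, hbin data size
    block[0x30:0x36] = "SAM".encode("utf-16-le")
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    if corrupt:
        block[0x28] ^= 0xFF   # damage a header byte after checksumming so verification fails
    return bytes(block)


if __name__ == "__main__":
    samples = (("clean", build_sample_hive()),
               ("dirty", build_sample_hive(dirty=True)),
               ("corrupt", build_sample_hive(corrupt=True)))
    for label, sample in samples:
        print(label, inspect_hive(sample))
```

To check a real hive, read the first 4096 bytes of `/mnt/windows/Windows/System32/config/SAM` from a read-only mount and pass them to `inspect_hive`; a `dirty` result means the matching `.LOG` files hold changes not yet in the hive, which is also why a hibernated volume should be booted and shut down cleanly rather than edited.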
Backup Important Files

```bash
# Always back up before editing
cp /mnt/windows/Windows/System32/config/SAM SAM.backup
cp /mnt/windows/Windows/System32/config/SYSTEM SYSTEM.backup
# Keep original copies safe
tar -czf windows_registry_backup.tar.gz SAM.backup SYSTEM.backup
```

User Account Control (UAC) Bypass

```text
# Disabling UAC via registry
# cd to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
# Edit: EnableLUA value to 0
# Requires restart for changes to take effect
```
Troubleshooting

| Issue | Solution |
|---|---|
| "SAM file not found" | Verify the path is correct and the partition is mounted |
| "Permission denied" | Use sudo; ensure the partition is mounted with rw access |
| "Invalid partition" | Check the partition type with fdisk -l; a different filesystem driver may be needed |
| "Changes not saved" | Exit with 'q', answer the save prompt, and verify write permissions |
| "Hive appears corrupted" | Use the backup copy; check file integrity with stat |
Best Practices

- Always boot from clean media (live USB, WinPE) for password reset
- Mount Windows partition read-only until ready to make changes
- Create backups of SAM and SYSTEM files before editing
- Verify user exists before attempting password reset
- Test new credentials before removing recovery media
- Document changes made for audit trail (if applicable)
- Use interactive mode (-i) for guided, safer operation
- Keep chntpw updated to latest version for security fixes