chntpw

chntpw is a powerful offline Windows password and registry editor that allows you to reset or blank local user account passwords by directly editing the SAM (Security Account Manager) database and SYSTEM registry hive. It’s essential for password recovery, forensic analysis, and system recovery scenarios.

Installation

Linux (Debian/Ubuntu)

apt-get update
apt-get install chntpw

Linux (Fedora/RHEL)

dnf install chntpw

From Source

git clone https://github.com/Principia-1/chntpw.git
cd chntpw/source
make
sudo make install

Verify Installation

chntpw -h
chntpw -V

Prerequisites

Task	Requirement
Password reset	Boot media (Linux USB, WinPE, or live CD)
Access SAM/SYSTEM	Windows partition mounted or extracted
Registry editing	SYSTEM and SOFTWARE hives accessible
Write permissions	Mount with write permissions enabled
Hash viewing	Access to SAM file intact

Mounting Windows Partitions

Identify Disks and Partitions

lsblk
fdisk -l
parted -l

Find NTFS Partitions

blkid | grep -i ntfs
fdisk -l | grep NTFS

Mount Windows Drive (Read-Only for Safety)

# Create mount point
sudo mkdir -p /mnt/windows

# Mount read-only first (safe browsing)
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows

# Mount with write access (for editing)
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows

Mount with Read-Write

# NTFS (using ntfs-3g)
sudo mount -t ntfs-3g -o rw,remove_hiberfile /dev/sdX1 /mnt/windows

# Using mount.ntfs
sudo mount.ntfs -o force /dev/sdX1 /mnt/windows

Unmount When Done

sudo umount /mnt/windows

Locating SAM and System Files

Standard Windows Paths

# SAM database location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM

# On mounted partition
/mnt/windows/Windows/System32/config/SAM
/mnt/windows/Windows/System32/config/SYSTEM

Finding Files on Mounted Drive

find /mnt/windows -name "SAM" 2>/dev/null
find /mnt/windows/Windows/System32/config -type f

# List all config files
ls -la /mnt/windows/Windows/System32/config/

Verify File Integrity

# Check SAM file exists and size
stat /mnt/windows/Windows/System32/config/SAM

# List with details
ls -lh /mnt/windows/Windows/System32/config/SAM*

Interactive Password Reset Mode

List All Users

chntpw -l /path/to/SAM

Interactive Menu

chntpw /path/to/SAM

Menu Options:

• 1 — Edit user password
• 2 — List user names and RIDs
• 3 — Add new user
• 4 — Promote user to admin
• 5 — Reset password field (blank password)
• 6 — Clear user password (NT hash to empty)
• 7 — Exit/quit

Step-by-Step Password Reset

# Start interactive session
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM

# Example: Reset Administrator password
# 1. Select user (usually RID 500 for admin)
# 2. Choose option "1" to edit user
# 3. Set new password or leave blank
# 4. Type "q" to quit and save changes

Clearing Passwords (Blank Password)

Interactive Blank Password

sudo chntpw /mnt/windows/Windows/System32/config/SAM

# In menu: Select user, choose "6" to blank password
# User can login without password

Command-Line Blank Password (Legacy Syntax)

# Blank user password for specific RID
chntpw -u Administrator /path/to/SAM

Remove Password Hash Entirely

# Interactive: select user, clear password field
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM

# Option 6: Clear password (sets NT hash to empty)

Promoting Users to Admin

Interactive Admin Promotion

sudo chntpw -i /mnt/windows/Windows/System32/config/SAM

# Select user
# Option 4: Promote to admin
# Confirm changes

Verify User Groups

# After promotion, user belongs to:
# - Administrators group (RID 544)
# - Users group (RID 545)

Registry Editing Mode

Access Registry Hives

# Edit SOFTWARE hive
chntpw -e /mnt/windows/Windows/System32/config/SOFTWARE

# Edit SYSTEM hive
chntpw -e /mnt/windows/Windows/System32/config/SYSTEM

# Edit SAM for user info
chntpw -e /mnt/windows/Windows/System32/config/SAM

Registry Navigation

# List registry keys at current path
ls

# Change directory (navigate keys)
cd HKEY_LOCAL_MACHINE

# Go to specific key
cd "Microsoft\Windows NT\CurrentVersion"

# Go up one level
cd ..

# Go to root
cd \

Viewing Registry Values

# List current key contents
ls

# Show value details
cat ValueName

# Display value type and data
get ValueName

Editing Registry Values

# Edit value (create if missing)
ed ValueName
# Enter new value at prompt

# Delete value
del ValueName

# Set value type
type ValueName REG_SZ

Common Registry Tasks

# Disable Windows Defender
cd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender"
ed DisableAntiSpyware
# Set value to 1

# Enable RDP
cd "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
ed fDenyTSConnections
# Set value to 0

# Set UAC level
cd "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ed EnableLUA
# Set value to 0

Common Scenarios

Locked Out Administrator Account

Scenario: Unable to login to Windows, forgot admin password

# 1. Boot from Linux live USB
# 2. Mount Windows partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows

# 3. Reset admin password
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM

# 4. Select Administrator (usually RID 500)
# 5. Choose option 6 to blank password
# 6. Reboot system and login without password

# 7. Once logged in, set permanent password
# Windows will prompt for new password on login

Promote Limited User to Admin

# 1. Boot live media and mount partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows

# 2. Start chntpw
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM

# 3. Find the limited user
# (Option 2 to list all users)

# 4. Select target user
# 5. Choose option 4 to promote to admin
# 6. Confirm and save

Forensic Analysis of User Accounts

# 1. Mount partition read-only
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows

# 2. List all users and hash information
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM

# 3. Examine password hashes
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM | grep -i "rid"

# 4. Extract hashes for offline cracking
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM > hashes.txt

Disable Security Features via Registry

# 1. Mount Windows partition with write access
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows

# 2. Enter registry edit mode
sudo chntpw -e /mnt/windows/Windows/System32/config/SYSTEM

# 3. Navigate to terminal services
cd "ControlSet001\Control\Terminal Server"

# 4. Disable RDP requirement for network-level auth
ed fDenyTSConnections
# Enter 0

# 5. Disable Firewall (in different hive)
# Exit and edit SOFTWARE hive

Syntax Reference

Option	Purpose
-h	Display help message
-V	Show version information
-l	List users in SAM file
-u	Edit specific user
-e	Enter registry edit mode
-i	Interactive mode (guided menu)
-r	Read-only mode (safe browsing)
-n	Don’t write changes on exit
-v	Verbose output
-p	Provide path to SAM file

Important Considerations

SAM File Locks

# Windows locks SAM file when running
# Solution: Boot from live media or WinPE

# Check if file is locked
lsof /path/to/SAM

# Copy locked file (may fail)
cp /path/to/SAM SAM.bak

Registry Hive Versions

# Different Windows versions use different hive formats
# Windows 7/8/10/11 — compatible with modern chntpw
# Windows XP/2003 — may have compatibility issues

# Verify file type
file /path/to/SAM

Backup Important Files

# Always backup before editing
cp /mnt/windows/Windows/System32/config/SAM SAM.backup
cp /mnt/windows/Windows/System32/config/SYSTEM SYSTEM.backup

# Keep original copies safe
tar -czf windows_registry_backup.tar.gz SAM.backup SYSTEM.backup

User Account Control (UAC) Bypass

# Disabling UAC via registry
# cd to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
# Edit: EnableLUA value to 0
# Requires restart for changes to take effect

Troubleshooting

Issue	Solution
”SAM file not found”	Verify path is correct, check mounted partition
”Permission denied”	Use sudo, ensure partition mounted with rw access
”Invalid partition”	Check partition type with fdisk -l, may need different filesystem driver
”Changes not saved”	Confirm exit with ‘q’ and save prompt, verify write permissions
”Hive appears corrupted”	Use backup copy, check file integrity with stat

Best Practices

• Always boot from clean media (live USB, WinPE) for password reset
• Mount Windows partition read-only until ready to make changes
• Create backups of SAM and SYSTEM files before editing
• Verify user exists before attempting password reset
• Test new credentials before removing recovery media
• Document changes made for audit trail (if applicable)
• Use interactive mode (-i) for guided, safer operation
• Keep chntpw updated to latest version for security fixes