chntpw
chntpw is a powerful offline Windows password and registry editor that allows you to reset or blank local user account passwords by directly editing the SAM (Security Account Manager) database and SYSTEM registry hive. It’s essential for password recovery, forensic analysis, and system recovery scenarios.
Installation
섹션 제목: “Installation”Linux (Debian/Ubuntu)
섹션 제목: “Linux (Debian/Ubuntu)”apt-get update
apt-get install chntpwLinux (Fedora/RHEL)
섹션 제목: “Linux (Fedora/RHEL)”dnf install chntpwFrom Source
섹션 제목: “From Source”git clone https://github.com/Principia-1/chntpw.git
cd chntpw/source
make
sudo make installVerify Installation
섹션 제목: “Verify Installation”chntpw -h
chntpw -VPrerequisites
섹션 제목: “Prerequisites”| Task | Requirement |
|---|---|
| Password reset | Boot media (Linux USB, WinPE, or live CD) |
| Access SAM/SYSTEM | Windows partition mounted or extracted |
| Registry editing | SYSTEM and SOFTWARE hives accessible |
| Write permissions | Mount with write permissions enabled |
| Hash viewing | Access to SAM file intact |
Mounting Windows Partitions
섹션 제목: “Mounting Windows Partitions”Identify Disks and Partitions
섹션 제목: “Identify Disks and Partitions”lsblk
fdisk -l
parted -lFind NTFS Partitions
섹션 제목: “Find NTFS Partitions”blkid | grep -i ntfs
fdisk -l | grep NTFSMount Windows Drive (Read-Only for Safety)
섹션 제목: “Mount Windows Drive (Read-Only for Safety)”# Create mount point
sudo mkdir -p /mnt/windows
# Mount read-only first (safe browsing)
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# Mount with write access (for editing)
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windowsMount with Read-Write
섹션 제목: “Mount with Read-Write”# NTFS (using ntfs-3g)
sudo mount -t ntfs-3g -o rw,remove_hiberfile /dev/sdX1 /mnt/windows
# Using mount.ntfs
sudo mount.ntfs -o force /dev/sdX1 /mnt/windowsUnmount When Done
섹션 제목: “Unmount When Done”sudo umount /mnt/windowsLocating SAM and System Files
섹션 제목: “Locating SAM and System Files”Standard Windows Paths
섹션 제목: “Standard Windows Paths”# SAM database location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# On mounted partition
/mnt/windows/Windows/System32/config/SAM
/mnt/windows/Windows/System32/config/SYSTEMFinding Files on Mounted Drive
섹션 제목: “Finding Files on Mounted Drive”find /mnt/windows -name "SAM" 2>/dev/null
find /mnt/windows/Windows/System32/config -type f
# List all config files
ls -la /mnt/windows/Windows/System32/config/Verify File Integrity
섹션 제목: “Verify File Integrity”# Check SAM file exists and size
stat /mnt/windows/Windows/System32/config/SAM
# List with details
ls -lh /mnt/windows/Windows/System32/config/SAM*Interactive Password Reset Mode
섹션 제목: “Interactive Password Reset Mode”List All Users
섹션 제목: “List All Users”chntpw -l /path/to/SAMInteractive Menu
섹션 제목: “Interactive Menu”chntpw /path/to/SAMMenu Options:
1— Edit user password2— List user names and RIDs3— Add new user4— Promote user to admin5— Reset password field (blank password)6— Clear user password (NT hash to empty)7— Exit/quit
Step-by-Step Password Reset
섹션 제목: “Step-by-Step Password Reset”# Start interactive session
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Example: Reset Administrator password
# 1. Select user (usually RID 500 for admin)
# 2. Choose option "1" to edit user
# 3. Set new password or leave blank
# 4. Type "q" to quit and save changesClearing Passwords (Blank Password)
섹션 제목: “Clearing Passwords (Blank Password)”Interactive Blank Password
섹션 제목: “Interactive Blank Password”sudo chntpw /mnt/windows/Windows/System32/config/SAM
# In menu: Select user, choose "6" to blank password
# User can login without passwordCommand-Line Blank Password (Legacy Syntax)
섹션 제목: “Command-Line Blank Password (Legacy Syntax)”# Blank user password for specific RID
chntpw -u Administrator /path/to/SAMRemove Password Hash Entirely
섹션 제목: “Remove Password Hash Entirely”# Interactive: select user, clear password field
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Option 6: Clear password (sets NT hash to empty)Promoting Users to Admin
섹션 제목: “Promoting Users to Admin”Interactive Admin Promotion
섹션 제목: “Interactive Admin Promotion”sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Select user
# Option 4: Promote to admin
# Confirm changesVerify User Groups
섹션 제목: “Verify User Groups”# After promotion, user belongs to:
# - Administrators group (RID 544)
# - Users group (RID 545)Registry Editing Mode
섹션 제목: “Registry Editing Mode”Access Registry Hives
섹션 제목: “Access Registry Hives”# Edit SOFTWARE hive
chntpw -e /mnt/windows/Windows/System32/config/SOFTWARE
# Edit SYSTEM hive
chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# Edit SAM for user info
chntpw -e /mnt/windows/Windows/System32/config/SAMRegistry Navigation
섹션 제목: “Registry Navigation”# List registry keys at current path
ls
# Change directory (navigate keys)
cd HKEY_LOCAL_MACHINE
# Go to specific key
cd "Microsoft\Windows NT\CurrentVersion"
# Go up one level
cd ..
# Go to root
cd \Viewing Registry Values
섹션 제목: “Viewing Registry Values”# List current key contents
ls
# Show value details
cat ValueName
# Display value type and data
get ValueNameEditing Registry Values
섹션 제목: “Editing Registry Values”# Edit value (create if missing)
ed ValueName
# Enter new value at prompt
# Delete value
del ValueName
# Set value type
type ValueName REG_SZCommon Registry Tasks
섹션 제목: “Common Registry Tasks”# Disable Windows Defender
cd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender"
ed DisableAntiSpyware
# Set value to 1
# Enable RDP
cd "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
ed fDenyTSConnections
# Set value to 0
# Set UAC level
cd "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ed EnableLUA
# Set value to 0Common Scenarios
섹션 제목: “Common Scenarios”Locked Out Administrator Account
섹션 제목: “Locked Out Administrator Account”Scenario: Unable to login to Windows, forgot admin password
# 1. Boot from Linux live USB
# 2. Mount Windows partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 3. Reset admin password
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 4. Select Administrator (usually RID 500)
# 5. Choose option 6 to blank password
# 6. Reboot system and login without password
# 7. Once logged in, set permanent password
# Windows will prompt for new password on loginPromote Limited User to Admin
섹션 제목: “Promote Limited User to Admin”# 1. Boot live media and mount partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Start chntpw
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 3. Find the limited user
# (Option 2 to list all users)
# 4. Select target user
# 5. Choose option 4 to promote to admin
# 6. Confirm and saveForensic Analysis of User Accounts
섹션 제목: “Forensic Analysis of User Accounts”# 1. Mount partition read-only
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# 2. List all users and hash information
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM
# 3. Examine password hashes
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM | grep -i "rid"
# 4. Extract hashes for offline cracking
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM > hashes.txtDisable Security Features via Registry
섹션 제목: “Disable Security Features via Registry”# 1. Mount Windows partition with write access
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Enter registry edit mode
sudo chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# 3. Navigate to terminal services
cd "ControlSet001\Control\Terminal Server"
# 4. Disable RDP requirement for network-level auth
ed fDenyTSConnections
# Enter 0
# 5. Disable Firewall (in different hive)
# Exit and edit SOFTWARE hiveSyntax Reference
섹션 제목: “Syntax Reference”| Option | Purpose |
|---|---|
-h | Display help message |
-V | Show version information |
-l | List users in SAM file |
-u | Edit specific user |
-e | Enter registry edit mode |
-i | Interactive mode (guided menu) |
-r | Read-only mode (safe browsing) |
-n | Don’t write changes on exit |
-v | Verbose output |
-p | Provide path to SAM file |
Important Considerations
섹션 제목: “Important Considerations”SAM File Locks
섹션 제목: “SAM File Locks”# Windows locks SAM file when running
# Solution: Boot from live media or WinPE
# Check if file is locked
lsof /path/to/SAM
# Copy locked file (may fail)
cp /path/to/SAM SAM.bakRegistry Hive Versions
섹션 제목: “Registry Hive Versions”# Different Windows versions use different hive formats
# Windows 7/8/10/11 — compatible with modern chntpw
# Windows XP/2003 — may have compatibility issues
# Verify file type
file /path/to/SAMBackup Important Files
섹션 제목: “Backup Important Files”# Always backup before editing
cp /mnt/windows/Windows/System32/config/SAM SAM.backup
cp /mnt/windows/Windows/System32/config/SYSTEM SYSTEM.backup
# Keep original copies safe
tar -czf windows_registry_backup.tar.gz SAM.backup SYSTEM.backupUser Account Control (UAC) Bypass
섹션 제목: “User Account Control (UAC) Bypass”# Disabling UAC via registry
# cd to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
# Edit: EnableLUA value to 0
# Requires restart for changes to take effectTroubleshooting
섹션 제목: “Troubleshooting”| Issue | Solution |
|---|---|
| ”SAM file not found” | Verify path is correct, check mounted partition |
| ”Permission denied” | Use sudo, ensure partition mounted with rw access |
| ”Invalid partition” | Check partition type with fdisk -l, may need different filesystem driver |
| ”Changes not saved” | Confirm exit with ‘q’ and save prompt, verify write permissions |
| ”Hive appears corrupted” | Use backup copy, check file integrity with stat |
Best Practices
섹션 제목: “Best Practices”- Always boot from clean media (live USB, WinPE) for password reset
- Mount Windows partition read-only until ready to make changes
- Create backups of SAM and SYSTEM files before editing
- Verify user exists before attempting password reset
- Test new credentials before removing recovery media
- Document changes made for audit trail (if applicable)
- Use interactive mode (
-i) for guided, safer operation - Keep chntpw updated to latest version for security fixes