chntpw
chntpw is a powerful offline Windows password and registry editor that allows you to reset or blank local user account passwords by directly editing the SAM (Security Account Manager) database and SYSTEM registry hive. It’s essential for password recovery, forensic analysis, and system recovery scenarios.
Installation
Linux (Debian/Ubuntu)
apt-get update
apt-get install chntpwLinux (Fedora/RHEL)
dnf install chntpwFrom Source
git clone https://github.com/Principia-1/chntpw.git
cd chntpw/source
make
sudo make installVerify Installation
chntpw -h
chntpw -VPrerequisites
| Task | Requirement |
|---|---|
| Password reset | Boot media (Linux USB, WinPE, or live CD) |
| Access SAM/SYSTEM | Windows partition mounted or extracted |
| Registry editing | SYSTEM and SOFTWARE hives accessible |
| Write permissions | Mount with write permissions enabled |
| Hash viewing | Access to SAM file intact |
Mounting Windows Partitions
Identify Disks and Partitions
lsblk
fdisk -l
parted -lFind NTFS Partitions
blkid | grep -i ntfs
fdisk -l | grep NTFSMount Windows Drive (Read-Only for Safety)
# Create mount point
sudo mkdir -p /mnt/windows
# Mount read-only first (safe browsing)
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# Mount with write access (for editing)
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windowsMount with Read-Write
# NTFS (using ntfs-3g)
sudo mount -t ntfs-3g -o rw,remove_hiberfile /dev/sdX1 /mnt/windows
# Using mount.ntfs
sudo mount.ntfs -o force /dev/sdX1 /mnt/windowsUnmount When Done
sudo umount /mnt/windowsLocating SAM and System Files
Standard Windows Paths
# SAM database location
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
# On mounted partition
/mnt/windows/Windows/System32/config/SAM
/mnt/windows/Windows/System32/config/SYSTEMFinding Files on Mounted Drive
find /mnt/windows -name "SAM" 2>/dev/null
find /mnt/windows/Windows/System32/config -type f
# List all config files
ls -la /mnt/windows/Windows/System32/config/Verify File Integrity
# Check SAM file exists and size
stat /mnt/windows/Windows/System32/config/SAM
# List with details
ls -lh /mnt/windows/Windows/System32/config/SAM*Interactive Password Reset Mode
List All Users
chntpw -l /path/to/SAMInteractive Menu
chntpw /path/to/SAMMenu Options:
1— Edit user password2— List user names and RIDs3— Add new user4— Promote user to admin5— Reset password field (blank password)6— Clear user password (NT hash to empty)7— Exit/quit
Step-by-Step Password Reset
# Start interactive session
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Example: Reset Administrator password
# 1. Select user (usually RID 500 for admin)
# 2. Choose option "1" to edit user
# 3. Set new password or leave blank
# 4. Type "q" to quit and save changesClearing Passwords (Blank Password)
Interactive Blank Password
sudo chntpw /mnt/windows/Windows/System32/config/SAM
# In menu: Select user, choose "6" to blank password
# User can login without passwordCommand-Line Blank Password (Legacy Syntax)
# Blank user password for specific RID
chntpw -u Administrator /path/to/SAMRemove Password Hash Entirely
# Interactive: select user, clear password field
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Option 6: Clear password (sets NT hash to empty)Promoting Users to Admin
Interactive Admin Promotion
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# Select user
# Option 4: Promote to admin
# Confirm changesVerify User Groups
# After promotion, user belongs to:
# - Administrators group (RID 544)
# - Users group (RID 545)Registry Editing Mode
Access Registry Hives
# Edit SOFTWARE hive
chntpw -e /mnt/windows/Windows/System32/config/SOFTWARE
# Edit SYSTEM hive
chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# Edit SAM for user info
chntpw -e /mnt/windows/Windows/System32/config/SAMRegistry Navigation
# List registry keys at current path
ls
# Change directory (navigate keys)
cd HKEY_LOCAL_MACHINE
# Go to specific key
cd "Microsoft\Windows NT\CurrentVersion"
# Go up one level
cd ..
# Go to root
cd \Viewing Registry Values
# List current key contents
ls
# Show value details
cat ValueName
# Display value type and data
get ValueNameEditing Registry Values
# Edit value (create if missing)
ed ValueName
# Enter new value at prompt
# Delete value
del ValueName
# Set value type
type ValueName REG_SZCommon Registry Tasks
# Disable Windows Defender
cd "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender"
ed DisableAntiSpyware
# Set value to 1
# Enable RDP
cd "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
ed fDenyTSConnections
# Set value to 0
# Set UAC level
cd "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ed EnableLUA
# Set value to 0Common Scenarios
Locked Out Administrator Account
Scenario: Unable to login to Windows, forgot admin password
# 1. Boot from Linux live USB
# 2. Mount Windows partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 3. Reset admin password
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 4. Select Administrator (usually RID 500)
# 5. Choose option 6 to blank password
# 6. Reboot system and login without password
# 7. Once logged in, set permanent password
# Windows will prompt for new password on loginPromote Limited User to Admin
# 1. Boot live media and mount partition
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Start chntpw
sudo chntpw -i /mnt/windows/Windows/System32/config/SAM
# 3. Find the limited user
# (Option 2 to list all users)
# 4. Select target user
# 5. Choose option 4 to promote to admin
# 6. Confirm and saveForensic Analysis of User Accounts
# 1. Mount partition read-only
sudo mount -t ntfs-3g -o ro /dev/sdX1 /mnt/windows
# 2. List all users and hash information
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM
# 3. Examine password hashes
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM | grep -i "rid"
# 4. Extract hashes for offline cracking
sudo chntpw -l /mnt/windows/Windows/System32/config/SAM > hashes.txtDisable Security Features via Registry
# 1. Mount Windows partition with write access
sudo mount -t ntfs-3g -o rw /dev/sdX1 /mnt/windows
# 2. Enter registry edit mode
sudo chntpw -e /mnt/windows/Windows/System32/config/SYSTEM
# 3. Navigate to terminal services
cd "ControlSet001\Control\Terminal Server"
# 4. Disable RDP requirement for network-level auth
ed fDenyTSConnections
# Enter 0
# 5. Disable Firewall (in different hive)
# Exit and edit SOFTWARE hiveSyntax Reference
| Option | Purpose |
|---|---|
-h | Display help message |
-V | Show version information |
-l | List users in SAM file |
-u | Edit specific user |
-e | Enter registry edit mode |
-i | Interactive mode (guided menu) |
-r | Read-only mode (safe browsing) |
-n | Don’t write changes on exit |
-v | Verbose output |
-p | Provide path to SAM file |
Important Considerations
SAM File Locks
# Windows locks SAM file when running
# Solution: Boot from live media or WinPE
# Check if file is locked
lsof /path/to/SAM
# Copy locked file (may fail)
cp /path/to/SAM SAM.bakRegistry Hive Versions
# Different Windows versions use different hive formats
# Windows 7/8/10/11 — compatible with modern chntpw
# Windows XP/2003 — may have compatibility issues
# Verify file type
file /path/to/SAMBackup Important Files
# Always backup before editing
cp /mnt/windows/Windows/System32/config/SAM SAM.backup
cp /mnt/windows/Windows/System32/config/SYSTEM SYSTEM.backup
# Keep original copies safe
tar -czf windows_registry_backup.tar.gz SAM.backup SYSTEM.backupUser Account Control (UAC) Bypass
# Disabling UAC via registry
# cd to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
# Edit: EnableLUA value to 0
# Requires restart for changes to take effectTroubleshooting
| Issue | Solution |
|---|---|
| ”SAM file not found” | Verify path is correct, check mounted partition |
| ”Permission denied” | Use sudo, ensure partition mounted with rw access |
| ”Invalid partition” | Check partition type with fdisk -l, may need different filesystem driver |
| ”Changes not saved” | Confirm exit with ‘q’ and save prompt, verify write permissions |
| ”Hive appears corrupted” | Use backup copy, check file integrity with stat |
Best Practices
- Always boot from clean media (live USB, WinPE) for password reset
- Mount Windows partition read-only until ready to make changes
- Create backups of SAM and SYSTEM files before editing
- Verify user exists before attempting password reset
- Test new credentials before removing recovery media
- Document changes made for audit trail (if applicable)
- Use interactive mode (
-i) for guided, safer operation - Keep chntpw updated to latest version for security fixes