Resetting Windows Passwords with Knoppix
Inspired by/Information from KNOPPIX HACKS O'Reilly book, using captive-ntfs and chntpw utility.
Resetting Lost Windows NT Passwords with KNOPPIX Linux

Situation: You have forgotten a local user password on a Microsoft Windows NT, 2000, XP, 2003 computer. This is especially useful if the forgotten password is for the ‘Administrator’ account.

What you’ll need: A copy of KNOPPIX Linux. Any version should do fine, in my example I am using KNOPPIX 3.4 which is actually slightly outdated, but we don’t need any of the newer KNOPPIX features for this example.

User accounts have an interesting history in Windows. The Windows 9x series did offer usernames and passwords, but every user could overwrite every other user’s files, and the system did not offer any real security. If you forgot your password in Windows 9x, resetting it is as simple as deleting a .pwd file with a DOS disk. With Windows NT, 2000, and XP, Microsoft has increased its user security by creating different user accounts on the same system and passwords that protect them. However, unlike in Windows 9x, if you forget your Administrator password, your only recourse is to purchase a tool to reset your Windows password or to reinstall Windows to create a new administrator account.

If you have a Knoppix disc, you can download and use the ‘chntpw’ tool, which is a small program that lets you reset the local passwords on a Windows system, and return to your system.

First step is, obviously, to boot the computer with Knoppix. There are multiple ways to get chntpw, but luckily for us, it’s now part of Debian’s ‘unstable’ repositories. Since Knoppix is Debian based, we can get the latest .deb file from http://packages.debian.org/unstable/admin/chntpw. Download the file to your /home/Knoppix folder. Since most of the Knoppix system is read-only, we can’t directly install the .deb package. Instead, you must convert it to a tar file, and then extract out the chntpw utility. Open up a terminal and run the following commands:

Code:
Knoppix@ttyp1[knoppix]$ alien --to-tgz chntpw_<version>.deb

To reset the password, you must have write permissions on the Windows partition. If you have a FAT or FAT32 Windows partition, this is easy. However, the standard and common file system for Windows NT, 2000, and XP is NTFS. So now I will explain how to mount your Windows partition using ‘captive-ntfs’.

As of Knoppix 3.4, Captive NTFS is included on the CD. Captive NTFS is actually a process that uses the NTFS drivers that Windows itself uses. Though it has worked for many people, it is still considered somewhat experimental, and anything of great importance should be backed up prior to use.

Knoppix includes an easy-to-use Captive NTFS wizard which will scan the hard drives for the necessary NTFS .dlls. Access the wizard by K-Menu -> KNOPPIX -> Utilities -> Captive NTFS. Click forward to see a list of the system files that Captive NTFS has already located on your Knoppix system. Click forward again, and the wizard mounts and scans your hard drives for the essential files it needs. Once Captive NTFS has the module it needs, it activates the OK button even though it continues to scan other directories and partitions for drivers. If you are in a hurry, you can click OK to immediately mount the NTFS partitions. If you wait for the scan to finish, you are prompted with an option to specify locations for drivers, such as a USB flash drive, or click forward to download the drivers from the Windows XP Service Pack 1.

Once you are finished with the wizard, you are ready to mount an NTFS partition. Open up a terminal and use the following command:

Code:
Knoppix@ttyp1[knoppix]$ sudo mount -t captive-ntfs -o uid=Knoppix,gid=Knoppix /dev/hda1 /mnt/hda1

Make sure to unmount the drive after you’re done to be sure that changes are synced!!!!

Code:
Knoppix@ttyp1[knoppix]$ sudo umount /mnt/hda1

Code:
Knoppix@ttyp1[config]$ /home/Knoppix/chntpw SAM

Code:
Please enter new password: *

There you go! You should now have a blank password on the local Administrator account of that Windows installation. If you want to reset the password for any account other than ‘Administrator’ you can use the following commands:

Code:
Knoppix@ttyp1[config]$ /home/knoppix/chntpw -l SAM

Code:
Knoppix@ttyp1[config]$ /home/knoppix/chntpw -u username SAM

Once you have changed the password and saved your changes, unmount the filesystem and reboot:

Code:
Knoppix@ttyp1[config]$ cd |
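The post above advises backing up anything important before writing through Captive NTFS. As an added example (not part of the original post), these shell functions copy the SAM hive and its sibling hives out of the mounted config directory with checksums before chntpw edits anything, and restore them only if the backup still verifies. The function names and the directory arguments are assumptions, and sha256sum must be available on the boot CD.

```shell
#!/bin/sh
# Added example: back up registry hives before editing them offline.
# Hypothetical helper names; both directories are passed in by the caller.

# backup_hives CONFIG_DIR BACKUP_DIR
# Copies SAM, SYSTEM and SECURITY (whichever exist) and records checksums.
backup_hives() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    : > "$dst/SHA256SUMS"
    found=0
    for hive in SAM SYSTEM SECURITY; do
        [ -f "$src/$hive" ] || continue
        cp -p "$src/$hive" "$dst/$hive" || return 1
        (cd "$dst" && sha256sum "$hive" >> SHA256SUMS) || return 1
        found=$((found + 1))
    done
    [ "$found" -gt 0 ] || { echo "no hives found in $src" >&2; return 1; }
    # Read the copies back and compare before anything is modified.
    (cd "$dst" && sha256sum -c --quiet SHA256SUMS) || return 1
}

# hive_changed CONFIG_DIR BACKUP_DIR HIVE
# Returns 0 if the live hive differs from (or is missing next to) the
# backup copy, 1 if the two files are byte-for-byte identical.
hive_changed() {
    ! cmp -s "$1/$3" "$2/$3"
}

# restore_hives CONFIG_DIR BACKUP_DIR
# Refuses to restore unless the backup still matches its checksums.
restore_hives() {
    src=$1; dst=$2
    (cd "$dst" && sha256sum -c --quiet SHA256SUMS) || {
        echo "backup failed verification, not restoring" >&2; return 1; }
    for hive in SAM SYSTEM SECURITY; do
        [ -f "$dst/$hive" ] || continue
        cp -p "$dst/$hive" "$src/$hive" || return 1
    done
}
```

Keep the backup directory somewhere other than the NTFS partition being edited, such as a USB flash drive.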
Nice, this would also fit very nicely in the Tutorials section. If you submit it there it's less likely to get buried under other posts.
|
submitted :)
|
UPDATED: Knoppix 4.02 CD, for Dell intel controller and SATA drive with NTFS partition.
problems: Knoppix 4 CD does not contain captive-ntfs. I am using a new Dell with SATA and an Intel controller (it seems Knoppix is one of the few distros with the ability to recognize the drives - /dev/sda).
1. Mount the NTFS partition using the instructions on the KNOPPIX CD: "It will work on Knoppix 4 (adding a few files, modifying files) using the description in the KNOPPIX/linux-ntfs/FOR-DEVELOPERS.txt for libntfs+fuse, or regularly and transparent on Knoppix 5 with the included mount.ntfs". -Klaus Knopper
2. Continue with chntpw instructions above.
Good luck |
Nice thread. Posting here to subscribe. Anyway, I have a Linux-like boot CD which I used on my Windows 2000 installation to recover my password. I have Knoppix too, and will try my hand at this one too. You can make a nice tutorial on this one.
|
thanks for the update...
Yeah, I should probably rewrite this tutorial for Knoppix 5... but... even I don't have Knoppix 5 yet :P soon enough though :) |
erm... could this be used to change passwords on our 2003 server? Better lock the Server room I think!
|
A lot easier is the Offline NT Password & Registry Editor, an open-source program that comes on a boot floppy or boot CD and can safely change arbitrary passwords or registry entries on NTFS.
|
Nope. sorry spooon. The Offline NT Password & Registry Editor, which is a great product, also did not recognize the Dell SATA controller. Maybe with the next driver update.
|
A little bit of additional info
I am a newbie. Following your instructions I noticed that each time I would scan to get my captive ntfs.sys module enabled, my captive screen would just disappear. Later on I figured out that this was due to the fact that if you run Knoppix 3.6 and you go to run Captive NTFS from the Knoppix Utilities menu, it runs as the knoppix user and not as root. Also, if I tried to log in as root it would request a password. After playing with it I figured out the way around this limitation. So the following steps fixed my problem:
1. I opened a shell and entered sudo -s, which allowed me to get a root shell.
2. I copied two files from /mnt/hda1/windows/system32/drivers to /var/lib/captive:
cp /mnt/hda1/windows/system32/drivers/ntfs.sys /var/lib/captive/
cp /mnt/hda1/windows/system32/drivers/ntoskrnl.exe /var/lib/captive/
3. I ran the previously provided command with a small difference: I changed my uid to lowercase, as my shell showed:
mount -t captive-ntfs -o uid=knoppix,gid=knoppix /dev/hda1 /mnt/hda1
and it worked.
I hope that this comment will help other newbies like me. I assume that when this post was placed it was assumed that the user would run the Knoppix Captive NTFS utility as root. |
I've needed this once, and I used a "distro" called Ophcrack. Couldn't be simpler, just boot from the cd and the password for windows admin was recovered in less than 5 minutes. Didn't require any clicking at all. All automatic:) And the computer didn't even have a fast cpu.
|
Great post.
I followed the instructions and made the pw reset.
I have a further question about resetting the password remotely. Can Knoppix remotely change a user's password? In other words, can we change any user's account while the OS (Windows) is running? Thanks. |
Can this method be used on vista?
|