Windows XP passwords recovery

How many times have you forgotten your Windows Xp user or administrator account password even if it is just by a few characters. We are all human and when our brains get overwhelmed we tend to forget very basic stuff. The following is an overview on how you can recovery your password using Bootdisk/Cd Password Recovery.

First you need to download the bootdisk/cd image and create the boot cd. Unzip the downloaded ZIP file and you will have an ISO file which can be burnt on CD. Once the Cd is burnt you should have files like initrd.gz, vmlinuz, syslinux and some other files. Your boot cd is now ready for some password recovery.

Insert the created boot cd into your cd drive and boot from it. Some systems are preset to boot from the cd drive and will boot up the cd automatically. However there are some systems that will need you to pop up the boot menu where you will select your cd drive as your boot option. If your system does not have a boot menu prompt then you will have to change your boot order from BIOS.

Changing the boot order will depend on the computer make, some you need to press F2, Esc, F11, F10, Del to get into the BIOS and change the boot order. If you do not know what you are doing then stop, because messing up with your BIOS settings can stop your computer from booting.

Once you manage to get the cd to boot you will have the following on your display:

ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin

* *
* Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD *
* *
* (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2 *
* *
* *
* More info at: *
* Email : *
* *
* CD build date: Sun Sep 23 14:15:35 CEST 2007 *

Press enter to boot, or give linux kernel boot options first if needed.
Some that I have to use once in a while:
boot nousb - to turn off USB if not used and it causes problems
boot irqpoll - if some drivers hang with irq problem messages
boot nodrivers - skip automatic disk driver loading


When you get here just press ENTER, unless you are Linux guru and can edit kernel options. The display will then output some lines about your hardware, you need not to worry about this:

Loading vmlinuz..................
Loading scsi.cgz.........................

Loading initrd.cgz..........
Linux version (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
792MB LOWMEM available.
Zone PFN ranges:
DMA 0 -> 4096
Normal 4096 -> 202752
early_node_map[1] active PFN ranges


Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Floppy drive(s): fd0 is 1.44M
FDC 0 is a post-1991 82077
RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
USB Universal Host Controller Interface driver v3.0
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
serio: i8042 KBD port at 0x60,0x64 irq 1
serio: i8042 AUX port at 0x60,0x64 irq 12
usbcore: registered new interface driver usbhid
drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
Using IPI Shortcut mode
BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
Freeing unused kernel memory: 144k freed
Booting ntpasswd
Mounting: proc sys
Ramdisk setup complete, stage separation..
In stage 2
Spawning shells on console 2 - 6
Initialization complete!

** Preparing driver modules to dir /lib/modules/
input: AT Translated Set 2 keyboard as /class/input/input0

Now with most of the generic linux boot done it will need to load drivers for you hardware. There will be messages on your display as the cd tries various drivers for your hardware. Once the driver loading is done you will see the following message and we need to proceed:

Driver load done, if none loaded, you may try manual instead.

** If no disk show up, you may have to try again (d option) or manual (m).

Don’t worry much because you can later load more drivers as required. Once the boot up process is done and the program has scanned you Hard Disk Drives for Windows installations it will display some information that looks like below. In this case one drive has found with a Windows installation.

* Windows Registry Edit Utility Floppy / chntpw *
* (c) 1997 - 2007 Petter N Hagen - *
* GNU GPL v2 license, see files on CD *
* *
* This utility will enable you to change or blank the password of *
* any user (incl. administrator) on an Windows NT/2k/XP/Vista *
* WITHOUT knowing the old password. *
* Unlocking locked/disabled accounts also supported. *
* *
* It also has a registry editor, and there is now support for *
* adding and deleting keys and values. *
* *
* Tested on: NT3.51 & NT4: Workstation, Server, PDC. *
* Win2k Prof & Server to SP4. Cannot change AD. *
* XP Home & Prof: up to SP2 *
* Win 2003 Server (cannot change AD passwords) *
* Vista 32 and 64 bit *
* *
* HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ... *

There are several steps to go through:
- Disk select with optional loading of disk drivers
- PATH select, where are the Windows systems files stored
- File-select, what parts of registry we need
- Then finally the password change or registry edit itself
- If changes were made, write them back to disk

DON'T PANIC! Usually the defaults are OK, just press enter
all the way through the questions

¤ Step ONE: Select disk where the Windows installation is

Disk /dev/sda: 42.9 GB, 42949672960 bytes

Candidate Windows partitions found:
1 : /dev/sda1 40958MB BOOT

Being that in my example it found only one partition just select 1.

Please select partition by number or
q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy / usb
a = show all partitions found
l = show propbable Windows (NTFS) partitions only
Select: [1]

On the menu above you will just select 1 or the number corresponding to the partition that contains your windows installation. The other items on the menu are outside the scope of this tutorial. Try them at your own risk. You can find more information on how to use them here

Selected 1

Mounting from /dev/sda1, with filesystem type NTFS

NTFS volume version 3.1.

It was an NTFS filesystem, and it mounted successfully.

¤ Step TWO: Select PATH and registry files
What is the path to the registry directory? (relative to windows disk)
[WINDOWS/system32/config] :

The registry is usually located in C:WINDOWSsystem32/config or C:WINNTsystem32/config (note that this may be changed during the installation of Windows). However, this should not worry you if the correct partition is selected. If this is the case then the default prompt will be adjusted to match if it can find one of the usual variants. Just accept the defaults and a filtered directory listing showing most of the interesting registry files.

-rw------- 2 0 0 262144 Feb 28 2007 BCD-Template
-rw------- 2 0 0 6815744 Sep 23 12:33 COMPONENTS
-rw------- 1 0 0 262144 Sep 23 12:33 DEFAULT
drwx------ 1 0 0 0 Nov 2 2006 Journal
drwx------ 1 0 0 8192 Sep 23 12:33 RegBack
-rw------- 1 0 0 524288 Sep 23 12:33 SAM
-rw------- 1 0 0 262144 Sep 23 12:33 SECURITY
-rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE
-rw------- 1 0 0 9175040 Sep 23 12:33 SYSTEM
drwx------ 1 0 0 4096 Nov 2 2006 TxR
drwx------ 1 0 0 4096 Feb 27 2007 systemprofile

Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

Don’t get into too much information just select choice 1 for password edit. But if you so desire you can load one of the registry files and do a manual edit on them. Please don’t try to manually edit registry files unless you know what you are doing. In case you refuse to heed my warning and proceed to manually edit these registry files it will be at your own risk.

If you choose 1 for password edit some files will be copied to memory and edit application will be launched to help you make the changes.

Selected files: sam system security
Copying sam system security to /tmp

¤ Step THREE: Password or registry edit
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x44000 is not 'hbin', assuming file contains garbage at end
File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.

Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c
Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.

Hive name (from header):
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x6000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0

======== chntpw Main Interactive Menu ========

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] ->

The demo above shows selection 1 for password edit, but you can also do other things. Please do not try to do the other things unless you know what you are doing. In this tutorial I will only guide you through the steps to recover your password. Any other sections that are available on the menu and do not concern password recovery will not be mentioned.

Now we proceed to changing our “admin” users password..

===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin | ADMIN | |
| 01f4 | Administrator | ADMIN | dis/lock |
| 01f5 | Guest | | dis/lock |

The information above is a list of all local users on the machine. You may see more users here than in the overly user-friendly control panel, for example XP has some help and support built in users.

The users marked “ADMIN” are members of the administrators group, which means they have admin rights, if you can login to one of them you can get control of the machine.

The built in (at install time in all windows versions) administrator is always RID 01f4. This example is from Vista, and Vista by default has this locked down (the installer instead asks and makes another user the regular use administrator, in this case RID 03e8)

The “lock?” column show if the user account is disabled or locked out (due to many logon attempts for example) or BLANK if the password seems to be blank.

We select to edit the “admin” user (this was the user made administrator by the Vista installer)

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] admin

Once you have selected the user you want to change its password the following menu will pop up asking you what you want to do:

- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Select 1 to clear/reset/blank the password as indicated in the demo above.

Select: ! - quit, . - list users, 0x - User with RID (hex)
or simply enter the username to change: [Administrator] !

The exclamation point ! quits out (it’s SHIFT 1 on the US keyboard layout used on the boot CD)

Then we get back to the main menu, and select to quit..

======== chntpw Main Interactive Menu ========

Loaded hives:

1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

Hives that have changed:
# Name
0 - OK

¤ Step FOUR: Writing back changes
About to write file(s) back! Do it? [n] : y

At this point you have made changes to your Windows installation and must agree in order for the changes to be saved. If you do not agree and answer N your changes will not be saved. This is a good point to go back in case you made some errors and edited the wrong part. Please note this the last chance in case you change your mind!

Writing sam

Only changed files of the registry are actually written back. If you forgot something, you may run again, else press CTRL-ALT-DEL to reboot and boot you computer as you would normally.

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong
New run? [n] : n

* end of scripts.. returning to the shell..
* Press CTRL-ALT-DEL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/'

SNETTSCOM is an IT company. We excel at providing solutions in systems integration, consultancy, outsourcing, applications development, networking and security. Aside from this, SNETTSCOM also specializes in creative design and marketing.