
Offline NT Password & Registry Editor, Bootdisk / CD

Note July 2005: I have problems catching up with my mail for the last 2-3 months, and will probably
have more problems for a few months more. You may get a late response, or no response at all if you
mail me. Sorry!
I've put together a single floppy or CD which contains things needed to edit the passwords on most
systems.
The bootdisk supports standard (dual) IDE controllers (built in), a lot of SATA controllers, and most
SCSI controllers with the drivers supplied in a separate archive below. PS/2 or USB keyboards are
supported (mouse not required). It does not need any other special hardware; it will run on a 486
or higher, with at least 32MB (I think) RAM or more. Unsupported hardware: MCA, EISA, i2o may not
work.
Tested on: NT 3.51, NT 4 (all versions and SP), Windows 2000 (all versions), Windows XP (all
versions, also SP2), Windows Server 2003 (at least Enterprise).
DANGER WILL ROBINSON!
If used on users that have EFS encrypted files, and the system is XP, all encrypted files for that
user will be UNREADABLE! and cannot be recovered unless you remember the old password
again. If you don't know if you have encrypted files or not, you most likely don't have them (except
maybe on corporate systems).
Please see the Frequently Asked Questions and the version history below before emailing questions
to me. Thanks!
Also take a look at Grenier's DOS port
How to fix it if you lost your admin password for your ActiveDirectory. Thanks to John Simpson.
Other ways to recover lost password etc at MCSE World

How to use?
Yes, long text. Please read it all and the FAQ before mailing me questions

If you have the CD, all drivers are included. If you use the floppy and need the SCSI driver set,
either prepare a floppy with the scsi-drivers .zip file unzipped (in \scsi), or put a selection of the drivers
you need in the \scsi folder on the main floppy; there should be enough space for maybe a couple of
drivers. In the latter case you don't need to carry around and swap floppies.

Overview
1 Disk select, tell which disk contains the Windows system. Optionally you will have to load
drivers.
2 PATH select, where on the disk is the system?
3 File select, which parts of registry to load, based on what you want to do.
4 Password reset or other registry edit.
5 Write back to disk (you will be asked)
DON'T PANIC!! - Most questions can usually be answered with the default answer which is
given in [brackets]. Just press enter/return to accept the default answer.

1. DISK SELECT
Which disk contains your Windows system?
=========================================================
. Step ONE: Select disk where the Windows installation is
=========================================================
Disks:
Disk /dev/ide/host0/bus0/target0/lun0/disc: 2147 MB, 2147483648 bytes
NT partitions found:
1 : /dev/ide/host0/bus0/target0/lun0/part1 2043MB Boot

Please select partition by number or


a = show all partitions, d = automatically load new disk drivers
m = manually load new disk drivers
l = relist NTFS/FAT partitions, q = quit
Select: [1]

• For most machines only one disk and partition is listed; if so, just go with selection 1 (default).
• Otherwise select the partition.
• If no disks or not all disks are shown, you may need to load disk drivers, for SCSI-controllers
(or some IDE-raid controllers). Select d to go to the driver select menu for auto-probe (based
on what's found on the PCI bus).
• If auto-probe won't work, you may have to load something manually; select m to do that (like
the old system).

2. HOW TO MANUALLY LOAD DRIVERS


Try auto-probe (d) first, only do this if you have to manually try to load some or all drivers.
Select: [1] m
==== DISK DRIVER / SCSI DRIVER select ====
You may now insert or swap to the SCSI-drivers floppy
Press enter when done:
Found 1 floppy drives
Found only one floppy, using it..
Selected floppy #0
Mounting it..
Floppy selection done..
SCSI-drivers found on floppy:

1 BusLogic.o.gz
2 aic7xxx.o.gz
3 sym53c8xx.o.gz
[ ... ]

SCSI driver selection:


a - autoprobe for the driver (try all)
s - swap driver floppy
q - do not load more drivers
or enter the number of the desired driver

SCSI driver select: [q]


• Select a for auto-probe; it will try to load all drivers, and stop when one loads properly. Some
drivers may need more driver modules, so you may have to redo the auto-probe several times.
• Or if you know what you want, just enter its number or name.
SCSI driver select: [q] a
[ BusLogic.o.gz ]
Using /tmp/scsi/BusLogic.o
PCI: Found IRQ 11 for device 00:10.0

[.... lots of driver / card info ...]

scsi0: *** BusLogic BT-958 Initialized Successfully ***


scsi0 : BusLogic BT-958
Vendor: FooInc Model: MegaDiskFoo Rev: 1.0
Type: Direct-Access ANSI SCSI revision: 02

[ ... ]

Attached scsi disk sda at scsi0, channel 0, id 0, lun 0


SCSI device sda: 8388608 512-byte hdwr sectors (4295 MB)
Partition check:
/dev/scsi/host0/bus0/target0/lun0: p1
Driver BusLogic.o.gz loaded and initialized.

• You may then quit the selection with q or try for more drivers.
• When you quit, you will get back to the disk select (see above) and hopefully see more disks.

3. PATH AND FILE SELECT


Where's the Windows system located?
On the selected partition/disk, the main files for windows can theoretically be anywhere. And we must
find the registry files to be able to edit them. There are however some usual places:
• winnt35/system32/config - Windows NT 3.51
• winnt/system32/config - Windows NT 4 and Windows 2000
• windows/system32/config - Windows XP/2003 and often Windows 2000 upgraded from
Windows 98 or earlier.
These usual paths will be checked, and if found, they will be suggested as the default.
Selected 1
Mounting on /dev/ide/host0/bus0/target0/lun0/part1
NTFS volume version 3.1.
Filesystem is: NTFS

=========================================================
. Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[windows/system32/config] :
-r-------- 1 0 0 262144 Jan 12 18:01 SAM
-r-------- 1 0 0 262144 Jan 12 18:01 SECURITY
-r-------- 1 0 0 262144 Jan 12 18:01 default
-r-------- 1 0 0 8912896 Jan 12 18:01 software
-r-------- 1 0 0 2359296 Jan 12 18:01 system
dr-x------ 1 0 0 4096 Sep 8 11:37 systemprofile
-r-------- 1 0 0 262144 Sep 8 11:53 userdiff
Select which part of registry to load, use predefined choices
or list the files with space as delimiter
1 - Password reset [sam system security]
2 - RecoveryConsole parameters [software]
q - quit - return to previous
[1] :

• If the directory is correct, something like the above will be listed (it may vary a bit..)
• You may then choose some canned answers based on what you want to do.
• Password reset is the default, and most used.
• Option 2, RecoveryConsole is for setting 2 parameters that the Windows 2000 and newer
RecoveryConsole (boot from CD, select Recovery and console mode) uses. One of the
parameters allows RecoveryConsole to be run without it prompting for the admin password. If
you do not know what RecoveryConsole is, don't bother. Or go search the net..
• Or if you want to do manual edit of registry, select your hives to load. Enter all names on one
line with space between.
We select 1 to edit passwords..

4. PASSWORD RESET
Everything is set and ready, let's roll!
=========================================================
. Step THREE: Password or registry edit
=========================================================
chntpw version 0.99.2 040105, (c) Petter N Hagen

[.. some file info here ..]

* SAM policy limits:


Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <sam> <system> <security>

1 - Edit user data and passwords


2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> 1

===== chntpw Edit User Info & Passwords ====

RID: 01f4, Username: <Administrator>


RID: 01f5, Username: <Guest>, *disabled or locked*
RID: 03e8, Username: <HelpAssistant>, *disabled or locked*
RID: 03eb, Username: <pnh>, *disabled or locked*
RID: 03ea, Username: <SUPPORT_388945a0>, *disabled or locked*

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)


or simply enter the username to change: [Administrator]
Here you can enter the username you want to reset the password for. NOTE: It is case-sensitive, write it
exactly as listed (without the < and > of course).
Or if the name uses some characters that cannot be displayed, enter its ID number (RID), like this:
0x1f4 would select administrator.
We select the default, which is administrator.
RID : 0500 [01f4]
Username: Administrator
fullname:
comment : Built-in account for administering the computer/domain
homedir :

Account bits: 0x0210 =


[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is: 0


Total login count: 3

* = blank the password (This may work better than setting a new password!)
Enter nothing to leave it unchanged
Please enter new password: *

Some information is displayed. Also, if the account is locked, you will be asked if you wish to unlock it
(not shown here).
We go for the blank password option (*) WHICH IS HIGHLY RECOMMENDED over setting a
new one.
Please enter new password: *
Blanking password!

Do you really wish to change it? (y/n) [n] y


Changed!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

! brings us back to the main menu here.


<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <sam> <system> <security>

1 - Edit user data and passwords


2 - Syskey status & change
3 - RecoveryConsole settings
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)

What to do? [1] -> q


5. WRITING OUT THE CHANGES
Everything has been done, time to commit the changes.
Hives that have changed:
# Name
0 - OK

=========================================================
. Step FOUR: Writing back changes
=========================================================
About to write file(s) back! Do it? [n] : y

THIS IS YOUR LAST CHANCE! If you answer y here there will be a write to disk!
Writing sam

NOTE: A disk fixup will now be done.. it may take some time

Mounting volume... OK

Processing of $MFT and $MFTMirr completed successfully.

NTFS volume version is 3.1.

Setting required flags on partition... OK

Going to empty the journal ($LogFile)... OK

NTFS partition /dev/ide/host0/bus0/target0/lun0/part1 was processed successfully.


NOTE: Windows will run a diskcheck (chkdsk) on next boot.
NOTE: this is to ensure disk intergity after the changes

***** EDIT COMPLETE *****

You can try again if it somehow failed, or you selected wrong


New run? [n] : n

That was all. The disk fixup is only run on NTFS filesystems, and will force chkdsk next time windows
boots.
Please answer n here and then reboot, CTRL-ALT-DEL. Remember to remove the floppy or CD.

What can go wrong?


Lots of things can go wrong, but most faults won't damage your system.
The most critical moment is when writing back the registry files to NTFS. Sometimes it emits errors,
even if the new data in fact has been written. The most common problem seen during 2004 is that it
does not change the password, or even messes it up so it is impossible to log in with that user. This
does not happen often, however. Unfortunately, I haven't found the exact cause yet.
Also, see the FAQ for help with common problems.
For linux-knowledged people, you may do things manually if the scripts fail, you have shells on tty1-
tty4 (ALT F1 - ALT F4).
Bootdisk history
2005-03-03
• New CD release (sorry, when yet again rewiring the driver stuff, I did not have time to make
floppy stuff work)
• Contains disk driver updates (SATA maybe more working now)?
• New driver auto-probe and load. Better now?
• NTFS updates, writes should be more safe, I hope, working more often.
• No changes to the password routines themselves.
2005-03-03
• Driver update only, with a few fixes to the autoprobe, too.
• Some popular drivers like aacraid, megaraid and some SATA-drivers were problematic or
missing, now hopefully here.
• Note that most SATA-drivers also need the libata.ko.gz file, autoprobe loads it if needed.
• The driver archive is too big to include all drivers on a floppy, so remove some you're sure you
don't need. Remember to always keep pcitable.gz and moddep.gz if you want autoprobe to
work.
• The CD of course includes all drivers.
• The manual try-all-drivers load is buggy, and won't try to load all drivers, it will stop after each
that has not been tried before. But specifying a single driver directly still works.
• No changes to password edit routines
2004-12-05
• NEW! BETTER! driver probe system! It now uses PCI info to find drivers to load. Select 'd'
from the disk menu if needed, and it should do its job automatically.
• This should make SATA and other drivers which require multiple driver modules load
correctly! Sorry about the mess earlier.
• PCI-to-driver mapping database and some tools by Mandrakesoft. Thanks!
• NOTE: The disk drivers archive (sc041205.zip) has now grown too large to unzip to a single
floppy, so just leave out things you don't need. Read more about this at the bottom of the page.
• All drivers are of course included on the CD as earlier.
2004-08-18
• Fixed some critical bugs when doing registry edit (key/value add/del/expand), see main
page for more details
• More drivers: Some SATA drivers, hope they work.
• More drivers: Hopefully more up to date scsi/raid-drivers.
• NOTE: You may have to load more than one driver to get your disks to work, just repeat
autoprobe until it can't load more drivers.
• There MAY now be (some) support for Windows Dynamic Disks, but I have NOT tested it.
Reports welcome, but I probably can not help each of you individually.
• Keyboard was reported not working on some laptops, hopefully OK now.
• USB keyboard works? I don't have anything to test with.
• No special changes to the basic password edit stuff.
• Some more commands in registry editor, + better support for large registries. See main page.
9. aug 2004: (version 040116 and earlier) Some rather serious bugs have been discovered in the
allocation routines, which are used when adding or deleting values or keys in the registry editor.
In best case, they leak space, in worst case, it may corrupt the file.
NOTE: This does not generally affect password changing, since password reset just overwrites a
few bytes in place, it does not reallocate space.
SUMMARY: Password edit OK. Regedit may not be. Fixed in newer versions.
040219:
Sorry, but the 040116 version seems to have a problem with keyboard on some laptops (keyboard does
not work). I do not have a fix for it yet.
040114:
• Completely NEW system on the floppy/CD. New menus, and walkthrough. Also new docs, see
above :)
• Support for setting the entry that makes RecoveryConsole skip prompt for admin password has
been added.
• And since the new floppy stuff is just that, new, there may be glitches. Please tell me if there is
anything serious! Thanks!
• For the linux techies, floppy now uses uClibc (reduced size libc) and BusyBox binaries
properly, and also devfs which gives more logical and dynamic device paths (makes it easier to
see what has been found). Some of the floppy design/build has been ripped from floppyfw by
Thomasez.
(earlier history removed)
9705xx
• First public release.

Download
Note: Some links may be offsite.

• cd060213.zip (~3MB) - Bootable CD image, with newer drivers. (md5sum:
ca9393cd64d41b8953d2066c496a1d10)
• bd050303.zip (~1.1MB) - Bootdisk image, date 050303 (md5sum:
4c85bc15286e69f9fd347e07711636eb)
• sc050303.zip (~1.4MB) - SCSI-drivers (050303) (only use newest drivers with newest bootdisk,
this one works with bd050303) (md5sum: 745a1889b6580bc8f1bfb565e73666d3)
• cd050303.zip (~3MB) - Bootable CD image with same version and drivers as floppies above.
(md5sum: 0990b34b2c158666de26efc0db6edf18)
Previous version is 041205 or 041217 and may sometimes be found here (also my site)
Mirror(s), in case you have problems getting the files from here.
I cannot guarantee that they are updated or that they haven't changed anything!
• ListSoft's mirror
NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be
ILLEGAL to RE-EXPORT it from your country.
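Added example (not part of the original page or the author's tools): a shell sketch that checks downloaded archives against the md5sums listed above before anything is written to floppy or CD, which matters most when a file came from a mirror. It assumes md5sum and awk are available; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: verify downloads against the md5sums published in the
# Download list on this page. The hash/filename pairs are copied from that list.
# md5 is the only digest the page publishes; it catches corrupted or
# altered downloads.
MANIFEST='ca9393cd64d41b8953d2066c496a1d10  cd060213.zip
4c85bc15286e69f9fd347e07711636eb  bd050303.zip
745a1889b6580bc8f1bfb565e73666d3  sc050303.zip
0990b34b2c158666de26efc0db6edf18  cd050303.zip'

# expected_md5 NAME (hypothetical helper)
# Prints the listed hash for NAME; returns 1 if NAME is not in the list.
expected_md5() {
    printf '%s\n' "$MANIFEST" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_download PATH (hypothetical helper)
# Returns 0 = hash matches, 1 = mismatch, 2 = file missing, 3 = not listed.
verify_download() {
    file=$1
    name=$(basename "$file")
    want=$(expected_md5 "$name") || { echo "UNLISTED  $name"; return 3; }
    [ -f "$file" ] || { echo "MISSING   $name"; return 2; }
    got=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK        $name"
        return 0
    fi
    echo "MISMATCH  $name (got $got, listed $want)"
    return 1
}

# verify_all DIR (hypothetical helper)
# Checks every listed archive that is present in DIR.
# Returns 0 only if at least one was found and none mismatched.
verify_all() {
    dir=$1
    bad=0
    seen=0
    for name in $(printf '%s\n' "$MANIFEST" | awk '{ print $2 }'); do
        [ -f "$dir/$name" ] || continue
        seen=$((seen + 1))
        verify_download "$dir/$name" || bad=$((bad + 1))
    done
    [ "$seen" -gt 0 ] || { echo "no listed archives found in $dir"; return 2; }
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh verify.sh /path/to/downloads
if [ "$#" -gt 0 ]; then
    verify_all "$1"
fi
```

Only unzip an archive and write its image to floppy or CD after it reports OK.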
How to make the floppy
The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file
cannot simply be copied to the floppy. Special tools must be used to write it block by block.
• Unzip the bd zip file to a folder of your choice.
• There should be 3 files: bdxxxxxx.bin (the floppy image) and rawrite2.exe (the image writing
program), and install.bat which uses rawrite2 to write the .bin file to floppy.
• Insert a floppy in drive A: NOTE: It will lose all previous data!
• Run (doubleclick) install.bat and follow the on-screen instructions.
• Thanks to Christopher Geoghegan for the install.bat file (some of it ripped from memtest86
however)
Or from unix:
dd if=bd??????.bin of=/dev/fd0 bs=18k

How to make and use the drivers floppy


NOTE: Not all files will fit on a floppy, so leave out what you think you do not need!
• Format (or delete all contents) on a floppy
• Unzip the drivers you think you may need to it
• Files with names ending in .ko.gz should end up in a directory called scsi
• Be sure to also include the files moddep.gz and pcitable.gz, they are the dependency list,
and pci mappings.
• To use, at the disk select menu, select 'd' to auto-load, and you will be asked to swap to the
drivers floppy when needed.

How to make the CD


Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever
burner program you like, most support writing ISO-images. Often double-clicking on it in explorer will
pop up the program offering to write the image to CD. Once written the CD should only contain some
files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't
burn the image but instead added the file to a CD. I cannot help with this, please consult your
CD-software manual or friends.
The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will
auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or
F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.

Bootdisk credits and license


Most of the stuff on the bootdisk is either GPL, BSD or similar license, you can basically do whatever
you want with all of it, the sourcecode and licenses can be found at their sites, I did not change/patch
anything.
However, the chntpw binary is (c) 2004 Petter N Hagen, and is restricted somewhat, see COPYING.txt
Thus distribution of the floppy image is restricted by this if it contains that binary.
Stuff I used, big thanks:
• Linux kernel
• NTFS for linux project
• BusyBox - Lots of commands in one binary :)
• uClibc - A reduced size / embedded libc.
• Some bootdisk ideas and layout from floppyfw thanks to ThomasEZ for that (and his great
firewall..)
How to use
1. Insert floppy or CD.

2. Let the machine boot from the floppy or CD. You may need to change boot sequence from
BIOS

3. You'll see
****************************************************************
* This utility will enable you to change the password of almost
* any user (incl. administrator) on an Windows NT/2k/XP installation
* WITHOUT knowing the old password.
*
* The program is now able to actually parse/follow the internal
* registry structure completely.
* There is now support for adding and deleting keys and values.
* Tested on: NT3.51 & NT4: Workstation, Server, PDC.
* Win2k Prof & Server to SP3. Cannot change AD.
* XP Home & Prof: up to SP1
* Now also works with syskey, read warnings if applicable.
*
* You may either let the scripts try to figure out your configuration,
* or you may do it manually from the shell prompts.
*
* Good luck!

Press return/enter to continue Enter
* In /etc/main.rc....
Calling scsi.rc to probe for SCSI controllers
Mounting floppy to fetch drivers from /scsi on it
SCSI-drivers found on floppy:

BusLogic.o.gz aic7xxx.o.gz

Do you have your NT disks on a SCSI controller?
 y - this will autoprobe for the driver
 n - no, skip SCSI, I have IDE drives
 or give the scsi-driver modules name (without the .o or .gz)
 + optional parameters to go directly for a known driver

Probe for SCSI-drivers: [n]Enter

Calling part.rc to select partition
Partitions found on the disk(s):
 Device Boot Start End Blocks Id System
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS

Probable NT partitions:
/dev/hda1 * 1 1859 14932386 7 HPFS/NTFS
Wnat partition contains your NT installation?
[/dev/hda1] : Enter
FAT: Did not find valid FSINFO signature.
Found signature1 0x66024a1e signature2 0xc88b6602 sector=4.
VFS: Can't find a valid FAT filesystem on dev 03:01.
mount: wrong fs type, bad option, bad superblock on /deb/hda1,
 or too many mounted fil systems
/dev/hda1 is NTFS.
Trying to mount as readwrite on /mnt
NTFS volume version 3.0.
Success. Mounted NTFS /deb/hda1 on /mnt
Calling path.rc. to select path
What is the full path to the registry directory?
[winnt/system32/config] : Enter
-rw------- 1 0 0 65536 Jan 15 09:00 AppEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 default
-rw------- 1 0 0 65536 Jan 15 09:00 default.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 default.sav
-rw------- 1 0 0 65536 Jan 15 09:00 netlogon.ftl
-rw------- 1 0 0 65536 Jan 15 09:00 SAM
-rw------- 1 0 0 65536 Jan 15 09:00 SAM.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 SecEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 SECURITY
-rw------- 1 0 0 65536 Jan 15 09:00 SECURITY.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 software
-rw------- 1 0 0 65536 Jan 15 09:00 software.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 software.sav
-rw------- 1 0 0 65536 Jan 15 09:00 SysEvent.Evt
-rw------- 1 0 0 65536 Jan 15 09:00 system.sav
-rw------- 1 0 0 65536 Jan 15 09:00 TempLey.LOG
-rw------- 1 0 0 65536 Jan 15 09:00 userdiff
-rw------- 1 0 0 65536 Jan 15 09:00 userdiff.LOG
Which hives (files) do you want to edit (leave default for
password setting, separate multiple names with spaces)
[sam system security] : Enter
Copying sam system security to /tmp

Now running chntpw
chntpw version 0.99.0 030112, (c) Petter N Hagen
Hive's name (from header) (\SystemRoot\System32\Config\Sam)
ROOT KEY at offset: 0x001020

File size 32768 [8000] bytes, containing 7 pages (+ 1 headerpage)
Used, for data: 319/26472 blocks/bytes, unused: 6/1976 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 2555904 [270000] bytes, containing 584 pages (+ 1 headerpage)
Used, for data: 44209/2524072 blocks/bytes, unused: 19/9048 blocks/bytes.
Hive's name (from header): (SYSTEM)
ROOT KEY at offset: 0x001020

File size 49152 [c000] bytes, containing 11 pages (+ 1 headerpage)
Used, for data: 859/42568 blocks/bytes, unused: 5/2136 blocks/bytes.
Hello, this is SAM!
Failed logins before lockout is : 0
Minimum password length : 0
Password history count : 0

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
 1 - Edit user data and passwords
 2 - Syskey status & change
 - - -
 9 - Registry editor, now with full write support!
 q - Quit (you will be asked if there is something to save)

What to do? [1] -> Enter

==== chntpw Edit User Info & Passwords ====

RID: 03f2, Username: (ACTUser)
RID: 03f2, Username: (Administrator)
RID: 03f2, Username: (ASPNET)
RID: 03f2, Username: (Guest), disabled or locked*
RID: 03f2, Username: (IUSR_HOGE-SRV)
RID: 03f2, Username: (IWAM_HOGE-SRV)
RID: 03f2, Username: (SQLDebugger)
RID: 03f2, Username: (hoge)
RID: 03f2, Username: (VUSER_HOGE-SRV)
RID: 03f2, Username: (VUSER_HOGE-SRV1)

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simple enter the username to change: [Administrator] Enter
RID : 032f
Username: Administrator
fullname:
comment :
homedir :

Account bits: 0x0215 =
[ ] Disabled | [ ] Homedir req. | [ ] passwd not req. |
[ ] Temp. duplicate | [X] Normail account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |

Failed login count: 0, while max tries is : 0
Total login.count: 7
Account is disabled
Crypted NT pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Crypted LM pw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
MD4 hash : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
LANMAN hash : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

* = blank the password (EXPERIMENTAL! but may fix problems)
Enter nothing to leave it unchanged
Please enter new password: *
Blanking password. This may actually fix things if previous password-preset
did not work. Or it may even make things worse. Happy joy!

Do you really wish to change it? (y/n) [n] y

Select: ! - quit, . - list users, 0x(RID) - User with RID (hex)
or simple enter the username to change: [Administrator] !

()========() chntpw Main Interactive Menu ()========()
Loaded hives: (sam) (system) (security)
 1 - Edit user data and passwords
 2 - Syskey status & change
 - - -
 9 - Registry editor, now with full write support!
 q - Quit (you will be asked if there is something to save)

What to do? [1] -> q

Hives that have changed:
 # Name
 0 (sam)
Write hive files? (y/n) [n] : y
Calling write.rc to select write back sam file
About to write file(s) back! Do it? [n] y
Writing sam
* end of scripts.. returning to the shell..
* Press CTRL-ALT-DELL to reboot now (remove floppy first)
* or do whatever you want from the shell..
* However, if you mount something, remember to umount before reboot
* You may also restart the script procedure with 'sh /scripts/main.rc'
#

4. Remove the floppy and restart. Now you can log in without password (or whatever you set)
