Removing Windows Passwords

This removes the password from a local Windows account by editing the SAM hive offline. We are assuming the Windows (C:\) partition is sda1 in this case; verify that with lsblk before touching anything, because on UEFI/GPT installs sda1 is usually the small EFI system partition and the Windows volume is a later, much larger NTFS partition (sda3 or nvme0n1p3, for example). This only works on an unencrypted volume: if C:\ is BitLocker-protected there is no readable SAM for chntpw to edit.

We are using the chntpw package; install it if you do not have it. My custom Kali ISOs always have this.

These first commands clear the NTFS dirty flag (ntfsfix) and mount the partition read-write. If mount refuses because Windows is hibernated, Fast Startup left the volume in that state: boot back into Windows and do a full shutdown rather than forcing the mount, or the change may be lost or corrupt the volume. Once you are in the config dir the fun begins.

ntfsfix /dev/sda1
mount /dev/sda1 /mnt
cd /mnt/Windows/System32/config
┌[local][groot@kali][/mnt/Windows/System32/config]
┕ chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 340/32880 blocks/bytes, unused: 22/11952 blocks/bytes.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f5 | AccountGuestRenamed            |        | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f4 | Rinzler                        | ADMIN  | dis/lock |

Now you see the RID and username of every local account. Target your user by this name. Note that here Rinzler is RID 01f4 (500), i.e. the renamed built-in Administrator, and that the listing flags it dis/lock, which matters for the next step.

┌[local][groot@kali][/mnt/Windows/System32/config]
┕ chntpw -u Rinzler SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 340/32880 blocks/bytes, unused: 22/11952 blocks/bytes.

================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Rinzler
fullname: 
comment : Built-in account for administering the computer/domain
homedir : 

00000220 = Administrators (which has 7 members)

Account bits: 0x0211 =
[X] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. | 
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     | 
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   | 
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  | 
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  | 

Failed login count: 0, while max tries is: 3
Total  login count: 0

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select

Now you are presented with a menu. Choose 1 to blank the password, then choose 2 to unlock and enable the account if it is disabled or locked (it is here: the account bits show Disabled, so without step 2 the login would still be refused even with no password). Choose q once done, then y at the "Write hive files?" prompt to write the SAM back. Then cd out of /mnt and umount /mnt so the write is actually flushed to disk, and reboot. You should be able to get into the account by entering no password.
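The whole procedure above wrapped into shell functions, as an added example that is not part of the original post. It parses the `chntpw -l SAM` table to find the user's RID and lock state, and from that decides whether to feed chntpw "1, q, y" or "1, 2, q, y" on stdin instead of typing the menu by hand. The listing embedded below is a constructed copy of the output shown above plus one made-up, not-disabled user (alice) so both branches can be exercised without a mounted Windows volume; the device, mountpoint and username are arguments, never guessed.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Requires root, ntfs-3g (ntfsfix)
# and chntpw for the real run; the parsing functions need only awk.

# Constructed sample of `chntpw -l SAM` output: the three rows mirror the
# listing in the post, the alice row is made up to show an enabled account.
SAMPLE_LISTING='chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f5 | AccountGuestRenamed            |        | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f4 | Rinzler                        | ADMIN  | dis/lock |
| 03e9 | alice                          |        |          |
'

# Candidate Windows volumes: every NTFS partition lsblk knows about.
list_ntfs_partitions() {
    lsblk -rno NAME,FSTYPE | awk '$2 == "ntfs" { print "/dev/" $1 }'
}

# Turn a chntpw -l listing (stdin) into "rid username admin lock" lines.
# Empty Admin?/Lock? cells become "-" so every line keeps four fields.
parse_listing() {
    awk -F'|' '
        /^\| [0-9a-f]+ \|/ {
            rid = $2; name = $3; admin = $4; lock = $5
            gsub(/^ +| +$/, "", rid);   gsub(/^ +| +$/, "", name)
            gsub(/^ +| +$/, "", admin); gsub(/^ +| +$/, "", lock)
            if (admin == "") admin = "-"
            if (lock == "")  lock  = "-"
            print rid, name, admin, lock
        }'
}

# Hex RID of a username from a listing on stdin; fails if absent.
rid_for_user() {  # $1 = username
    parse_listing | awk -v u="$1" '$2 == u { print $1; found = 1 } END { exit !found }'
}

# Keystrokes for `chntpw -u USER SAM`: 1 blanks the password, 2 is added
# only when the listing flags the account dis/lock, then q and y to write.
menu_answers() {  # $1 = username, listing on stdin
    local lock
    lock=$(parse_listing | awk -v u="$1" '$2 == u { print $4 }')
    [ -n "$lock" ] || return 1
    if [ "$lock" = "dis/lock" ]; then
        printf '1\n2\nq\ny\n'
    else
        printf '1\nq\ny\n'
    fi
}

# The real thing: fix the dirty flag, mount, drive chntpw, unmount.
# Run from the Kali live system as root; the device must be the NTFS
# Windows volume you confirmed with lsblk (or list_ntfs_partitions).
blank_windows_password() {  # $1 = /dev/sdXN, $2 = username, $3 = mountpoint (default /mnt)
    local dev=$1 user=$2 mnt=${3:-/mnt} cfg
    cfg="$mnt/Windows/System32/config"
    ntfsfix "$dev" || return 1
    mount "$dev" "$mnt" || return 1          # refuses if Windows is hibernated: shut it down fully first
    (
        cd "$cfg" || exit 1
        chntpw -l SAM | menu_answers "$user" | chntpw -u "$user" SAM
    ) || { umount "$mnt"; return 1; }
    umount "$mnt"                            # flush the rewritten SAM before rebooting
}
```

Usage on the live system: `source` the file, confirm the device with `list_ntfs_partitions` (it prints every NTFS partition, so pick the large one, not a recovery volume), then `blank_windows_password /dev/sda3 Rinzler`. Piping the answers into chntpw is equivalent to typing them at the User Edit Menu; the last `y` answers the "Write hive files?" prompt.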