Removing Windows Passwords
This only blanks the password of a local Windows account by editing the SAM hive offline; it does not recover the old password. It needs raw access to the disk from a boot environment such as Kali, which is exactly what full-disk encryption defeats: a BitLocker-protected volume has to be unlocked before any of this works. We are assuming the OS (C:\) partition is sda1 in this case. Verify that with
We are using the chntpw package; install it if you do not have it. My custom Kali ISOs always have this.
The first commands prepare the volume and mount it. ntfsfix does not "clean" the disk: it repairs basic NTFS inconsistencies and clears the volume's dirty flag so ntfs-3g will mount it read-write. If Windows was hibernated or shut down with Fast Startup enabled, the mount will fail or edits will be lost when Windows resumes from its saved state, so do a full shutdown first. Once you are in the config dir the fun begins.
ntfsfix /dev/sda1
mount /dev/sda1 /mnt
cd /mnt/Windows/System32/config
┌[local][groot@kali][/mnt/Windows/System32/config]
┕ chntpw -l SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 bytes, containing 7 pages (+ 1 headerpage)
Used for data: 340/32880 blocks/bytes, unused: 22/11952 blocks/bytes.

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f5 | AccountGuestRenamed            |        | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f4 | Rinzler                        | ADMIN  | dis/lock |
This lists every local account in the SAM. Pick your target by name, but look at the RID too: 01f4 is decimal 500, the built-in Administrator, which stays RID 500 no matter what it has been renamed to (here "Rinzler"). The Lock? column shows dis/lock for accounts that are disabled or locked out; those will need option 2 below as well as option 1.
┌[local][groot@kali][/mnt/Windows/System32/config]
┕ chntpw -u Rinzler SAM
chntpw version 1.00 140201, (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
File size 65536 bytes, containing 7 pages (+ 1 headerpage)
Used for data: 340/32880 blocks/bytes, unused: 22/11952 blocks/bytes.

================= USER EDIT ====================

RID     : 0500 [01f4]
Username: Rinzler
fullname:
comment : Built-in account for administering the computer/domain
homedir :

00000220 = Administrators (which has 7 members)

Account bits: 0x0211 =
[X] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 3
Total  login count: 0

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Unlock and enable user account [probably locked now]
 3 - Promote user (make user an administrator)
 4 - Add user to a group
 5 - Remove user from a group
 q - Quit editing user, back to user select
Now you are presented with a menu. Choose 1 to blank the password. If the account is disabled or locked out (as here: the Account bits value 0x0211 has the Disabled bit set, and the listing showed dis/lock), also choose 2 to enable and unlock it, or the blank password will be useless. Choose q when done, then y at the "Write hive files?" prompt to write the SAM back. Before rebooting, leave the mount point and unmount cleanly so the hive write is flushed to disk:
cd /
umount /mnt
Reboot and you are done. At the logon screen, enter no password (leave it blank) to get into the account.
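As an added example (not part of the original post, and not chntpw's own code), the helper below parses a `chntpw -l` listing like the one above, flags well-known RIDs so a renamed Administrator still stands out, decodes the Account bits value from the user-edit screen into chntpw's flag names, and derives the menu answers (1, then 2 only when the account is disabled or locked out, then q and y). It goes slightly beyond the page in that it handles any listing, not just this one. The listing is a constructed copy of the one on this page; all function names are mine; and driving chntpw with answers on stdin via printf is an assumption about its input handling that you should confirm on your own system before relying on it.

```python
"""Decode `chntpw -l` output and SAM account flags (added example, not the post's own code)."""
import re
import shlex

# Flag names in the order chntpw 1.00 prints its "Account bits" table:
# bit i of the ACB value corresponds to ACB_FLAGS[i].
ACB_FLAGS = [
    "Disabled", "Homedir req.", "Passwd not req.", "Temp. duplicate",
    "Normal account", "NMS account", "Domain trust ac", "Wks trust act.",
    "Srv trust act", "Pwd don't expir", "Auto lockout", "(unknown 0x08)",
    "(unknown 0x10)", "(unknown 0x20)", "(unknown 0x40)", "(unknown 0x80)",
]
ACB_DISABLED = 0x0001   # menu option 2 clears this ...
ACB_AUTOLOCK = 0x0400   # ... and this

# Well-known local RIDs: these identify built-in accounts even after a rename.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount"}

# Constructed copy of the `chntpw -l SAM` listing shown on this page.
SAMPLE_LISTING = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f5 | AccountGuestRenamed            |        | dis/lock |
| 01f7 | DefaultAccount                 |        | dis/lock |
| 01f4 | Rinzler                        | ADMIN  | dis/lock |
"""

# One account row: | <hex rid> | <name> | [ADMIN] | [dis/lock] |
ROW = re.compile(
    r"^\|\s*([0-9a-f]{4})\s*\|\s*(.*?)\s*\|\s*(ADMIN)?\s*\|\s*(dis/lock)?\s*\|",
    re.IGNORECASE,
)


def parse_listing(text):
    """Return one dict per account row of a `chntpw -l` listing (header rows are skipped)."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rid = int(m.group(1), 16)
        users.append({
            "rid": rid,
            "name": m.group(2),
            "admin": m.group(3) is not None,
            "dis_or_locked": m.group(4) is not None,
            "well_known": WELL_KNOWN_RIDS.get(rid),  # None for ordinary accounts
        })
    return users


def decode_acb(bits):
    """Names of the flags set in a SAM account-control value, e.g. 0x0211."""
    return [name for i, name in enumerate(ACB_FLAGS) if bits & (1 << i)]


def chntpw_answers(acb_bits):
    """Menu keystrokes for `chntpw -u`: blank the password, unlock if needed, quit, write."""
    keys = ["1"]
    if acb_bits & (ACB_DISABLED | ACB_AUTOLOCK):
        keys.append("2")
    keys += ["q", "y"]
    return "\n".join(keys) + "\n"


def blank_password_command(username, acb_bits, sam_path="SAM"):
    """Shell pipeline to run from the mounted config directory.

    Assumption (not verified by this page): chntpw reads its menu answers from stdin,
    so printf can feed them. Returns the command as a string; nothing is executed here.
    """
    answers = chntpw_answers(acb_bits).replace("\n", "\\n")
    return (f"printf {shlex.quote(answers)} | "
            f"chntpw -u {shlex.quote(username)} {shlex.quote(sam_path)}")


if __name__ == "__main__":
    for u in parse_listing(SAMPLE_LISTING):
        print(f"RID {u['rid']:>4} {u['name']:<24} admin={u['admin']!s:<5} "
              f"dis/lock={u['dis_or_locked']!s:<5} {u['well_known'] or ''}")
    print("Account bits 0x0211 =", ", ".join(decode_acb(0x0211)))
    print(blank_password_command("Rinzler", 0x0211))
```

Running it shows "Rinzler" tagged as RID 500 Administrator, decodes 0x0211 to Disabled, Normal account and Pwd don't expir, and prints `printf '1\n2\nq\ny\n' | chntpw -u Rinzler SAM`, which is the exact answer sequence the steps above walk through by hand.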