Chntpw (also known as Offline NT Password & Registry Editor) is a small Windows password removal utility.
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
-h          This message
-u <user>   Username to change, Administrator is default
-l          list all users in SAM file
-i          Interactive. List users (as -l) then ask for username to change
-e          Registry editor. Now with full write support!
-d          Enter buffer debugger instead (hex editor),
-v          Be a little more verbose (for debuging)
-L          For scripts, write names of changed files to /tmp/changed
-N          No allocation mode. Only same length overwrites possible (very safe mode)
-E          No expand mode, do not expand hive file (safe mode)
Clearing a Windows password:
First mount the Windows partition in Linux. We have already done that, so we only need to change into the directory that holds the registry hives:
cyborg@cyborg:~$ cd /mnt/ntfs/Windows/System32/config/
Edit the SAM file:
cyborg@cyborg:/mnt/ntfs/Windows/System32/config$ chntpw -i SAM
chntpw version 0.99.6 110511 , (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144  bytes, containing 7 pages (+ 1 headerpage)
Used for data: 248/52368 blocks/bytes, unused: 13/41616 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count         : 0

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do?  -> 1

===== chntpw Edit User Info & Passwords ====

| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | ztrela1                        | ADMIN  |          |

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] ztrela1

RID     : 1000 [03e8]
Username: ztrela1
fullname:
comment :
homedir :

User is member of 1 groups:
00000220 = Administrators (which has 2 members)

Account bits: 0x0214 =
[ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 0
Total login count: 60

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Select: ! - quit, . - list users, 0x<RID> - User with RID (hex)
or simply enter the username to change: [Administrator] !

<>========<> chntpw Main Interactive Menu <>========<>

Loaded hives: <SAM>

  1 - Edit user data and passwords
      - - -
  9 - Registry editor, now with full write support!
  q - Quit (you will be asked if there is something to save)

What to do?  -> q

Hives that have changed:
 # Name
 0 <SAM>
Write hive files? (y/n) [n] : y
 0 <SAM> - OK
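
As an added example (not part of the original page and not chntpw's own code), the Python below parses the user table and the "Account bits" value from a saved copy of the session above and reports what the flags mean for the account that was edited. It assumes the standard SAM ACB bit values, which the page does not print; the function names and the SAMPLE text are constructed for illustration.

```python
import re

# Standard SAM ACB bit values (assumed; the page prints only the names),
# listed in the same order as chntpw's checkbox grid.
ACB_FLAGS = [
    (0x0001, "Disabled"), (0x0002, "Homedir req."), (0x0004, "Passwd not req."),
    (0x0008, "Temp. duplicate"), (0x0010, "Normal account"), (0x0020, "NMS account"),
    (0x0040, "Domain trust ac"), (0x0080, "Wks trust act."), (0x0100, "Srv trust act"),
    (0x0200, "Pwd don't expir"), (0x0400, "Auto lockout"),
]

# Constructed sample: lines taken from the session shown above.
SAMPLE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 01f5 | Guest                          |        | dis/lock |
| 03e8 | ztrela1                        | ADMIN  |          |
RID     : 1000 [03e8]
Username: ztrela1
Account bits: 0x0214 =
"""

# One table row: RID (hex), username, Admin? column, Lock? column.
ROW = re.compile(r"^\| ([0-9a-f]{4}) \| (.+?) *\| (.*?) *\| (.*?) *\|$", re.M)

def decode_acb(bits):
    """Return the names of the flags set in an 'Account bits' value."""
    return [name for mask, name in ACB_FLAGS if bits & mask]

def parse_users(text):
    """Map username -> RID, admin and disabled/locked state from the user table."""
    return {name: {"rid": int(rid, 16), "admin": admin == "ADMIN",
                   "dis_or_locked": lock == "dis/lock"}
            for rid, name, admin, lock in ROW.findall(text)}

def audit(text):
    """Report what the selected account's flags imply for follow-up hardening."""
    users = parse_users(text)
    name = re.search(r"^Username: (\S+)", text, re.M).group(1)
    bits = int(re.search(r"^Account bits: (0x[0-9a-fA-F]+)", text, re.M).group(1), 16)
    flags, findings = decode_acb(bits), []
    if "Passwd not req." in flags:
        findings.append("blank password permitted")
    if "Pwd don't expir" in flags:
        findings.append("password never expires")
    if users[name]["admin"] and not users[name]["dis_or_locked"]:
        findings.append("enabled administrator")
    return name, flags, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the session above, the decoded flags match the three [X] boxes in the grid, and all three findings apply to ztrela1, so the account should be given a new password after the next logon.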