Thursday, May 21, 2009

Offline NT Password & Registry Editor, Bootdisk / CD

Forgot your Windows NT/2k/XP/Vista admin password?

Reinstall? Oh no... But not any more...
  • This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista etc system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shutdown your computer and boot off a floppydisk or CD or another system.
  • Will detect and offer to unlock locked or disabled out user accounts!
  • There is also a registry editor and other registry utilities that works under linux/unix, and can be used for other things than password editing.
NT stores its user information, including crypted versions of the passwords, in a file called 'sam', usually found in \windows\system32\config. This file is a part of the registry, in a binary format previously undocumented, and not easily accessible. But thanks to a German(?) named B.D, I've now made a program that understands the registry.

This site provides CD and floppy images for end users to easily edit their forgotten passwords. But it also provides full source code and binary builds of the tools to allow others to use as they like for other purposes. Registry format documentation also available.

Latest release is 080802 (2008-08-02)

The following is available for download and information:

Offline NT Password & Registry Editor, Bootdisk / CD

  • If you have the CD, all drivers are included.

    I've put together a single floppy or CD which contains things needed to edit the passwords on most systems. The CD can also be installed on a USB drive, see readme.txt on the CD.

    The bootdisk should support most of the more usual disk controllers, and it should auto-load most of them. Both PS/2 and USB keyboard supported.

    Tested on: NT 3.51, NT 4 (all versions and SPs), Windows 2000 (all versions & SPs), Windows XP (all versions, also SP2 and SP3), Windows Server 2003 (all SPs), Vindows Vista 32 and 64 bit, and some say it works on Server 2008 (32 & 64 bit)

    If used on users that have EFS encrypted files, and the system is XP or Vista, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again
    If you don't know if you have encrypted files or not, you most likely don't have them. (except maybe on corporate systems)

    How to use?

    If you use the floppy, you need one or more of the driver floppies, too.


    1. Get the machine to boot from CD (or floppy)
    2. Floppy version need to swap floppy to load drivers.
    3. Load drivers (usually automatic, but possible to run manual select)
    4. Disk select, tell which disk contains the Windows system. Optionally you will have to load drivers.
    5. PATH select, where on the disk is the system?
    6. File select, which parts of registry to load, based on what you want to do.
    7. Password reset or other registry edit.
    8. Write back to disk (you will be asked)
    DON'T PANIC!! - Most questions can usually be answered with the default answer which is given in [brackets]. Just press enter/return to accept the default answer.

    What can go wrong?

    Lots of things can go wrong, but most faults won't damage your system.

    The most critical moment is when writing back the registry files to NTFS.

    The most common problem is that the computer was not cleanly shut down, and my disk won't write correctly back. (it says: read only filesystem). If so, boot into Windows Safe Mode (F8 before windows logo appears) and shut down from the login window. You may have to do that twice in a row.

    Also, see the FAQ for help with other common problems.

    For linux-knowledged people, you may do things manually if the scripts fail, you have shells on tty1-tty4 (ALT F1 - ALT F4).

    Bootdisk history


    • Now uses NTFS-3g as NTFS filesystem driver.
    • This hopefully removes some problems regarding dirty and "bad flags" NTFS volumes.
    • You will be asked if you like to force your way and continue anyway if the disk has been uncleanly shut down.
    • There exists a small chance of problems with the very latest written files before the unclean shutdown if you select to force it.
    • Safest is still to boot into windows and shut down properly if that is possible with an unclean volume.
    • Path select now hopefully better at detecting default suggestion and to actually find it...
    • Newer kernel, and probably newer and better drivers.
    • No changes to the passord/registry edit program (chntpw) since last release.
    • Sorry, did not have the time to finish the floppy version yet.


    • Newer kernel, and probably newer and better drivers.
    • Windows Dynamic Disks now supported, but maybe not all combinations of mirrors etc. It recognizes the partition layout at least.
    • Should now be possible to load extra drivers (drivers?.zip) from USB the same way as with floppy. Or maybe not. Did not test it that much.
    • Fixed a lot of bugs in the registry handling, did not affect password reset much, but did affect larger registry edits.
    • You still may experience hangs when the NTFS disk is mounted, it will hang after saying "NTFS version x.xx" or such. If there is disc activity, just wait, it may take a while.


    • Patched up NTFS driver to get rid of hang on mount in many cases (after selecting disk). Got many problem reports on this. At the same time someone on the NTFS-for-linux mailinglist mentioned it, and Anton Altaparmakov made a patch very quick. Thank you Anton!
    • Nice if people experiencing the hang in 2007-09-23 can mail me and tell if the fix worked or not. Thanks!
    • NOTE: It may still take up to a minute or two to select the disk.
    • Floppy version had a script bug making it crash in the first menu. Fixed.
    • CCISS driver (HP/Compaq DLxxx etc) had different device paths. Hacked in support for it, may not be 100% still.


    • Floppy version is back! (requires 3 floppies to get all drivers, but you can compose your own driver set so you only need 2)
    • Yes, VISTA is supported (even more)
    • Disk select now indicates which disks are removable, ie are USB keys for instance.
    • Check for "read-only" NTFS mount, you get instructions on what to do if there are problems with the disk so changes won't be saved.
    • Missed out on some IDE/ATA and SATA drivers last time, better now.. I hope.
    • User can be added to the administraror group, making them administrators.
    • Stupid typo in readme.txt on CD fixed, on how to make USB bootable.


    • Now with Vista support!
    • Newer drivers, better probe/loader. Should be able to auto-load all relevant drivers for PCI based disk hardware.
    • Better manual selection of drivers (if you need to load ISA drivers for example)
    • CD only release at this time. If anyone need me to continue floppy releases, please mail me.
    • USB drive can be made out of the files on the CD, see readme.txt on the CD.


    • New CD release (sorry, when yet again rewiring the driver stuff, I did not have time to make floppy stuff work)
    • Contains disk driver updates (SATA maybe more working now)?
    • New driver auto-probe and load. Better now?
    • NTFS updates, writes should be more safe, I hope, working more often.
    • No changes to the password routines themselves.


    • Driver update only, with a few fixes to the autoprobe, too.
    • Some popular drivers like aacraid, megaraid and some SATA-drivers were problematic or missing, now hopefully here.
    • Note that most SATA-drivers also need the libata.ko.gz file, autprobe loads it if needed.
    • The driver archive are too big to include all drivers on a floppy so remove some you're sure you don't need. Remember to always keep pcitable.gz and moddep.gz if you want autoprobe to work.
    • The CD of course includes all drivers.
    • The manual try-all-drivers load is buggy, and won't try to load all drivers, it will stop after each that has not been tried before. But specifying a single driver directly still works.
    • No changes to password edit routines

    (earlier history removed)

    • First public release.


    Note: Some links may be offsite.

    CD release, see below on how to use

    • (~3MB) - Bootable CD image. (md5sum: 33ecd38263f935b82e7b2e3e9f5de563)
    • (~3MB) - Previous release, Bootable CD image. (md5sum: 1c6f5af7c682b7ee5d01935bc11f37f6)

    Bootable USB drive may be made from the files on the CD. See readme.txt on the CD.

    Floppy release, see below on how to use them

    • (~1.4M) - Bootdisk image (md5sum: 37889e4c540504e59132bdcdfe7f9bb7)
    • (~310K) - Disk drivers (mostly PATA/SATA) (md5sum: 72ac1731c6ba735d0ac2746a30dbc3ee)
    • (~1.2M) - Disk drivers (mostly SCSI) (md5sum: 30172bec657c85a5f1a0b43601452fb7)

    NOTE: Versions before 0704xx will corrupt the disk on VISTA!


    How to make the CD

    Unzipped, there should be an ISO image file (cd??????.iso). This can be burned to CD using whatever burner program you like, most support writing ISO-images. Often double-clikcing on it in explorer will pop up the program offering to write the image to CD. Once written the CD should only contain some files like "initrd.gz", "vmlinuz" and some others. If it contains the image file "cd??????.iso" you didn't burn the image but instead added the file to a CD. I cannot help with this, please consult you CD-software manual or friends.

    The CD will boot with most BIOSes, see your manual on how to set it to boot from CD. Some will auto-boot when a CD is in the drive, some others will show a boot-menu when you press ESC or F10/F12 when it probes the disks, some may need to have the boot order adjusted in setup.

    How to make the floppy

    The unzipped image (bdxxxxxx.bin) is a block-to-block representation of the actual floppy, and the file cannot simply be copied to the floppy. Special tools must be used to write it block by block.

    • Unzip the bd zip file to a folder of your choice.
    • There should be 3 files: bdxxxxxx.bin (the floppy image) and rawrite2.exe (the image writing program), and install.bat which uses rawrite2 to write the .bin file to floppy.
    • Insert a floppy in drive A: NOTE: It will lose all previous data!
    • Run (doubleclick) install.bat and follow the on-screen instructions.
    • Thanks to Christopher Geoghegan for the install.bat file (some of it ripped from memtest86 however)

    Or from unix:

    dd if=bd??????.bin of=/dev/fd0 bs=18k

    How to make and use the drivers floppy

    • Simply copy the zip file onto an empty floppy.
    • Depending on your hardware you may only need one of the driver sets or the other, or maybe both.
    • To use, insert one of the driver floppies when asked for it after booting, the zip file will be unzipped to memory.
    • If no drivers matched (no harddisk found), you can select 'f' from the main menu to load the other driver set.
    • Then select 'd' to auto-start the new drivers (if it matches your hardware)
    • Sometimes it fails detecting the floppy change and you get an error, just select 'f' again, it works the second time.
    • For more advanced users that uses this often, it is possible to unzip just the drivers you need and zip them up into a new zip archive. The zip file name must start with "drivers", the rest is ignored. (it unzips drivers*.zip)

    Other places to go for password and disk recovery

    Bootdisk credits and license

    Most of the stuff on the bootdisk is either GPL, BSD or similar license, you can basically do whatever you want with all of it, the sourcecode and licenses can be found at their sites, I did not change/patch anything.

    The "chntpw" program (password changer, registry editor) is licensed under GNU GPL v2. COPYING.txt

    Stuff I used, big thanks:

  • Utility/library update information, documentation, source code
  • Frequently asked questions - Please read before asking questions about the passoword reset CD/floppy

  • The changes does not take effect.
    I get some errors like "read-only filesystem" and such.

    • The current version does not like to write to the NTFS filesystem if windows was not shut down cleanly.
    • Shut down windows from the login page, or from the start menu.
    • If there is no way to shutdown from the login-page, try this:
      1. Boot windows into Safe Mode (press a lot on F8 before the windows logo screen appears)
      2. The login screen in safe mode should usually have a shutdown option, so shut it down!
      3. You may have to do this TWICE! quite often..

    Why can't I access my encrypted (EFS) files after resetting the password?

    • Because in XP and possibly later service packs in win2k the password itself is used to encrypt the keys needed for EFS.
    • Sorry, there is no way to recover the files once the password has been reset.

    The .bin-file inside the .zip won't fit on a floppy.

    • You didn't read the bottom of the bootdisk download page
    • Click on the install.bat after extracting the .zip file, and follow the on screen prompts.

    The keyboard does not work! I can't answer the questions!!

    • If you have a USB keyboard either your USB controller or your keyboard is not supported with the rather generic drivers I use. Nothing I can do at the moment, sorry! Try a PS/2 keyboard if possible.
    • If the keyboard is PS/2 and won't work, I do not have a solution. Sorry.

    When loading the floppy it stops with "boot failed."

    • Bad floppy. Or bad bootloader (some versions are known to give up easy)
    • Use another floppy or a new version of the ldlinux.sys file (go allthewebbing for it for instance. grab one from a linux distros bootdisks. I did.)
    • Or get the CD image from the download page.

    I have the CD in my CD drive, but it starts on the haddrive.

    • Check your BIOS manual on how to boot from CD, or if the CD-ROM is on a SCSI-card, check the cards manual.
    • For those of you without manuals: Try hitting ESC or F10 or F12 for bootmenu right after the RAM-count.
    • Or enter BIOS setup and change the boot order. Either you can figure that one out from the menus, or you really need the manual.
    • I don't remember when BIOS-folks started implementing the CD boot (El Torito) standard, but it was around 1995? Older computers won't CD boot.
    • But BIOS-programmers never actually READ the bloody standard, so you may have a buggy one that only boots some CDs.
    • If it boots (first banner page), the same problems as for the floppy may show, please read on..

    The floppy stuff crashes with "VFS: Unable to mount root.." and panic etc.

    • The are several ways of getting the size of the memory out of the BIOS at boot.
    • It probably selected the wrong one, and 16MB is a bit too little.
    • Strangely, this most often happens on big brand machines, like Compaq and DELL.
    • At boot, hold down LEFT SHIFT key until "Boot: " prompt appears.
    • Then enter:
      • boot mem=128M
    • but substitute with how much memory you have (or a bit less to be safe)
    • If this doesn't help, there is probably not support for your motherboard, CPU or BIOS.

    It cannot find any NT disks or paritions.

    • Some controllers require more than one driver. Usually the auto-load should take care of dependencies, but it does not hurt to try auto-load (d) again.
    • It's either caused by unsupported controller or filesystem driver problems.
    • See next questions..
    • Please don't ask about inclusion of new drivers. I'm often short on time, get lot's of mail, and it's difficult to put in things I cannot test.
    • If you really insist on asking for new drivers, you must at least provide me with correct info on controller card or chip brandname, type, model etc, and a link to website(s) with drivers for linux. If there also are docs for using it on linux, I need that, too. However, as I get a lot of mail, I cannot guarantee an answer or that your needed driver will be included.
    • There are however several other things to try:
      • Try to build Grenier's DOS floppies
      • Move harddisk to another machine as secondary, then try Grenier's chntpw.exe
      • Install new NT/2k/XP in another dir than \winnt etc, then login with new install to access the old ones sam file. Either rename it (will leave admin with blank pass) or use chntpw.exe on it.
    • You could boot a live linux CD (like Ubuntu or others), it will allow access to the windows disk. Then run the "chntpw.static" program included in the source zip file on the source download page
    • Or why not look at The password recovery page at MCSE World

    How to load a 3rd party driver

    • There is a menu selection for it. Put file(s) drivers*.zip on a floppy or on a USB stick (may be a different one from the one you boot from). The zips should contain *.ko files. The files will be automatically unzipped and ready for auto-load or manual menu selection.
    • I do not know how easy or difficult it will be to actually get the drivers to load into my kernel. There may be versions incompatibilities.

    It hangs when mounting the windows disk

    • Hangs when it says something like "NTFS volume version 3.xx"
    • If there is disk activity, just wait. Took more than 10 minutes in one of my tests once.
    • If there is no disc activity, what a few minutes, then reset and try again.
    • If it still hangs, try to boot windows into safe mode first, then shut down etc. See other faq entries about that.

    It seems to change the password, but NT won't agree.

    • The NTFS code wasn't that great after all (probably didn't write things properly)
    • My code wasn't that great after all. (it didn't change or changed in the wrong place. The V struct is still marked "here be dragons..")
    • Try blanking the password instead (menu selection 1), this may straighten things out. In fact, reports indicate: BLANKING RECOMMENDED!
    • If it still won't work, see the previous solution.
    • Blanking will probably be the only option in newer releases.

    I'm told that the account is locked, even if I know it is not.

    • Ok, then the code to identify lockout is not good enough. Sorry for that.
    • Happens sometimes when there are failed logins on a user, even if it is not in fact locked out.
    • Just ignore it, you may still clear the password if you wish.

    I'm not told that the account is locked out, even Windows says it is. How can I reset it?

    • Oops, probably more to the lockout stuff than I know about.
    • You can try resetting it (selection 4 from the user menu), but it may not help.
    • May have something to do with Security / Group policies, which editing of is not supported yet.
    • Unless you'd like to play with the registry editor yourself and figure it out. I cannot give lessons in registry edit.

    The user promotion (putting user into admin group) did not work: I cannot log in!

    • Some users (like Guest often) are prevented from login by "Security policies". Does it say something like that when trying?
    • Sorry, but my program cannot change policy settings. (yet?)
    • It does not even know how to check them.
    • Sorry, nothing to do..

    The user promotion (putting user into admin group) worked, but I cannot put user back into other groups in windows!

    • This is known to happen sometimes.
    • Try the local user part of "computer management" in "administrative tools", it is more detailed than the stupid control panel applet.
    • But that may not work, either.
    • Sorry, have no other known workarond. I told you it was experimental!

    I tried it on Win2k/2k3 PDC (Active Directory), and it didn't change the password.

    • ActiveDirectory (AD) is a completely different database.
    • There is no support for directly changing passwords in AD.
    • To clear things up: The Active Directory SERVER itself is not directly supported, but workstations (w2kprof) and servers (w2k server) that is just MEMBERS of the domain can have their LOCAL passwords changed by the utility.
    • But..
    • John Simpson has made instructions on how to reset that pesky lost administrator password in AD.
    • Many thanks goes to John for this!
    • And I may as well in a future relase make a frontend for the screensaver trick he uses, so it will be even easier.

    What is the 'Can't access tty...' error message when I quit the floppy/cd procedure?

    • It's from the shell, and has nothing whatsoever to do with the password edit.
    • My scripts don't allocate the terminal correctly.
    • Only thing it means is that ctrl-c to break etc won't work on console 1. Should work on console 2-4 (ALT-F2 and so on)
    • Please don't ask about this in mail AGAIN!

    My language uses characters in the usernames that are not readable with the floppy, and i cannot enter/search for them, thus not edit.

    • There is no support for the full unicode character set. Perhaps never will.
    • Select user with the RID (user ID) instead.
    • At the username prompt, enter the RID in hex, just as it is listed in the user listing. 0xfa0 for instance.

    What about support? and I just paid $$ for it on eBay!

    • Yes, some people sell it on eBay.
    • Most of them didn't bother to ask me, but I haven't cared too much about it, at least not yet.
    • If the price is reasonably low (for media, shipping etc), they offer some kind of help and support if customers need it, that's good, and no problem for me.
    • Please do not blaim me if eBay sellers can't deliver or it doesn't work, or you feel ripped off. Leave feedback on eBay instead.
    • I give my tool away for free here, because I do not have the time for real support.
    • Usually I go through my mail 1 or 2 times a week, and I usually end up replying about 40-50% of it.
    • What I answer depends on my mood that day, what the problems are, and how they are presented.
    • Mails with questions for which an answer can be found here in the FAQ or on the other webpages will not be answered.
    • Questions for drivers will almost never be answered. They take too much time to figure out. Sorry.
    • And.. I understand English, Norwegian, Swedish and Danish.
    • My answers are either in English or Norwegian. (as appropriate :-)
    • Thank you all for a lot of positive feedback or small tips for improvement, I appreciate it :-) even if I often don't reply to you. :-(

    Can I donate money?

    • Not a the moment, I have closed the donations. There are several reasons I will not talk about.
    • But a big thank you to all that have donated, especially to some I guess I have missed a personal reply to!

    All credits Goes to Original



0 Responses to “ ”