TechRepublic : A ZDNet Tech Community

Microsoft Windows

Host: Mark Kaelin
Contact

Misplaced passwords can render Windows systems useless. Minus a valid username and password, Windows boxes, and the data they contain, are essentially off limits.

The situation arises frequently. Users leave. Past consultants fail to document deployments. IT professionals quit.

Without documentation, accessing critical Windows systems and data becomes problematic. Despite numerous aspersions from the open source community, Microsoft’s NTFS file system delivers decent performance and security.

However, a free open source program often makes quick work of cracking Windows passwords. The Offline NT Password & Registry Editor presents a potential option for obtaining access to locked-out Windows NT-based systems. Here’s how you can use it to recover lost passwords on your Windows systems.

The Offline NT Password & Registry Editor

Offline NT Password & Registry Editor is a free Linux-based utility, which as the name suggests, works offline. The code creates its own boot environment. Once you burn the ISO image to a CD-ROM, you’ll have a tool at your disposal for resetting Windows NT, 2000, XP and Vista account passwords. You wont even have to know any of the current account user names or passwords on the system to make it work.

Instead, the utility detects user accounts and enables resetting the password to a value you decide. The application will even reset locked or disabled user accounts.

When you first boot the utility, you’ll see the screen shown in Figure A.

Figure A

The Offline NT Password & Registry Editor presents this menu upon booting.

Recognize The Dangers

As the name suggests, the utility edits the Windows registry. Further, the application edits the registry in a completely unsupported and warranty- and Microsoft-support voiding way.

In other words, the password-cracking software is used at your own risk. The Offline NT Password & Registry Editor could easily render a system unbootable. The unauthorized program could also destroy existing data resident on a Windows system.

This is especially true if the Encrypting File System (EFS) has been used to protect sensitive data. In fact, if you use it to change the password on an account that’s used EFS to protect files, it’s unlikely those files can ever be recovered.

But, left to no other option, you may find the software is just what’s needed to break into a system for which passwords have been lost or misplaced.

Driver Issues

Using the Offline NT Password & Registry Editor requires that you place the CD in the system in question and reboot it. Once the utility starts, its initial boot screen will appear. Users should pay particular attention to the warning that appears stating, “This software comes with absolutely no warranties! The author can not be held responsible for any damage caused by the (mis) use of this software.” Again, the utility should only be used as a last resort.

But faced with using options of last resort is often where computer professionals find themselves. When such situations arise, and all other means of accessing the data (including removing the hard disk from the existing system and attempting to recover its data from another system) prove fruitless, the offline editor may well work.

In my experience, the most common issue I encounter is the lack of driver support for SATA controllers. The Offline NT Password & Registry Editor is frequently updated with bug fixes, and driver support is among the regular improvements the utility receives. That said, you may encounter situations where drivers need to be manually loaded as you can see in Figure B.

Figure B

The Offline NT Password & Registry Editor attempts to auto-load drivers based on information it discovers while booting.

When the program fails to locate active Windows installations, you can attempt to manually load disk drivers by entering m at the provided command prompt. Upon selecting M, you’ll be presented with an extensive menu of potential drivers, as shown in Figure C.

Figure C

You can select the drivers you need.

The password-resetting software doesn’t always recognize installed hard disks, as can be seen here. In this case, the utility doesn’t possess the necessary drivers to connect to a RAID installation. It’s for that reason that the software reports disk partitions don’t contain valid partition tables in this image.

Resetting Passwords

Once driver issues are resolved (in many cases the program’s auto-detection works without any trouble), you can connect to the system’s registry and make the necessary edits. With the proper drivers, the offline editor displays installed disks and resident disk partitions. You need to select the specific Windows installation you wish to edit by entering its partition number at the provided command prompt as shown in Figure D.

Figure D

Select the partition with Windows on it.

The offline editor breaks into several steps the process of resetting Windows passwords. Step One involves specifying the Windows installation and partition.

With the disk and partition selected, the utility then prompts users to specify the registry directory path to edit. The default is WINDOWS\system32\config. In most cases this default entry is correct. You need only press the [Enter] key to specify the default value.

Next users are prompted to enter the task they wish to perform, as shown in Figure E. The offline editor provides three options: Password reset, RecoveryConsole parameters, and Quit. To reset passwords, enter 1 at the command prompt.

Figure E

Administrators should enter 1, for password reset, when prompted.

Upon selecting the password reset option, you’ll then be prompted to specify the action to perform. The options are:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To reset passwords, select 1 – Edit user data and passwords.

The utility will then display user information and password status. Specify the user account for which you wish to reset the password by typing the user account name and pressing Enter.

Once you specify the user the utility requests that you supply a new password as seen in Figure F. In my experience, supplying a blank password usually works best. The utility’s publisher also recommends blanking the password.To supply a blank password, type an asterisk (*) and press [Enter].

Figure F

The password-cracking utility prompts administrators to specify the user account and provide a new password.

Upon specifying the new password (or blanking it out), the program prompts you to confirm you wish to make the change. Type a [Y] and press [Enter] to confirm you wish to complete the edit.

At this point it’s tempting to reboot the system and attempt to log in to the user account with the new (or blanked out) password. However, one last step remains. You must instruct the Offline NT Password & Registry Editor to actually write the edits to the Windows system registry.

The process becomes less than intuitive here. To complete the process, you must enter the quit command. Typing an exclamation point [!] and pressing [Enter] quits the program. Previously in the process, [Q] is used to quit the process, so make note of the difference here.

After you do so, the utility will present a Main Interactive Menu. Several choices are presented:

  • Edit user data and passwords
  • Syskey status & change
  • RecoveryConsole settings
  • Registry editor
  • Quit

To complete the password reset operation, enter [Q] to quit.

The program then prompts you to complete step four, which involves writing the edits to the Windows registry. To complete the password reset registry edit, type [Y] and press [Enter]. The program will write the change to Windows SAM file and display an Edit Complete confirmation. At this point you can reboot the Windows system and, if the utility worked as designed, log into the user account using the password (or blanked password) you specified as part of step three.

Linux to the rescue

As you can see, if you don’t have an administrator password for your system, all is not lost. The Offline NT Password & Registry Editor possesses the ability to penetrate locked out systems and restore access to user accounts and data. However, the utility can just as easily destroy a Windows system’s data. For that reason, the tool should only be used as a last resort (and only on systems for which you possess complete ownership and/or administrative authority).

Erik EckelErik Eckel earned a bachelor's degree from the University of Louisville and completed Sullivan College's Microsoft Engineer program. He holds MCP, MCP+I, MCSE and Network+ certifications. He's worked with computers and Internet technologies for 15 years and has written and edited best-selling computer books for such publishers as Coriolis, O'Reilly and TechRepublic. He is managing partner with Louisville Geek. Read his full bio and profile.

Print/View all Posts Comments on this blog

You should be ashamed of yourself!!!!!!! ThumbsUp2 | 03/15/08
Chill, dude NickNielsen | 03/15/08
The chance to kill Dumphrey | 03/17/08
And don't I know it! NickNielsen | 03/17/08
I ha d a similar experience Dumphrey | 03/19/08
Regarding your knee-jerk reaction Joe_R | 03/15/08
Whoa...dude... Forum Surfer | 03/17/08
Thanks A Tons for the Solution raju.rawat@... | 03/19/08
Agreed : It works if you know what you are doing pouigardens@... | 03/19/08
_ curso9d@... | 06/25/08
Absolutely! Betageek52@... | 07/03/09
Informational Lifesaver skipedie@... | 03/19/08
Your ire is misplaced thinker999 | 03/19/08
This is a needed utility Richard.Mlodoch@... | 03/19/08
YOU SHOULD BE ASHAMED OF YOURSELF verd@... | 03/19/08
Actually T-Up is NOT out of line w2ktechman | 03/19/08
No, just over the top and slightly clueless cashdj@... | 04/03/08
Actually T-UP is out of line Keystones | 11/04/08
Chill Dude is very right.... adnikauto | 03/19/08
Thumbs down to Thumbsup.... Timbo Zimbabwe | 03/19/08
really w2ktechman | 03/19/08
A machine where the Admin password was unknown Neon Samurai | 03/20/08
And that is an excellent point The Scummy One | 03/20/08
Cheers, Neon Samurai | 03/20/08
:) Another Excellent point The Scummy One | 03/20/08
Scummy, would that classify Dumphrey | 03/20/08
Depends, which time :^0 The Scummy One | 03/20/08
I once decided to "clean" my computer out Dumphrey | 03/21/08
I watched a friend put a math-co chip in backwards long ago Neon Samurai | 03/21/08
So when he tried 2 +2, he got zero? =) NT Dumphrey | 03/21/08
at 20:00 with owner's TV and lights on and three dogs barking? Neon Samurai | 03/22/08
RFLMAOPMP! Locrian_Lyric | 03/19/08
Changing passwords DNSB | 03/21/08
Oh, Yeah... Betageek52@... | 07/03/09
Shouts & Yells..POST SOME MORE..Let (ThumbsUp) sue us..lol raju.rawat@... | 03/19/08
RE: You should be ashamed of yourself!!!!!!! michaelsaltmarsh@... | 03/19/08
Where have you been ? butkus@... | 03/19/08
If you can touch it Endoscopy | 03/20/08
It takes longer too boot a machine than it does to recover it's passwords Neon Samurai | 03/20/08
Are you a professional? Photogenic Memory | 03/20/08
Alternative... Penguin_me | 03/20/08
Ophcrack DNSB | 03/21/08
Unable To Unlock Admin PW even w/ battery out rodan1@... | 11/08/09
Thumbie, thanks for being a professional jdclyde | 03/20/08
Your ethical standards != to the reality of the job Photogenic Memory | 03/20/08
Not sure exactly where your coming from Adam jdclyde | 03/20/08
Where are you working? Endoscopy | 03/20/08
If maliciously done by an "IT person" jdclyde | 03/20/08
Anyone who wanders by? DNSB | 03/21/08
It is impossible to make anything fool-proof . . . patrick.moran@... | 09/02/08
That's for sure. Betageek52@... | 07/03/09
Just an average guy another avg joe | 05/24/09
some of us "that have jumped all over".. Neon Samurai | 03/20/08
There is a difference though, Samurai jdclyde | 03/20/08
I think I've also posted similar elsewhere as we do mostly agree Neon Samurai | 03/21/08
Wow! PSer | 03/20/08
What? cashdj@... | 04/03/08
Cashdj, are you dumb or just stupid? jdclyde | 04/03/08
Really? DNSB | 04/04/08
Clearly, you have no idea what you're talking about cashdj@... | 04/04/08
Lighten Up, ThumbsUp2 lenny@... | 03/20/08
And I suppose it follows... static0001@... | 03/20/08
I think your confusing Hackers with criminals Neon Samurai | 03/20/08
Thank you for caring Mark W. KaelinTechrepublic Moderator | 03/20/08
May I make a suggestion The Scummy One | 03/20/08
Excellent commentary, Mark! TiggerTwo | 03/20/08
Ethics, period santeewelding | 03/20/08
Fleshing out the topic jdclyde | 03/20/08
You are welcome PSer | 03/21/08
A slight difference jdclyde | 03/21/08
Leave it to you ... PSer | 03/21/08
It pleases me to no end jdclyde | 03/21/08
U 2 PSer | 03/21/08
Some feedback, sweetie TiggerTwo | 03/21/08
It helps me... bobp@... | 08/21/09
There's a lesson there NickNielsen | 08/21/09
Of Course I won't do anything else for him. bobp@... | 08/22/09
Full Disk Encryption forsail79@... | 03/21/08
You are way off the mark reisen55@... | 03/21/08
In a perfect world ... cashdj@... | 04/03/08
Take a couple of deep breaths and calm down... DNSB | 03/21/08
RE: You should be ashamed of yourself!!!!!!! aag_uk@... | 03/23/08
Time for a reality check johno73 | 03/25/08
You have got to be kidding me cashdj@... | 04/03/08
Forgetfulness is one of our weakness. nusyaputera@... | 04/07/08
The only idiot... reynolds@... | 04/29/08
You're a professional. Bizzo | 04/29/08
And the biggest problem jdclyde | 04/29/08
Stolen laptop DNSB | 04/30/08
"Locksmith" from Winternals did (does) the same thing patrick.moran@... | 04/29/08
Sorry, I prefer the venti w2ktechman | 04/29/08
IT Pros have Winternals - Must have for Virus removal pandppc@... | 06/25/08
Wrong Planet michageo | 06/24/08
Oh, Boy. Betageek52@... | 07/03/09
Chill out DUDE!!! tmccarty8@... | 06/24/08
some people could need it curso9d@... | 06/25/08
On Linux Floppy Disk reisen55@... | 06/28/08
This program is nothing new Pyrotech_z | 08/28/08
easy dude shadfurman | 08/29/08
When a Client can't remember the password... bobp@... | 08/21/09
?? zynn | 01/15/10
set a BIOS password also Neon Samurai | 01/15/10
Excuse me... Betageek52@... | 01/16/10
This is a great little utility NickNielsen | 03/15/08
It saved my bacon! mkb091d | 03/19/08
But if it saved you the trouble of reloading Windows? DNSB | 03/21/08
I've used it with success NickNielsen | 03/21/08
RE: Reset lost Windows passwords with Offline Registry Editor Fred 65 | 03/15/08
RE: Reset lost Windows passwords with Offline Registry Editor amdbuilder@... | 03/15/08
Agreed: Physical access means owned gshollingsworth | 03/17/08
RE: Reset lost Windows passwords with Offline Registry Editor noah.gordon@... | 03/16/08
RE: Reset lost Windows passwords with Offline Registry Editor fbramwell@... | 03/16/08
opportunity catseverywhere@... | 03/18/08
I keep a copy of a nifty utility... Forum Surfer | 03/18/08
ooops Forum Surfer | 03/18/08
Not hard to find The Listed 'G MAN' | 03/19/08
Request copy / name / link of Nifty Utility macghee@... | 03/19/08
Reinstall Windows every year? tmalonemcse@... | 03/18/08
I Agree uberg33k50 | 03/19/08
Yes, every year Forum Surfer | 03/20/08
It used to be three to six months for my install Neon Samurai | 03/20/08
opportunity rickferd | 03/19/08
clarification catseverywhere@... | 03/19/08
Thanks for the clarification tmalonemcse@... | 03/19/08
Completely off topic question Neon Samurai | 03/20/08
CompTIA catseverywhere@... | 03/21/08
Thanks for the input Neon Samurai | 03/21/08
SSCP catseverywhere@... | 03/22/08
clairified rickferd | 03/20/08
Clean install does not save other programs pandppc@... | 06/25/08
Disagree on the time... Forum Surfer | 06/26/08
Working on customer's pcs is my JOB - not a hobby pandppc@... | 07/16/08
Hear Here (LOL) Betageek52@... | 07/03/09
RE: Reset lost Windows passwords with Offline Registry Editor orvinabbott@... | 03/19/08
Alternative to retrieving data mulder@... | 03/19/08
Data recovered first orvinabbott@... | 03/19/08
This may draw some ire from some of you (if not all) Betageek52@... | 07/03/09
what mobo? catseverywhere@... | 03/19/08
Now, where is that default "we don't answer password hack quesiton" jdclyde | 03/19/08
yertiz, jd....! gadgetgirl | 03/19/08
I wonder how we report to Beth jdclyde | 03/19/08
I think the sad part is w2ktechman | 03/19/08
Yes, I saw the pathetic response Thumbs got from "IT Pros" jdclyde | 03/19/08
JD... Betageek52@... | 07/03/09
This falls under "editorial" Beth Blakely | 03/19/08
Some clerification is all jdclyde | 03/19/08
Honestly w2ktechman | 03/19/08
Wait and see jdclyde | 03/19/08
Let them search for them Dumphrey | 03/20/08
Grubby little mitts? macghee@... | 03/19/08
It DID occur to me, but did theft never come to your mind Mac? jdclyde | 03/19/08
re: yertiz, jd....! macghee@... | 03/19/08
cool jdclyde | 03/19/08
It's reset, not hack/crack a password arjanh@... | 03/20/08
That isn't the point jdclyde | 03/20/08
A LOCK does not keep out a Thief only keep an honest man .HONEST michael.stiltz@... | 03/20/08
Ok, this makes little sense The Scummy One | 03/20/08
Agreed PSer | 03/21/08
I think a better way to phrase this Dumphrey | 03/21/08
Actually, the higher quality the lock jdclyde | 03/21/08
I dated a lady for a few years Dumphrey | 03/21/08
The standard BnE is two min or less and locks have nothing to do with it Neon Samurai | 03/21/08
That was mostly my point Neon Dumphrey | 03/21/08
Stolen laptops aren't the issue here arjanh@... | 03/31/08
WINTERNALS ERD COMMANDER reisen55@... | 03/19/08
Funny thing w2ktechman | 03/19/08
Thanks Reisen! macghee@... | 03/19/08
ERD Endoscopy | 03/20/08
Microsoft Diagnostics and Recovery Toolset Dumphrey | 03/20/08
RE: WINTERNALS ERD COMMANDER lbindustries1@... | 03/20/08
WINTERNALS ERD is the Best reisen55@... | 06/14/09
Is it free? Photogenic Memory | 06/15/09
RE: Is it free? HAL 9000 | 06/15/09
ERD download site bobp@... | 08/21/09
RE: Reset lost Windows passwords with Offline Registry Editor rb4711 | 03/19/08
My 2 Cents Craig_B | 03/19/08
Reset lost Windows passwords with Offline Registry Editor garylgilbert@... | 03/19/08
not for a domain account w2ktechman | 03/19/08
domain Endoscopy | 03/20/08
Odd.... DNSB | 03/21/08
RE: Reset lost Windows passwords with Offline Registry Editor NickinSD2004 | 03/19/08
No "Mark as SPAM" for blogs? jdclyde | 03/19/08
Yes, You can request removal of a blog ... techfoulks | 03/19/08
RE: Reset lost Windows passwords with Offline Registry Editor jim.nielsen@... | 03/19/08
Problems/Dilemma's w2ktechman | 03/19/08
This is a good tool... Crash84 | 03/19/08
I use this tool as well The Scummy One | 03/19/08
RE: Reset lost Windows passwords with Offline Registry Editor rstitt@... | 03/19/08
Catch 22 Jacky Howe | 03/19/08
Looks like a few of us w2ktechman | 03/19/08
We Jacky Howe | 03/19/08
Even Beth said that w2ktechman | 03/19/08
I Jacky Howe | 03/19/08
LOL -- but I do agree w2ktechman | 03/19/08
Good position :) Jacky Howe | 03/19/08
ROFLMAO w2ktechman | 03/19/08
Guys... seriously... Beth Blakely | 03/20/08
Sponsored links rather humourous DNSB | 03/21/08
The forum posters can still choose how to respond too though Neon Samurai | 03/20/08
^^^^^ SWEET BISCUIT ^^^^^ Beth Blakely | 03/20/08
I have my moments :) Neon Samurai | 03/20/08
NT Dumphrey | 03/20/08
I would agree to the forums posts The Scummy One | 03/20/08
My primary objection to his original post is the blatant hate Neon Samurai | 03/20/08
Here may be why The Scummy One | 03/20/08
yeah, I agree The Scummy One | 03/20/08
That's two of us :) Jacky Howe | 03/19/08
he he he michaelsaltmarsh@... | 03/20/08
Make that three! Dumphrey | 03/20/08
Yessir! The Scummy One | 03/20/08
Well, if thats the worst I hear this week end, Dumphrey | 03/21/08
TR staffer versus Visitors Neon Samurai | 03/20/08
RE: Reset lost Windows passwords with Offline Registry Editor kokophone@... | 03/20/08
RE: Reset lost Windows passwords with Offline Registry Editor gerardhalloy@... | 03/20/08
Forgot a few problems Endoscopy | 03/20/08
don't forget NirSoft's utilities JBNForeman@... | 03/20/08
The pointy haired managers have got to be happy with this one Neon Samurai | 03/20/08
Add guys get to wear Suits?!?! Dumphrey | 03/20/08
Thanks for the info paul53103 | 03/21/08
Try Hobbes NickNielsen | 03/21/08
VERY good point! Ethical_Loner | 03/21/08
There are indeed ethical marketing people Dumphrey | 03/21/08
I've had that same conspiracy theory talk with friends Neon Samurai | 03/21/08
When I was in school Dumphrey | 03/21/08
I remember that little app Neon Samurai | 03/22/08
Saves Time! kwilson@... | 04/09/08
Didn't work. steve@... | 04/22/08
Really? have you save (write-SAM) before quit? nusyaputera@... | 04/29/08
Changes wil not save bruce.chynoweth@... | 06/16/08
_ curso9d@... | 06/25/08
. T_J_B | 06/25/08
T_J_B michaellashinsky@... | 06/27/08
I just used this tool a couple of days ago. Minion | 05/21/09
RE: Reset lost Windows passwords with Offline Registry Editor shadymoon@... | 06/11/09
RE: Reset lost Windows passwords with Offline Registry Editor thyssens@... | 06/13/09
Because it is faster seanferd | 06/13/09
It's a tossup Neon Samurai | 06/13/09
I'd have to agree with your assessment seanferd | 06/13/09
I'm itching to get hands on Hiren's boot disk Neon Samurai | 06/13/09
Not used it much, but it's pretty cool seanferd | 06/13/09
Hiren 9.9 vs. 10 bobp@... | 01/16/10
Yes, its faster... thyssens@... | 08/22/09
Blank the password, FTW ron.dondelinger@... | 07/09/09
It depends on the tables you use with it Neon Samurai | 07/10/09
RE: Reset lost Windows passwords with Offline Registry Editor amateur_girl | 11/17/09

What do you think?

Essential Topics Click Here

White Papers, Webcasts, and Downloads

Recent Entries

TR on Twitter

Archives

TechRepublic Blogs


IT Professional's Guide to Policies and Procedures, Third Ed
Whether you're creating policies for management, training, personnel, support, privacy, Internet/e-mail usage, security, or inventory, you'll meet the needs of your entire enterprise with this one download!
Buy Now
500 Things Every Technology Professional Needs to Know
Did you know Microsoft's RegClean does not work with XP but you can use shareware to clean your registry? Did you know most wireless access points don't have encryption enabled by default? Did you know there are 500 tidbits of information contained in TechRepublic's 500 Things Every Technology Professional Needs to Know that will help you become a successful IT professional.
Buy Now

SmartPlanet

Click Here