http://rhadimas.wordpress.com/2006/10/15/reset-windows-password-w-knoppix/
Download the chntpw package.
knoppix@Knoppix:~$ wget http://ftp.au.debian.org/debian/pool/main/c/chntpw/chntpw_0.99.5-0+nmu1_i386.deb
Extract only the chntpw binary.
knoppix@Knoppix:~$ alien --to-tgz chntpw_0.99.5-0+nmu1_i386.deb
knoppix@Knoppix:~$ tar xvzf chntpw-0.99.5.tgz ./usr/sbin/chntpw
knoppix@Knoppix:~$ mv ./usr/sbin/chntpw ./
Repair and mount an NTFS volume that was not cleanly unmounted.
knoppix@Knoppix:~$ sudo ntfsfix /dev/hda1
knoppix@Knoppix:~$ sudo mount -o rw /dev/hda1 /media/hda1/
Change the password for a particular user (here, mini).
knoppix@Knoppix:~$ cd /media/hda1/WINNT/system32/config/
knoppix@Knoppix:/media/hda1/WINNT/system32/config$ /home/knoppix/chntpw -u mini SAM
chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 24576 [6000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 185/14976 blocks/bytes, unused: 5/5344 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length : 0
Password history count : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | ASPNET | | |
| 01f5 | Guest | | dis/lock |
| 01f4 | mini | ADMIN | dis/lock |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
***************** SYSKEY IS ENABLED! **************
This installation very likely has the syskey passwordhash-obfuscator installed
It's currently in mode = -1, Unknown-mode
SYSTEM (and possibly SECURITY) hives not loaded, unable to disable syskey!
Please start the program with at least SAM & SYSTEM-hive filenames as arguments!
RID : 0500 [01f4]
Username: mini
fullname:
comment : Built-in account for administering the computer/domain
homedir :
User is member of 1 groups:
00000220 = Administrators (which has 1 members)
Account bits: 0x0210 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 6, while max tries is: 0
Total login count: 1370
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
4 - Unlock and enable user account [probably locked now]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Hives that have changed:
# Name
0 <SAM>
Write hive files? (y/n) [n] : y
0 <SAM> - OK
Leave the mounted volume and unmount it.
knoppix@Knoppix:~$ cd
knoppix@Knoppix:~$ umount /media/hda1