12 - Reset a Windows User password


This method uses grub4dos and the ISO file for the Offline NT Password and Registry Editor, latest release 110511 (2011-05-11). It clears or resets a user's password by editing the SAM registry hive offline, i.e. without logging in to Windows.


This is just a quick guide on how to make a bootable USB drive (e.g. a flash memory pen drive) which will allow you to boot from it and reset a Windows XP/Vista/7 user account password. This is useful if a user has forgotten their Windows password, or you need to boot a system in an emergency and you do not know the user's password (e.g. a member of staff has left and you need to gain access to their work PC).

FIRST WARNING: There is a very small but real possibility that this operation could make the target computer inaccessible (especially if you don't know what you are doing!). I suggest you make a backup of the disk first if the data on that disk is really important.

SECOND WARNING: If any files or folders have been encrypted with EFS (Encrypting File System), resetting the user's password offline will make those files permanently unreadable, because the key that protects the user's EFS private key is derived from the user's password and an offline reset cannot re-key it. For this reason do NOT use this method to reset the password if you think the account may have EFS-encrypted files. Beware!!! Resetting a user's or administrator's password on Windows XP and later can cause loss of anything protected by the user's password, especially EFS-encrypted files and saved passwords from within Internet Explorer. To protect yourself against EFS-encrypted file loss you should always export your EFS certificate with its private and public key, along with the keys for the Recovery Agent user, while you can still log in. If you are unsure, try ophcrack first to see if you can recover the user's password - ophcrack is non-invasive and does not alter any files on the target system.

Note: As you can see from the description below, it is easy to clear a user's Windows password, and it is even easier to access files on an unencrypted system (anyone who can boot the PC from their own media can read the disk). For this reason Windows PCs that need to be secure should use an encrypted filesystem - however be warned that should an emergency arise and you really need to access the files on that system, you can't unless you know the password (that is why it is called 'Secure')! So before you use the Encrypting File System or a product such as TrueCrypt or RM EasiLock/DesLock, think about what data is stored on that PC and what would happen if you needed to access that data but did not know the password (e.g. Mrs Jones got run over by a bus and only she knew the password to your accounts computer).
  1. Create a bootable USB drive using RMPrepUSB (download from this website):
    Select your USB drive then set 1=MAX, 2=WinInst, 3=WinPE, 4=FAT32 (or NTFS) + Boot as HDD, untick the Copy Files box - then click 6 Prepare Drive 
  2. Click on the Install grub4dos button and choose Yes=PBR (then repeat and choose No=MBR for maximum compatibility)
  3. Download the Offline NT Password and Registry Editor ISO file (the cd version, cd110511.iso) and copy the iso file to the USB drive
  4. Using Notepad, create a menu.lst file on the USB drive with the following contents:

    title Windows Password reset
    find --set-root /cd110511.iso
    map /cd110511.iso (0xff)
    map --hook
    chainloader (0xff)


    Your USB drive should now contain 3 files: menu.lst, cd110511.iso and grldr. Note that grub4dos can only map an ISO file that is stored contiguously (unfragmented) on the drive; copying it onto a freshly prepared drive normally ensures this, but if the map command reports that the file is not contiguous, defragment it (WinContig can do this) and try again.

  5. Before ejecting, you can check that the drive boots correctly using RMPrepUSB F11 (run QEMU). Then eject the drive (using RMPrepUSB, or right-click - Eject, or Safely Remove Hardware from the system tray).



To use the USB pen to reset a user account password:
  1. Switch on the target PC/notebook and boot from the USB drive (change BIOS boot order settings if required)
  2. At the grub4dos menu, just press {Enter} to select the Windows Password reset option
  3. When the system boots, press {Enter} again as prompted.



  4. STEP 1 - The 'Candidate Windows partitions found:' list shows any possible Windows installations that were found. Enter the number of the partition holding the Windows installation you wish to reset (e.g. '1').
  5. You will now be asked for the path to the registry directory. It is normally already set for you, e.g.: 'What is the path to the registry directory? (relative to windows disk) [WINDOWS/system32/config] :'. Windows/system32/config is the usual location of the registry hives, including the SAM file that holds the account passwords - you will be warned if it cannot be found.
  6. Press {Enter} (or change the path as required and press {Enter})
  7. STEP 2 - You will now be prompted for which part of the registry you want - type '1' for Password Reset.
  8. STEP 3 - Type '1' for Password edit.
  9. A list of users will now be displayed:
    The Locked column indicates a disabled account (dis/locked) or one with no password set (BLANK). Accounts with Admin rights are shown in the Admin? column.
  10. Type in the name of the user account you want to reset the password on. Note that the built-in Administrator account (RID 01f4 hex, 500 decimal) on Vista and Windows 7 is normally disabled, so choose a different account with Admin rights.
  11. Type '1' to clear (blank) the user password.
  12. Type '!' to finish the editing - you now need to save the changes to disk and make the change permanent...
  13. Type 'q' to quit and press 'y' to save the changes.
  14. Type 'n' if you don't want to do another edit - ignore the message 'sh: can't access tty; job control turned off', remove the USB drive and press CTRL-ALT-DEL to reboot and test the changes.

Note: The Offline NT Password and Registry Editor is also included on the Ultimate Boot CD (UBCD) under the menu Hard Disk - Data Recovery.
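The same reset can be done from any Linux live system that has ntfs-3g, attr (getfattr) and the chntpw command-line tool installed, which also lets you script the two checks the warnings above ask for: a backup of the registry hives before anything is edited (first warning), and a scan of the user's profile for EFS-encrypted files so that you stop before destroying them (second warning). The script below is an added example and is not part of this tutorial, RMPrepUSB or the chntpw project. It assumes the Windows partition has already been mounted read-write with ntfs-3g (default /mnt/win), that ntfs-3g exposes each file's NTFS attribute flags as the extended attribute system.ntfs_attrib (a 32-bit little-endian value, in which FILE_ATTRIBUTE_ENCRYPTED is 0x4000), and that the profile lives under Users or Documents and Settings; the backup directory name and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or the chntpw project): offline
# password reset from a Linux live system with the tutorial's two warnings
# turned into checks. Assumes: Windows partition mounted read-write with
# ntfs-3g at $1 (default /mnt/win); ntfs-3g exposes NTFS attribute flags as
# the xattr system.ntfs_attrib (32-bit little-endian); chntpw and getfattr
# are installed.

# STEP 1 of the tutorial by hand: locate the registry directory. ntfs-3g is
# case-sensitive, so try the spellings XP and Vista/7 actually use, then search.
find_registry_dir() {
    root=$1
    for d in WINDOWS/system32/config Windows/System32/config WINNT/system32/config; do
        if [ -f "$root/$d/SAM" ]; then printf '%s\n' "$root/$d"; return 0; fi
    done
    d=$(find "$root" -maxdepth 4 -type f -iname SAM -ipath '*/config/SAM' 2>/dev/null | head -n 1)
    [ -n "$d" ] || return 1
    printf '%s\n' "$(dirname "$d")"
}

# FIRST WARNING: keep a copy of every hive chntpw may rewrite (SAM, SYSTEM,
# SECURITY) so the edit can be undone by copying the files back.
backup_hives() {
    regdir=$1 dest=$2
    mkdir -p "$dest"
    for h in SAM SYSTEM SECURITY; do
        if [ -f "$regdir/$h" ]; then cp -p "$regdir/$h" "$dest/$h"; fi
    done
}

# Decode the four little-endian flag bytes as printed by "od -An -tu1".
attrib_from_le_bytes() {
    set -- $1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# FILE_ATTRIBUTE_ENCRYPTED is 0x4000 (16384) in the NTFS attribute flags.
flags_has_encrypted() {
    [ $(( $1 & 16384 )) -ne 0 ]
}

# SECOND WARNING: succeeds if the file or directory carries the EFS flag.
is_efs_encrypted() {
    bytes=$(getfattr --only-values -n system.ntfs_attrib "$1" 2>/dev/null | od -An -tu1)
    [ -n "$bytes" ] || return 1
    flags_has_encrypted "$(attrib_from_le_bytes "$bytes")"
}

# Print every EFS-encrypted path under a directory (the user's profile).
list_efs_files() {
    find "$1" 2>/dev/null | while IFS= read -r f; do
        if is_efs_encrypted "$f"; then printf '%s\n' "$f"; fi
    done
}

main() {
    winroot=${1:-/mnt/win}; user=$2
    [ -n "$user" ] || { echo "usage: $0 <mounted-windows-root> <username>" >&2; exit 1; }
    regdir=$(find_registry_dir "$winroot") || { echo "no SAM hive found under $winroot" >&2; exit 1; }
    bak=/root/hive-backup-$(date +%Y%m%d-%H%M%S)   # example location, change as needed
    backup_hives "$regdir" "$bak" && echo "hives backed up to $bak"
    profile=$(find "$winroot/Users" "$winroot/Documents and Settings" -maxdepth 1 -iname "$user" 2>/dev/null | head -n 1)
    if [ -n "$profile" ] && [ -n "$(list_efs_files "$profile" | head -n 1)" ]; then
        echo "EFS-encrypted files exist in $profile; resetting would make them unreadable:" >&2
        list_efs_files "$profile" | head -n 20 >&2
        exit 2
    fi
    chntpw -l "$regdir/SAM"                    # same user table as STEP 3 of the tutorial
    chntpw -i "$regdir/SAM" "$regdir/SYSTEM"   # then follow the menus as in steps 7-14
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root as `sh reset-check.sh /mnt/win jones` after `mount -t ntfs-3g /dev/sda1 /mnt/win`. If Windows was hibernated or shut down with fast startup, ntfs-3g will refuse to mount the volume read-write; do not force it, because chntpw's changes to the SAM would then be overwritten when Windows resumes.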