1CHNTPW(8) System Manager's Manual CHNTPW(8)
2
6 chntpw - utility to overwrite passwords of Windows systems
7
9 chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive]
10 [...]
11
13 This manual page documents briefly the chntpw command. This manual
14 page was written for the Debian distribution because the original pro‐
15 gram does not have a manual page.
16 chntpw is a utility to view some information and reset user passwords
18 in a Windows NT/2000 SAM userdatabase file used by Microsoft Windows
19 Operating System (in NT3.x and later versions). This file is usually
20 located at \WINDOWS\system32\config\SAM on the Windows file system. It
21 is not necessary to know the previous passwords to reset them. In
22 addition it contains a simple registry editor and ahex-editor with
23 which the information contained in a registry file can be browsed and
24 modified.
25 This program should be able to handle both 32 and 64 bit Microsoft Win‐
27 dows and all versions from NT3.x up to Win8.1.
28
32 -h Show a summary of options.
33 -u username
35 Username or username ID (RID) to change. The default is 'Admin‐
36 istrator'.
37 -l List all users in the SAM database and exit.
39 -i Interactive Menu system: list all users (as per -l option) and
41 then ask for the user to change.
42 -e Registry editor with limited capabilities (but it does include
44 write support). For a slightly more powerful editor see reged
45 -d Use buffer debugger instead (hex editor)
48 -L Log all changed filenames to /tmp/changed. When this option
50 is set the program automatically saves the changes in the hive
51 files without prompting the user.
52 Be careful when using the -L option as a root user in a multi‐
54 user system. The filename is fixed and this can be used by
55 malicious users (dropping a symlink with the same name) to over‐
56 write system files.
57 -N Do not allocate more information, only allow the editing of
60 existing values with same size.
61 -E Do not expand the hive file (safe mode).
63 -v Print verbose information and debug messages.
65
72 ntfs-3g /dev/sda1 /media/win ; cd /media/win/WINDOWS/system32/config/
73 Mount the Windows file system and enters the directory \WIN‐
74 DOWS\system32\config where Windows stores the SAM database.
75 chntpw SAM system
77 Opens registry hives SAM and system and change administrator
78 account. This will work even if the name has been changed or it
79 has been localized (since different language versions of NT use
80 different administrator names).
81 chntpw -l SAM
83 Lists the users defined in the SAM registry file.
84 chntpw -u jabbathehutt SAM
86 Prompts for password for jabbathehutt and changes it in the SAM
87 registry file, if found (otherwise do nothing).
88
91 This program uses undocumented structures in the SAM database. Use with
92 caution (i.e. make sure you make a backup of the file before any
93 changes are done).
94 Password changing is only possible if the program has been specifically
96 compiled with some cryptographic functions. This feature, however, only
97 works properly in Windows NT and Windows 2000 systems. It might not
98 work properly in Windows XP, Vista, Win7, Win8 and later systems.
99 In the Debian distribution this feature is not enabled.
101
104 reged, samusrgrp, sampasswd
105 If you are looking for an automated procedure for password recovery,
107 you might want to check the bootdisks (can be used in CD and USB
108 drives) provided by the upstream author at http://pogo‐
109 stick.net/~pnh/ntpasswd/
110 You will find more information available on how this program works,
112 including in-depth details on how the registry works, in the text files
113 /usr/share/doc/chntpw/README.txt and /usr/share/doc/chntpw/MANUAL.txt
114
117 This program was written by Petter N Hagen.
118 This manual page was written by Javier Fernandez-Sanguino
120 <jfs@debian.org>, for the Debian GNU/Linux system (but may be used by
121 others).
122 13th March 2010 CHNTPW(8)