│   │   │   │   │   │   │   │   │ 

Administrator Password in Windows XP: how to reset it if you forget (Part 3a)

Linux boot disks: (1) Offline NT Password and Registry Editor 050303

This is an updated version of the article. An older version of this article discussing Offline NT Password and Registry Editor 040116 can be found here. A newer version than 050303 has now been released (driver updates only) so I won't keep testing newer ones.


Topics on this page:

Methods to reset the Administrator or administrative user password: individual methods in detail (continued from Part 2)

[5] Linux boot disks



Methods to reset the Administrator or administrative user password: individual methods in detail

(continued from Part 2)


5. Linux boot disks

5.1a. Offline NT Password and Registry Editor 050303

This is a downloadable free Linux boot floppy or CD by Petter Nordahl-Hagen (homepage). It can reset the Administrator and the other user account passwords. It also can edit some settings with regard to the passwords like: failed logon before lockout, minimum password length and password history count. Note that various versions are still available on the internet, sometimes under different names and disguise. Use the latest version from the author's homepage.

I've only tried blanking the password (the instructions advised doing this rather than resetting another password) and that is sufficient for the purpose of being able to login. Read the instructions and FAQ on the author's website carefully.

the following illustrates the process of resetting the Administrator password using the CD. This time the programme ran without a hitch in VMWare (actually it booted directly from the iso on the hard disk) running Windows XP SP2. I've not tested it on SATA drives.

I have cut up the screenshots (and paste adjoining shots together to avoid splitting) for clarity and divide the the procedure into smaller steps for you to follow. The STEP ONE to STEP FOUR titles mentioned in the headings below actually refer to the onscreen headings.


(1). Initial Loading Screens

The first two screens load and scroll quickly and the programme pauses at the third screen when user input is required. To save space I've not included the first two screenshots here but they are just filled with plain text. In the third screen it tells you that:

HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN...

so just bear this in mind.

In the bottom half of the screen you'll see five consecutive logical steps outlined that the programme goes through (fig. 1).

- Disk select with optional loading of disk drivers
- PATH select, where are the Windows systems files stored
- File-select, what parts of registry we need
- Then finally the password change or registry edit itself
- if changes were made, write them back to disk


Programme pauses at the third screen.

Fig. 1. Programme pauses at the third screen.


(2). Step ONE: Select disk where the Windows installation is

You will be presented with a list of all the disks and partitions that can be detected, using Linux nomenclature. This also includes the size in MB and "Boot" if it is a bootable partition. In the example below only one partition is available (fig. 2).

Step One.

Fig. 2. Step ONE.


(3). Please select partition by number

The first (and only) choice is offered in this example and the prompt already presents [1]  by default. If the choice is correct, press ENTER. If your setup is different, make your choice accordingly (fig. 2 above).

The next lines shows choice 1 is selected and the partition mounted. NTFS volume version 3.1 is not quite accurate but can be ignored.


(4). * Step TWO: Select PATH and registry files

In figure 3,

What is the path to the registry directory? (relative to windows disk) [WINDOWS/system32/config]:

The default as shown is the correct choice. Press ENTER.

Step Two.

Fig. 3. Step Two.


(5). Select which part of registry to load, use predefined choices

In the next question: simply accept the default choice [1] and press ENTER (fig. 3 above).


(6). Step THREE: Password or registry edit

The chunk of text (immediately below the Step THREE heading) listing the hive and offsets can be ignored unless you are interested in these details. But have a look at the three security settings listed in the next block of text showing

* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length: 0
Password history count: 0

(fig. 4). These settings can be found in Windows XP Professional's Local Security Policy Microsoft Management Console (mmc) snap-in.

Step three, SAM policy limits

Fig. 4. Step three, SAM policy limits


(7). <====<> chntpw Main Interactive Menu <>====<>

This menu first shows the options for loaded hives (fig. 5).

What to do? [1] ->

Option 1 (presented by default) is the correct choice. Press ENTER.


(8). ===== chntpw Edit User Info & Passwords ====

Next, under this subheading is a list of all the accounts that can be detected in SAM. The built-in Administrator account is the first listed. Other entries would depend on your setup. Note that here my own account <Kilian> is listed but the information *disabled or locked* is incorrect as my account is neither disabled or locked. This can be ignored.

To choose the Administrator account (presented by default), press ENTER at the line that begins with:

or simply enter the username to change: [Administrator].


(8a). If the Administrator password is not blank:

The rest of the text shows the information about this account. This is why you are using the programme to blank the password.

chntpw Main Interactive Menu

Fig. 5. chntpw Main Interactive Menu


(8b). If the Administrator password is blank:

If, however, in the above step the Administrator password is already blank when you run the programme, it correctly identifies this fact (fig. 6). You would not normally run the programme if the password is blank but you can blank the password of another account.

Blank Administrator password reported

Fig. 6. Blank Administrator password reported


(9). login count information

The next few lines show more security settings relating to login count for this account. The text output differs depending on whether the account password is blank or not.

If the password is not blank this is what you see (fig. 7):

login count information

Fig. 7. login count information


If the Administrator password is blank, there are extra lines again reporting this fact (fig. 8).

login count information and blank password warning.

Fig. 8. login count information and blank password warning.


(10). Please enter new password:

To answer the next question, choose the option to blank the password is what I tried and worked on several occasions. Therefore type * and press ENTER.

Do you really wish to change it? (y/n) [n]

If you wish to proceed, press y to confirm and ENTER (fig. 9).

Options and confirmation to change the password

Fig. 9. Options and confirmation to change the password


(11). Select: ....or simply enter the username to change: [Administrator]

This question comes up again, If you do not wish to do anything else, type ! to quit (fig. 9 above).

After this you are presented with the menu again. If you do not wish to do anything else, in this question:

What to do? [1] ->

type q and ENTER to quit.


(12). STEP FOUR: Writing back changes

In the question:

About to write file(s) back! Do it? [n]

type y to proceed (fig. 10).

Step Four: writing files and quit.

Fig. 10. Step Four: writing files and quit.


The various NTFS-fs error messages can be ignored. It does not seem to affect the operation, as shown in the messages further down.

(13). New run? [n] :

To quit the programme, accept the default [n] to the question:and press ENTER.


(14). Press CTRL-ALT-DEL to reboot now (remove floppy first).

This instruction applies to CD as well.


(15). NTFS partition /dev....was processed successfully.

NOTE: Windows will run a diskcheck <chkdsk> on next boot.
NOTE: this is to ensure disk intergity
[sic] after the changes

Note this message about chkdsk on next reboot in the last screen. In several trials that I've done chkdsk ran without any problems immediately on reboot.

When using the Administrator account to logon, the password is found to be blank. Creating a new password after logon is straight forward.




This CD version runs in VMWare without problems.

Just accepting the default options would suffice for changing the Administrator password alone on the first partition.

It correctly blanks the several different Administrator passwords and includes blanking the blank password. I've not tested resetting a new password. After rebooting you have to re-create a new password.

The programme loads and runs speedily (even in VMWare).

Check disk (chkdsk) runs without any problems afterwards.

Compared to some other commercial tools, this is free and it does its job.

There are a few minor errors and criticisms:

Compared to other tools, the user interface can be a little unintuitive to the novice and users unfamiliar with Linux nomenclature.

There is perhaps too much text on the screen and this can be intimidating to some users who are not interested in details. When the text scrolls on the screen it can be a bit difficult to follow what is happening at first.

NTFS volume version 3.1 is not quite accurate but can be ignored and does not affect the operation.

It incorrectly identifies my own user account to be disabled and locked every time.

There are some error messages at the end but which can be ignored.

There is a minor spelling mistake in the text message (integrity) towards the end.

"Press CTRL-ALT-DEL to reboot now (remove floppy first)" - this applies to CD as well.



To be continued in other parts.

Go to TOP

Go to Part 4



Copyright 2003-2005 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author.

This is not an official support page for any products mentioned. All the products mentioned are trademarks of their companies.

Created 24 Mar 2005; last updated 21 June 2006