Winpass is a bash wrapper script for chntpw, supplied with Trinity Rescue Kit, that resets local passwords on MS Windows NT-based systems (NT, XP, Vista, Seven, 2003, 2008). If you have forgotten your password, winpass can remove it.

By default, winpass without any arguments resets the built-in Administrator account of a locally installed Windows, but you can specify other accounts on the command line as well. In fact, any chntpw parameter you add is passed through to the chntpw command line, so winpass -l lists all usernames found in the SAM (the Windows user and password database). Should the username contain characters that are hard to type or that the shell treats specially (such as Ø), you can still use the hex reference listed next to it; be sure to prepend it with '0x'. More on that can be found in the chntpw manual.

Winpass does not reset any Active Directory passwords.

-l
list the usernames contained in the SAM of the local computer and exit
-i
run chntpw interactively. This option lists the local usernames and lets you choose from them
-e, regedit
run as a registry editor (the same as invoking the script as regedit). To get a list of commands in the editor, type "?"
-u "username"
optional username if the user you wish to reset is not "Administrator". Be sure to quote the username if it contains whitespace
--restore
restore the original SAM file, thus restoring the original password/user situation from before the first time winpass was ever run. Should you somehow have messed up the user accounts, you can go back to the original situation with this option. Since build 338 the option to overwrite the backup when winpass is run multiple times has been disabled, to protect users who answer yes to every question being asked. Removing the backup must now be done manually. In general you can find it under /sda1/WINDOWS/system32/config/SAM

Example:

Here is an example of resetting the password for the user "John Doe". Note the double quotes around the username.

[root@trk]:(~)# winpass -u "John Doe"
Searching and mounting all filesystems on local machine
Remounting NTFS partitions with ntfs-3g
Result of mounting:
/dev/hda1 on /hda1 type fuseblk (rw,allow_other,blksize=4096)
Windows NT/2K/XP installation(s) found in:
1: /hda1/WINDOWS
Make your choice or 'q' to quit [1]: 1
Ok, continue
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x8000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 317/24808 blocks/bytes, unused: 6/3640 blocks/bytes.

Hive <SECURITY> name (from header): <\SystemRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x10000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 15 pages (+ 1 headerpage)
Used for data: 1108/53920 blocks/bytes, unused: 11/7040 blocks/bytes.

* SAM policy limits:
Failed logins before lockout is: 3
Minimum password length        : 7
Password history count         : 7
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 03eb | ASPNET                         | ADMIN  |          |
| 01f5 | Guest                          | ADMIN  | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03f0 | John Doe                       | ADMIN  |          |
| 03ea | SUPPORT_388945a0               |        | dis/lock |

---------------------> SYSKEY CHECK <-----------------------
SYSTEM   SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F             : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: 1 -> key-in-registry
Syskey not installed!

RID     : 1008 [03f0]
Username: John Doe
fullname: John Doe
comment :
homedir :

User is member of 2 groups:
00000221 = Users (which has 4 members)
00000220 = Administrators (which has 7 members)

Account bits: 0x0010 =
[ ] Disabled        | [ ] Homedir req.    | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
[ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
[ ] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
[ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |

Failed login count: 0, while max tries is: 3
Total  login count: 0

- - - - User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!

Hives that have changed:
 #  Name
 0  <SAM>  - OK

Backup file already exists. Not touching this file. Please be aware that 'winpass --restore' would restore the very original file from before winpass was ever run
Writing /hda1/WINDOWS/system32/config/SAM
[root@trk]:(~)#
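As an added example (not code from winpass or chntpw), the following Python parser reads the account table that winpass -l / chntpw print, as in the session above, into records that carry the RID both in decimal and in the 0x form winpass accepts in place of a username. That lets an administrator booting the rescue kit audit which local accounts are enabled administrators and pick the 0x reference for a name that is awkward to type or quote. The table text is constructed sample input; the Jørgen row is invented to show the non-ASCII case.

```python
import re

# Constructed sample input: the account table in the shape chntpw 0.99.6 prints it
# (rows taken from the session above, plus one constructed non-ASCII username).
SAMPLE_TABLE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  |          |
| 03eb | ASPNET                         | ADMIN  |          |
| 01f5 | Guest                          | ADMIN  | dis/lock |
| 03e8 | HelpAssistant                  |        | dis/lock |
| 03f0 | John Doe                       | ADMIN  |          |
| 03ea | SUPPORT_388945a0               |        | dis/lock |
| 03f1 | Jørgen                         |        |          |
"""

# One table row: 4-hex-digit RID, username, optional ADMIN flag, optional dis/lock flag.
ROW_RE = re.compile(
    r"^\|\s*([0-9a-fA-F]{4})\s*\|(.*?)\|\s*(ADMIN)?\s*\|\s*(dis/lock)?\s*\|\s*$"
)

def parse_user_table(text):
    """Return one dict per account row; the header and any other output lines are skipped."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rid_hex, name, admin, lock = m.groups()
        users.append({
            "rid": int(rid_hex, 16),            # decimal RID, as in "RID : 1008 [03f0]"
            "rid_ref": "0x" + rid_hex.lower(),  # hex reference winpass accepts instead of a name
            "username": name.strip(),
            "admin": admin is not None,
            "disabled_or_locked": lock is not None,
        })
    return users

def username_arg(entry):
    """Value to pass to winpass -u: the name itself when it is plain ASCII,
    otherwise the 0x RID reference, which sidesteps quoting and keyboard issues."""
    name = entry["username"]
    return name if name.isascii() else entry["rid_ref"]

def enabled_admins(users):
    """Accounts flagged ADMIN that are neither disabled nor locked: the ones to review
    first when auditing what an unattended, unencrypted disk exposes."""
    return [u["username"] for u in users if u["admin"] and not u["disabled_or_locked"]]
```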

For the full documentation, refer to the online manpage:

http://trinityhome.org/manpages/man8/winpass.8.html

regedit

This is actually the same script as winpass, but called in this way it copies all registry hives and opens them (sam, security, system and software). The only drawback is that it cannot know which user registry to open, since user hives are located in different directories. Because chntpw is not scriptable, I cannot read registry hives from a shell script to determine the location of the user hives.

Once running, refer to the documentation of chntpw/regedit on how to use it.