LinuxCommandLibrary

chntpw

Reset or modify Windows account passwords

TLDR

List all users in the SAM file

$ chntpw -l [path/to/sam_file]

Edit user interactively
$ chntpw -u [username] [path/to/sam_file]

Use chntpw interactively
$ chntpw -i [path/to/sam_file]

SYNOPSIS

chntpw [options] [samfile]
chntpw -i [samfile]

PARAMETERS

samfile
    The path to the Windows SAM file. This is usually /path/to/windows/system32/config/SAM on a mounted Windows partition.

-i
    Interactive mode. Presents a menu for user selection and actions.

-l
    List all local users in the SAM file.

-u
    Specify a particular username to operate on. Used with other options.

-N
    Do not change password (used for other operations like clearing, enabling, disabling).

-E
    Clear (blank) the password for the specified user.

-d
    Disable (lock out) the specified user account.

-e
    Enable the specified user account (if disabled).

-v
    Verbose output, showing more details about operations.

-L
    List all user accounts with their Relative ID (RID), including disabled accounts.

-r
    Remove the password for a user account (same as -E).

-c
    Change password for a user. Requires interactive input.

-s
    Specify the path to the SYSTEM hive file (required for decryption).

-C
    Specify the path to the SECURITY hive file (required for decryption).

DESCRIPTION

chntpw is a utility for offline modification of the Security Account Manager (SAM) database file in Windows NT/2000/XP/Vista/7/8/10. Its primary purpose is to reset or clear local Windows user passwords, enable or disable user accounts, and promote or demote users between the administrator and standard user groups. It works by directly reading and modifying the SAM file, which typically resides in C:\Windows\System32\config\SAM on a Windows installation.

Because it operates offline, it does not need anyone to be logged in to Windows, which makes it useful for forgotten passwords and for managing user accounts on unbootable systems. Users typically run chntpw from a Linux live environment (e.g., a bootable USB drive or CD) after mounting the Windows partition containing the SAM file. It is a powerful tool for system recovery and administration, but it must be used carefully because it edits critical system files directly.

CAVEATS

Offline Access Required: chntpw operates only when the Windows system is offline and its disk can be mounted.
Data Corruption Risk: Improper use or power failure during operation can corrupt the SAM file, potentially rendering Windows unbootable. Always back up critical files (SAM, SYSTEM, SECURITY hives) before use.
Encrypted Drives: It cannot access or modify SAM files on encrypted drives (e.g., BitLocker, VeraCrypt) unless the drive is first unlocked and mounted.
Local Accounts Only: chntpw only affects local Windows accounts and cannot reset passwords for domain accounts.
Password Hashes: It clears or resets the password; it does not reveal the original password.
UAC and Modern Windows: On Windows 7 and newer, UAC (User Account Control) might behave unexpectedly after a password reset, sometimes requiring a temporary password or further configuration to restore full functionality.

LOCATING SAM FILE

The SAM file is typically found at C:\Windows\System32\config\SAM on a Windows installation. You will also often need the SYSTEM and SECURITY hive files (C:\Windows\System32\config\SYSTEM and C:\Windows\System32\config\SECURITY) for chntpw to function correctly, especially for decrypting the SAM file's contents.

USAGE WITH LIVE ENVIRONMENTS

To use chntpw, you typically boot your computer from a Linux live CD/USB (e.g., Ubuntu, Kali Linux, SystemRescueCd). Once in the live environment, you mount the Windows partition (e.g., /dev/sda1 to /mnt/windows) and then specify the full path to the SAM file, like /mnt/windows/Windows/System32/config/SAM.

BACKUP RECOMMENDED

Before any operation, it is highly recommended to create backups of the SAM, SYSTEM, and SECURITY hive files. Copying them to a safe location (e.g., another drive or USB) can prevent data loss in case of corruption.
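The backup step above, as an added example (not part of chntpw or of the original page). It assumes the Windows partition is already mounted and that GNU find and sha256sum are available in the live environment; the function names and the backup path in the usage comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: copy the SAM, SYSTEM and SECURITY hives to a backup
# directory and verify the copies before running chntpw.
# Usage (paths are examples): backup_hives /mnt/windows /media/usb/hive-backup

# Print the hive directory under mount point $1. The match is
# case-insensitive because the on-disk name may be Windows/System32/config,
# WINDOWS/system32/config or another mix of case.
find_hive_dir() {
    find "$1" -maxdepth 3 -type d -ipath "$1/windows/system32/config" -print -quit
}

# Copy the three hives from mount point $1 into backup directory $2,
# record their SHA-256 sums, then re-read the copies and check them.
# Returns non-zero if the directory or any hive is missing, or if a
# copy does not match its recorded checksum.
backup_hives() {
    local mnt="${1%/}" dest="$2" dir hive src
    dir="$(find_hive_dir "$mnt")"
    [ -n "$dir" ] || { echo "no config directory under $mnt" >&2; return 1; }
    mkdir -p "$dest" || return 1
    : > "$dest/SHA256SUMS"
    for hive in SAM SYSTEM SECURITY; do
        # Hive file names can also differ in case (SYSTEM vs system).
        src="$(find "$dir" -maxdepth 1 -type f -iname "$hive" -print -quit)"
        [ -n "$src" ] || { echo "missing hive: $hive" >&2; return 1; }
        cp -p -- "$src" "$dest/$hive" || return 1
        (cd "$dest" && sha256sum "$hive" >> SHA256SUMS) || return 1
    done
    (cd "$dest" && sha256sum -c SHA256SUMS > /dev/null)
}
```

Keeping SHA256SUMS next to the copies lets you confirm later, with sha256sum -c, that the backup itself has not changed before you restore from it.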

HISTORY

Developed by Petter Nordahl-Hagen, chntpw was created as a robust solution for a common problem: forgotten Windows passwords. Its development focused on providing a direct, offline method to manipulate the Windows SAM database, making it a staple in IT troubleshooting and recovery toolkits. Despite the evolution of Windows security, its core functionality remains vital for scenarios where traditional password recovery methods are unavailable or impractical.

SEE ALSO

passwd(1), usermod(8), useradd(8), userdel(8)
