How to reset a Windows password with Linux

Lost your Windows login? The chntpw utility can save the day.

If you (or someone you know) ever forget your Windows password, you'll be glad to know about chntpw, a neat Linux utility that you can use to reset a Windows password. For this how-to, I created a Windows virtual machine and set the password to pass123 on my user account, Archit-PC. I also created a Live USB with Fedora 27 using the Fedora Media Writer application.

Here are the steps, along with screenshots, to guide you through the quick and super easy process of resetting your Windows password with chntpw.

1. Attach the Live USB to your PC and restart from the login screen, as shown below:

Windows login screen

2. Boot from the Live USB and click on Try Fedora:

Booting into Fedora

Fedora install screen

3. Log out from live-user and log into root. This step is not necessary, but I prefer to use the root user to bypass any permission issues:

Logging in as root

4. Install the chntpw utility with the following command (you'll need a live internet connection for this):

sudo dnf install -y chntpw

Installing chntpw

5. Check which partition should be mounted with sfdisk -l ...:

Checking which partition to load with sfdisk

and mount that partition (e.g., /dev/sda2) with the following command:

sudo mount /dev/sda2 /mnt/Microsoft/

Output screenshot: sudo mount /dev/sda2 /mnt/Microsoft/

Change the current directory to the config directory:

cd /mnt/Microsoft/Windows/System32/config/

Changing to config

Also, check the user records in the Security Account Manager (SAM) database:

Checking SAM database

6. Edit the SAM database with the command:

sudo chntpw -i SAM

Then type 1 (for Edit user data and passwords):

Select 1 for Edit user data and passwords

And type your user account name (i.e., Archit-PC in this example) for the username:

Enter your username

7. Type 1 to clear the user password or 2 to set a new password for the Archit-PC user, then quit and save the changes:

Edit user menu

Confirmation that password was cleared

8. Reboot to Windows. If you selected 1 above, you'll see there's no password required to log in. Just click Sign in and you will be logged in:

Windows login screen

Logged into Windows
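
Two checks that fit around steps 5 and 6, as an added example that is not part of the original article: classify_volume reads the boot-sector OEM ID to tell a plain NTFS partition from a BitLocker one (which cannot be mounted and edited this way), and backup_hive keeps a verified copy of SAM before chntpw changes it. The function names, the constructed sample files and the /root/SAM.bak destination are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): checks around steps 5 and 6.

# Print the 8-byte OEM ID stored at offset 3 of a volume boot sector.
oem_id() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null | tr -d '\0'
}

# Classify a partition or image file: ntfs, bitlocker or unknown.
classify_volume() {
    case "$(oem_id "$1")" in
        "NTFS    ") echo ntfs ;;       # plain NTFS: mountable, SAM editable offline
        "-FVE-FS-") echo bitlocker ;;  # BitLocker: SAM unreachable without the key
        *)          echo unknown ;;
    esac
}

# True if the file starts with the registry hive signature "regf".
is_hive() {
    [ "$(dd if="$1" bs=1 count=4 2>/dev/null | tr -d '\0')" = "regf" ]
}

# Copy a hive aside and confirm the copy is byte-identical before editing.
backup_hive() {
    is_hive "$1" || { echo "$1 is not a registry hive" >&2; return 1; }
    cp -- "$1" "$2" || return 1
    cmp -s "$1" "$2"
}

# Constructed sample data: two 11-byte boot-sector stubs and a stub hive.
make_samples() {
    printf '\353\122\220NTFS    ' > "$1/ntfs.img"
    printf '\353\130\220-FVE-FS-' > "$1/bitlocker.img"
    printf 'regf-constructed-hive' > "$1/SAM"
}

# Usage on the live system (device and mount point as in the article):
#   classify_volume /dev/sda2       # before "mount /dev/sda2 /mnt/Microsoft/"
#   backup_hive SAM /root/SAM.bak   # in the config directory, before "chntpw -i SAM"
#                                   # (/root/SAM.bak is a hypothetical destination)
demo() {
    d=$(mktemp -d) && make_samples "$d"
    for f in ntfs.img bitlocker.img; do echo "$f: $(classify_volume "$d/$f")"; done
    backup_hive "$d/SAM" "$d/SAM.bak" && echo "SAM backed up and verified"
    rm -rf "$d"
}
demo
```

The live session's home directory lives in RAM, so copy the backup to persistent storage if you want to keep it after rebooting.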

That's all there is to it! I hope this will be helpful if you ever need to reset a Windows password.

OpenStack enthusiast. Linux and Networking guy. Just trying to give my two cents in this billion-trillion dollar "Open Source" world.


It really worked

Spotted a small glitch. Looks like the screenshot that is supposed to illustrate the execution of a mounting command, sudo mount /dev/sda2 /mnt/Microsoft/, is wrong. For me it shows the result of the execution of a chntpw command, sudo chntpw -i SAM.

While I love Fedora, Clonezilla has chntpw already there.
I have Clonezilla in my PXE boot arsenal.

This is great! Thanks for sharing. I have used Linux to rescue a number of crashed/trashed Windows computers. This is the most complete description I have ever seen of how to use chntpw.

Superb beginning of the day :) thanks for this post :+1

"3. Log out from live-user and log into root. This step is not necessary, but I prefer to use the root user to bypass any permission issues:

Logging in as root

4. Install the chntpw utility with the following command (you'll need a live internet connection for this):
sudo dnf install -y chntpw"

You are saying log in as root. You don't need sudo if you are already root.

Thanks John, that’s correct. I used this command so that a person using live-user can also execute it without any modifications, hope this makes sense. :)


Thanks for the tip, might come in handy! BTW you don't need to use sudo if you're already working as root.

Thanks for the great tutorial. More grease to your elbows.

This only works if your Windows drive is not encrypted. If you have encrypted it using the storage option of Windows, you won't even be able to mount the volume correctly and edit its content from an external tool to clear the password stored in the SAM registry file, you first need the password.
It may also not work if the encryption password comes from the TPE module which won't allow you to boot from the external drive which was not first allowed to run as it was not signed.
But anyway it's good to signal users that their Windows password is not a real protection for their data, and that it can be easily cleared in most cases: suppose your PC is stolen (or seized by the police/justice...), they know what they can do easily to enter your drive and get access to all the contents.
Also clearing a password this way may invalidate all access tokens that allow you to use some remote sites or storage that will need a new authorization, because the SAM database will no longer have the necessary access tokens. Your PC will then be "disconnected" from a secure corporate domain and you'll need to contact the domain admin to reauthorize your PC (and before they accept to reconnect you they'll want to inspect your PC, and may force you to reinstall it completely).
So don't do that to bypass the protections that have been set in a corporate domain against such personal use of a PC you don't really own and have no right to administer yourself.

I thought we can just rename cmd to sethc and press ctrl alt del when reboot windows...

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.