I recently had to recover a password for a friend who had purchased a Windows 8 computer but had forgotten the password he had created for his account. He did not have a recovery CD, so I figured I would attempt to recover the password. The account was linked to his online Microsoft account, so I asked him to go online from another computer and try to recover his online password; however, he was unable to do that either. Anyhow, it’s really easy to recover, delete or change your Windows password.
I take no responsibility if you mess up your computer, and please do not use this for illegal purposes.
Quick Background about Windows Passwords
Computer systems that require authentication generally store passwords in a database either as hashes or in plaintext; these days almost all of them store hashes. When a user creates a password, it is run through a hash function and the resulting hash value is saved in the database. When the user later enters his/her password to log in again, the plaintext value entered is hashed the same way and the result is compared to the stored hash to see whether it matches.
There is technically no way to “decrypt” a hashed value; instead, the plaintext password must be guessed, and the hash of each guess compared to the hash stored for that user. The hashing function is a one-way formula: it can be used to convert plaintext into a hash, but the function cannot be reversed.
A Windows computer uses Syskey to encrypt its password hashes a second time with a 128-bit RC4 encryption key. This key is called the “bootkey” and can be found in the C:\Windows\repair directory. There are tools (bkhive) designed to extract the bootkey from the System file. Then you can use a utility such as samdump2 and feed it the extracted bootkey to get your hash values.
If you were to look at a dumped hashed password, it would look something like:
There are lots of tools that exist to extract the hashes from the Windows SAM file and attempt to brute force the passwords. The software typically takes plaintext words, hashes them, and compares the results to the hash values in the SAM file. It can also use tables of pre-computed hashes (known as rainbow tables), which makes the cracking quicker. However, since I’m not really showing you how to crack passwords, just reset them, we will not be concentrating on these tools.
To read more about Rainbow Tables see http://kestas.kuliukas.com/RainbowTables/.
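As an added illustration of the hash-and-compare scheme described above, and of why pre-computed tables speed up cracking, here is a small Python program (my example, not code from the original post) that stores a password as a hash, verifies a login by re-hashing, and builds a toy hash-to-password table from a constructed wordlist. SHA-256 stands in for whatever hash a given system uses; the wordlist, password and salt are constructed for the example. The salted variant goes one step beyond the post: Windows NT hashes are unsalted, which is exactly why a table computed once works against every account, and the salted store shows the standard defence against that.

```python
"""Added example, not code from the original post: password storage by
hashing, verification by re-hashing and comparing, and why a precomputed
hash-to-password table (the idea behind rainbow tables) works against an
unsalted store but not against a salted one. SHA-256 stands in for whatever
hash a given system uses; the wordlist and passwords are constructed here."""
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hash salt || password and return the hex digest.

    An empty salt models an unsalted store such as the Windows NT hash,
    where identical passwords always yield identical hashes.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def verify_password(candidate: str, stored_hash: str, salt: bytes = b"") -> bool:
    """Re-hash the candidate the same way and compare; the stored hash is
    never 'decrypted'. compare_digest avoids a timing side channel."""
    return secrets.compare_digest(hash_password(candidate, salt), stored_hash)


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext for every word. This is done once and
    reused against any unsalted store that uses the same hash function."""
    return {hash_password(word): word for word in wordlist}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the plaintext with one dictionary lookup, or None if absent."""
    return table.get(stored_hash)


# Constructed sample wordlist; a real table would hold millions of entries.
SAMPLE_WORDLIST = ["letmein", "qwerty", "Password123", "summer2016"]


def demo(password: str = "Password123") -> Tuple[Optional[str], Optional[str]]:
    """Return (found_unsalted, found_salted) for the same password stored
    two ways: once unsalted, once with a random per-account salt."""
    table = build_lookup_table(SAMPLE_WORDLIST)

    unsalted = hash_password(password)
    found_unsalted = lookup(unsalted, table)      # hit: table was built the same way

    salt = secrets.token_bytes(16)                # per-account random salt
    salted = hash_password(password, salt)
    found_salted = lookup(salted, table)          # None: table knows nothing of this salt

    # Legitimate verification still works, because the salt is stored beside the hash.
    assert verify_password(password, salted, salt)
    return found_unsalted, found_salted


if __name__ == "__main__":
    print(demo())  # ('Password123', None)
```

Run it as a script to see the unsalted hash recovered from the table and the salted one missed; the salt is not secret, it just forces the attacker to recompute the table per account instead of once.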
I was initially going to use Ophcrack to crack the password, however the owner said that he would be happy if I could just reset/delete the password altogether, but retain the files on the computer.
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms. –http://ophcrack.sourceforge.net/
If you must recover the password itself, for whatever reason, Ophcrack is a very well-known (and old) tool for cracking/recovering passwords, and they even offer a live CD to boot from. As you will see below, the easiest way to delete/reset a password is to boot another OS (such as Linux) from a USB drive on the same computer and access the Windows SAM file from there.
Anyhow, instead of using Ophcrack to attempt to crack the password, I went ahead and tried other approaches because I had physical access to the machine, and, as stated earlier, the owner did not care whether the password was deleted or reset. That saved me a lot of time.
Windows SAM file
The SAM file lives in the C:\Windows\System32\config directory of the machine (its contents are also exposed in the registry under HKEY_LOCAL_MACHINE > SAM) and stores the local user account information. However, direct access to the file is locked while Windows is running, so it isn’t really that easy to read the data. The kernel holds the SAM file locked once the user boots into Windows, and while there are ways to dump what’s in memory (see pwdump), they are not covered here.
Although there are multiple tools you can use to recover your Windows 7/8/10 password, ever since Microsoft allowed you to sign in with a Microsoft online account instead of a local account, some tools may or may not work. You might just be better off doing an online password reset.
LM Hash vs NTLM Hash
Windows generally uses two different types of hashes: LAN Manager (LM) and NT LAN Manager (NTLM). Only LM hashes were used up until Windows NT; Windows XP uses both LM and NTLM, while Windows 7 and above use NTLM hashes exclusively. These days LM hashes can be brute forced within minutes, so Microsoft needed a stronger hash. Cracking NTLM hashes can take years or even a lifetime, depending on how long the password is. That being said, cracking NTLM hashes can also be done in minutes if the password is short. So, as you can see, it’s probably quicker to just reset the password if you have physical access to the machine.
One tool that I have used before is named chntpw. It is free and works great. If you have physical access to the machine, I think it is easier to boot a live Linux distro from a USB drive on your Windows 7/8/10 PC and run a tool like chntpw to change/delete the password than to try to guess it by brute force.
If you don’t have chntpw, open a terminal and run:
apt-get install chntpw
If you don’t have a live Linux distro, I recommend creating one first, because you will need it to access the SAM file and use the tool. Any Linux distro will do, but if you want to install Kali, you can read my tutorial on creating a Kali Linux persistent USB. Ubuntu and Mint would work just as well.
There’s a great tutorial, with pictures, on the chntpw website: http://www.chntpw.com/guide/, so I don’t feel it’s really necessary to write one here.
Basically, after installing chntpw, you run the following command to get the list of users in your SAM file:
chntpw -l <sam file>
Once you know which user you want to modify, you type:
chntpw -u <user> <sam file>
From here you can select whether you want to delete the password (1) or change the password (2).
After you are done, save the changes, restart the machine, and remove the USB drive so it doesn’t boot back into Linux.
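The chntpw steps above, collected into a small helper script for a Windows volume that is already mounted from the live Linux system. This is an added example, not part of the original post or of chntpw itself; the mount point /mnt/windows and the script name are assumptions. Besides wrapping the two chntpw commands, it does two checks that commonly trip people up: it locates the SAM hive case-insensitively, because the on-disk spelling of Windows\System32\config varies between installs while Linux path lookup is case-sensitive, and it refuses to edit a read-only mount, because a Windows 8/10 volume left in the Fast Startup (hibernated) state is mounted read-only by ntfs-3g and chntpw cannot save its changes until Windows has been shut down fully. None of this works on a BitLocker-encrypted volume, which is the usual defence against offline edits of the SAM.

```shell
#!/bin/sh
# Added helper script, not part of the original post or of chntpw.
# Assumes the Windows system volume is already mounted (read-write) at the
# mount point given as the first argument, e.g. /mnt/windows.

# Print the path of the SAM hive below MOUNTPOINT (first match) or nothing.
# -ipath matches the whole path case-insensitively, so WINDOWS/system32 and
# Windows/System32 are both found.
find_sam_file() {
    find "$1" -maxdepth 4 -type f -ipath '*/windows/system32/config/sam' 2>/dev/null | head -n 1
}

# Succeed only if MOUNTPOINT accepts writes. A hibernated (Fast Startup)
# volume is mounted read-only by ntfs-3g, and chntpw could not save changes.
require_writable() {
    probe="$1/.chntpw-write-probe"
    if touch "$probe" 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    echo "$1 is not writable (Fast Startup/hibernation?). Shut Windows down fully, then remount." >&2
    return 1
}

# List the accounts in the hive: chntpw -l <sam file>
list_users() {
    sam=$(find_sam_file "$1")
    [ -n "$sam" ] || { echo "no SAM hive found under $1" >&2; return 1; }
    chntpw -l "$sam"
}

# Open chntpw's interactive menu for one account: chntpw -u <user> <sam file>
edit_user() {
    sam=$(find_sam_file "$1")
    [ -n "$sam" ] || { echo "no SAM hive found under $1" >&2; return 1; }
    require_writable "$1" || return 1
    chntpw -u "$2" "$sam"
}

# Usage: sh chntpw-helper.sh /mnt/windows          (list accounts)
#        sh chntpw-helper.sh /mnt/windows <user>   (edit one account)
if [ $# -ge 1 ]; then
    if [ $# -ge 2 ]; then
        edit_user "$1" "$2"
    else
        list_users "$1"
    fi
fi
```

Mount the Windows partition first (for example `mount -t ntfs-3g /dev/sda2 /mnt/windows`; the device name is whatever `lsblk` shows for your disk), run the script with just the mount point to see the account list, then again with the account name to get the chntpw menu from the post.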
If you prefer a GUI tool, PCUnlocker has to be one of the easiest to use, however only the trial version is free.
Creating a PCUnlocker bootable flash drive is as easy as downloading the ISO and burning the image using a tool such as Rufus.
Rufus is a very small tool that lets you make a bootable USB drive and doesn’t require installation, which is why I like to use it. Click the button highlighted in red below, load the PCUnlocker ISO and hit “Start”.
Once you have created the bootable PCUnlocker media, restart your computer and make sure it boots from the USB drive (or the CD drive, depending on which method you used to copy the bootable image). This can be done by changing the BIOS settings and/or pressing the F12 key (some computers may require a different key) during startup and picking the USB drive or CD.
BIOS settings with CD-ROM first
Since I opted to create a bootable USB instead of a CD, I changed my BIOS to boot from “Removable devices”.
If done correctly, you should see an old Windows version boot up (instead of Windows 7/8/10) and the PCUnlocker software should launch.
Under step 1: Select “Reset Local Admin/User Password”
Under step 2: Select the path to your SAM file. It should already be there, however if not, the path should be “C:\Windows\system32\config\SAM”
Under step 3: Select the account to reset the password for.
*Note: if the account uses an online Microsoft account, you should be able to see the email you registered under the “Description” column of the account list in PCUnlocker.
Then, just select “Reset Password” and “Restart” your machine.
Unplug the bootable USB drive you created (or remove the bootable CD) so you can boot back into your Windows 8/10 OS. Once you get back to the login screen, simply enter “Password123” as your account password and log in. From here, I would recommend changing your password.
In summary, it is very easy to recover a lost Windows password if you have local access to the machine. If you do not have local access, more steps would be required, which haven’t been covered in this article. Ophcrack, chntpw and PCUnlocker are all great tools. The whole process took about 5 minutes and is very easy to do. Instead of formatting your computer and losing all your files, give this a try. Well worth it.