Bypassing Windows Logon Passwords

Bypassing Windows Logon Passwords


So I had a friend who had an old laptop sitting around collecting dust at home. He knew I was into computers and asked me if I wanted it. And you know a techie…. when someone throws out free hardware you just can’t complain or say no!!

However, he realized he did not remember his password, and wanted to see what files still were on the machine before he let me have it. He was sure he backed all files up awhile back when he got his new laptop. But, he wanted to be sure, and knowing I am a Security Analyst wondered if I could help him out. So, I went ahead and was able to obtain his password so he could login to delete or save any data he still wanted.

After I completed the task to recover the password, I decided it would make a great blog article to write about.

So here it is……

History Lessons

All Windows machines have a SAM file which hosts local user credentials. We will look at modifying this file to gain access to the machine.

If you have ever wondered where your username and passwords were stored… well now know!!

The SAM file

Windows SAM File

Windows SAM File

Why Would I Need To Recover A Password?

Why would someone need to use this tutorial?

I’ve written it up because sometimes people do actually forget their password. Now, they are locked out of their machine and may have some important files on there.

In no way do I suggest users use this tutorial for malicious or illegal purposes. It is strictly for educational purposes for those users that need to gain access back to their own windows machines.

Tools Required

The tool used for this tutorial can be obtained here –>

Additionally, you will also require a 4GB USB stick. (This is so you can boot Kali off of the USB and run it as a live OS)

What to expect

In this tutorial you will learn how to do any of the following:

  • Reset a Windows Password (Either as a blank password or your own created password)
  • Modify an existing local account so it gains “local administrator” privileges.
  • Unlock a locked out user account

The Tutorial

You will need to boot the tool via USB.

Load it in Live Forensic Mode.


Once the OS loads do the following:

Open the “My Computer” Window.

Find the hard drive and open it by double clicking on it (every

Find the hard drive name. (Every hard drive will have a different name)

Open up a terminal window

We now need to locate the Windows SAM file, which contains the usernames and password of all the local accounts on the machine.

Navigate to the following path: (it will be different for each user as every user will have a different hard drive name)


Screenshot from 2016-12-18 16_46_09

Screenshot from 2016-12-18 16_46_09

Navigate to the path where the SAM file is located () as your working directory.

Run the following command

chntpw -l SAM

Screenshot from 2016-12-18 16_47_32

Screenshot from 2016-12-18 16_47_32

The above command will list out all of the usernames that are on that specifc Windows system. The tool is able to go through the SAM file and obtain the usernames and local accounts.

chntpw -u “Administrator” SAM

Screenshot from 2016-12-18 16_49_29

Screenshot from 2016-12-18 16_49_29

At this stage we can see (below) there is a local account called “Win Lui”. This is the account that is being targeted for to obtain the password.

In the next section, option 1 is selected to “clear” the password or enter in a blank password for that associated user account.

Screenshot from 2016-12-18 16_49_59

Screenshot from 2016-12-18 16_49_59

Next we save the change made to the SAM file and confirm that the change was made without any errors or issues.

Screenshot from 2016-12-18 16_50_45

Screenshot from 2016-12-18 16_50_45

I used a well known tool called John The Ripper. It’s a great tool for password cracking

Cracking The Password

Now the last step allowed you to insert a blank password for a specific username. Another option and an additional step would be to use a tool to crack the passwords in the SAM file.

I’ve listed the steps below in my screenshot.

Screenshot from 2016-12-18 18_28_00

Screenshot from 2016-12-18 18_28_00

You take a DUMP of the SAM file and the information within that file. And, you use a password cracking tool such as John the ripper to find the password.

As we can see the password for the account is displayed as “winpeg”.

Screenshot from 2016-12-18 18_28_53

Screenshot from 2016-12-18 18_28_53

Reboot the machine and pull out the USB as it will no longer be needed.

Logon with the account. If you entered a blank password, then no password will be needed. If you entered a newly assigned password, then enter in the new password.

You should now be able to log into the machine with the assigned username.

Completed Task

And there you have it!

You now have access to your account and machine once again. I hope this helps out those users that get locked out of their machines.

If you find any other interesting methods to obtain passwords please feel free to share them in the comments section below.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.