Offline NT Password and Registry Editor - resetting a Windows password

To reset a user account password in Windows, you can use the Offline NT Password and Registry Editor utility.
So far the program has been tested on the following versions:
NT 3.51, NT 4, Windows 2000, Windows XP, Windows 2003 Server, Vista, Windows 7 and Server 2008.
It should work with all service packs (SP) and editions (Server, Professional, Home), as well as with 64-bit versions.

To create a bootable USB flash drive:

1. Unpack the files from the archive onto the flash drive
- the files must be in the root of the drive, not in a directory
- there is no need to format the drive or delete files for the installation
2. Install the bootloader (administrator rights required)
- run "syslinux.exe" from the command line, for example:
J:\syslinux.exe -ma J:
J is the letter assigned to your removable drive (replace it with yours)
the -ma parameter can be omitted if the installer reports an error

Note that you will have to change the BIOS settings to boot from USB.

Official developer page: http://pogostick.net/~pnh/ntpasswd/

Offline NT Password and Registry Editor archive: http://pogostick.net/~pnh/ntpasswd/usb110511.zip

The password reset proceeds as follows.
After booting you should see this:

  ISOLINUX 3.51 2007-06-10  Copyright (C) 1994-2007 H. Peter Anvin
  ***************************************************************************
  *                                                                         *
  *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
  *                                                                         *
  *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
  *                                                                         *
  * DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!          *
  *             THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE       *
  *             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
  *                                                                         *
  * More info at: http://pogostick.net/~pnh/ntpasswd/                       *
  * Email       : pnh@pogostick.net                                         *
  *                                                                         *
  * CD build date: Sun Sep 23 14:15:35 CEST 2007                            *
  ***************************************************************************
  Press enter to boot, or give linux kernel boot options first if needed.
  Some that I have to use once in a while:
  boot nousb          - to turn off USB if not used and it causes problems
  boot irqpoll        - if some drivers hang with irq problem messages
  boot nodrivers      - skip automatic disk driver loading
  boot:

Here it is enough to simply press "Enter".

Next, messages about the hardware installed in your computer are shown.

  Loading vmlinuz..................
  Loading scsi.cgz.........................
  Loading initrd.cgz..........
  Ready.
  Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
  BIOS-provided physical RAM map:
   BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
   BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
   BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
   BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
   BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
   BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
   BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
   BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
   BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
   BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
   BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
  792MB LOWMEM available.
  Zone PFN ranges:
    DMA             0 ->     4096
    Normal       4096 ->   202752
  early_node_map[1] active PFN ranges
 ...
  Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
  serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
  Floppy drive(s): fd0 is 1.44M
  FDC 0 is a post-1991 82077
  RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
  USB Universal Host Controller Interface driver v3.0
  Initializing USB Mass Storage driver...
  usbcore: registered new interface driver usb-storage
  USB Mass Storage support registered.
  serio: i8042 KBD port at 0x60,0x64 irq 1
  serio: i8042 AUX port at 0x60,0x64 irq 12
  usbcore: registered new interface driver usbhid
  drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
  Using IPI Shortcut mode
  BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
  Freeing unused kernel memory: 144k freed
  Booting ntpasswd
  Mounting: proc sys
  Ramdisk setup complete, stage separation..
  In stage 2
  Spawning shells on console 2 - 6
  Initialization complete!
  ** Preparing driver modules to dir /lib/modules/2.6.22.6
  input: AT Translated Set 2 keyboard as /class/input/input0

Next, the disk drivers are loaded.

  ** Will now try to auto-load relevant drivers based on PCI information
  ---- AUTO DISK DRIVER select ----
  --- PROBE FOUND THE FOLLOWING DRIVERS:
  ata_piix
  ata_generic
  mptspi
  --- TRYING TO LOAD THE DRIVERS
  ### Loading ata_piix
  scsi0 : ata_piix
  scsi1 : ata_piix
  ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
  ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
  ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
  ata2.00: configured for UDMA/33
  scsi 1:0:0:0: CD-ROM            NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
  sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
  Uniform CD-ROM driver Revision: 3.20
  ### Loading ata_generic
  ### Loading mptspi
  Fusion MPT base driver 3.04.04
  Copyright (c) 1999-2007 LSI Logic Corporation
  Fusion MPT SPI Host driver 3.04.04
  PCI: Found IRQ 9 for device 0000:00:10.0
  mptbase: Initiating ioc0 bringup
  ioc0: 53C1030: Capabilities={Initiator}
  scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
  scsi 2:0:0:0: Direct-Access     VMware,  VMware Virtual S 1.0  PQ: 0 ANSI: 2
   target2:0:0: Beginning Domain Validation
   target2:0:0: Domain Validation skipping write tests
   target2:0:0: Ending Domain Validation
   target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
  sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
  sd 2:0:0:0: [sda] Write Protect is off
  sd 2:0:0:0: [sda] Cache data unavailable
  sd 2:0:0:0: [sda] Assuming drive cache: write through
  sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
  sd 2:0:0:0: [sda] Write Protect is off
  sd 2:0:0:0: [sda] Cache data unavailable
  sd 2:0:0:0: [sda] Assuming drive cache: write through
   sda: sda1
  sd 2:0:0:0: [sda] Attached SCSI disk

These are driver messages about the make, model and size of the disks found.

  -------------------------------------------------------------
  Driver load done, if none loaded, you may try manual instead.
  -------------------------------------------------------------
  ** If no disk show up, you may have to try again (d option) or manual (m).

All drivers are loaded.

The process of finding user accounts and resetting the password begins. There is nothing to be afraid of here; it is usually enough to accept the options the program suggests.

  *************************************************************************
  * Windows Registry Edit Utility Floppy / chntpw                         *
  * (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net                    *
  * GNU GPL v2 license, see files on CD                                   *
  *                                                                       *
  * This utility will enable you to change or blank the password of       *
  * any user (incl. administrator) on an Windows NT/2k/XP/Vista           *
  * WITHOUT knowing the old password.                                     *
  * Unlocking locked/disabled accounts also supported.                    *
  *                                                                       *
  * It also has a registry editor, and there is now support for           *
  * adding and deleting keys and values.                                  *
  *                                                                       *
  * Tested on: NT3.51 & NT4: Workstation, Server, PDC.                    *
  *            Win2k Prof & Server to SP4. Cannot change AD.              *
  *            XP Home & Prof: up to SP2                                  *
  *            Win 2003 Server (cannot change AD passwords)               *
  *            Vista 32 and 64 bit                                        *
  *                                                                       *
  * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...       *
  *************************************************************************
  =========================================================
  There are several steps to go through:
  - Disk select with optional loading of disk drivers
  - PATH select, where are the Windows systems files stored
  - File-select, what parts of registry we need
  - Then finally the password change or registry edit itself
  - If changes were made, write them back to disk
  DON'T PANIC! Usually the defaults are OK, just press enter
               all the way through the questions

Step 1: Select the disk where Windows is installed

  =========================================================
  ¤ Step ONE: Select disk where the Windows installation is
  =========================================================
  Disks:
  Disk /dev/sda: 42.9 GB, 42949672960 bytes
  Candidate Windows partitions found:
   1 :        /dev/sda1   40958MB BOOT

Here one disk with one partition was found.

  Please select partition by number or
   q = quit
   d = automatically start disk drivers
   m = manually select disk drivers to load
   f = fetch additional drivers from floppy / usb
   a = show all partitions found
   l = show propbable Windows (NTFS) partitions only
  Select: [1]

Our choice is 1.

 Selected 1
  Mounting from /dev/sda1, with filesystem type NTFS
  NTFS volume version 3.1.

The NTFS file system on the selected device is mounted.

Step 2: Specify the registry directory

  =========================================================
  ¤ Step TWO: Select PATH and registry files
  =========================================================
  What is the path to the registry directory? (relative to windows disk)
  [WINDOWS/system32/config] :

The default directory is shown; it is enough to accept it, and we get a list of the files of interest.

  -rw-------    2 0        0          262144 Feb 28  2007 BCD-Template
  -rw-------    2 0        0         6815744 Sep 23 12:33 COMPONENTS
  -rw-------    1 0        0          262144 Sep 23 12:33 DEFAULT
  drwx------    1 0        0               0 Nov  2  2006 Journal
  drwx------    1 0        0            8192 Sep 23 12:33 RegBack
  -rw-------    1 0        0          524288 Sep 23 12:33 SAM
  -rw-------    1 0        0          262144 Sep 23 12:33 SECURITY
  -rw-------    1 0        0        15728640 Sep 23 12:33 SOFTWARE
  -rw-------    1 0        0         9175040 Sep 23 12:33 SYSTEM
  drwx------    1 0        0            4096 Nov  2  2006 TxR
  drwx------    1 0        0            4096 Feb 27  2007 systemprofile
  Select which part of registry to load, use predefined choices
  or list the files with space as delimiter
  1 - Password reset [sam system security]
  2 - RecoveryConsole parameters [software]
  q - quit - return to previous
  [1] :

Choose 1 to reset the password.

Step 3: Making changes to user accounts

The SAM (Security Accounts Manager) data is copied to a temporary folder.

  Selected files: sam system security
  Copying sam system security to /tmp
  =========================================================
  ¤ Step THREE: Password or registry edit
  =========================================================
  chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
  Hive  name (from header): <\SystemRoot\System32\Config\SAM>
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
  Page at 0x44000 is not 'hbin', assuming file contains garbage at end
  File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
  Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.
  Hive  name (from header): 
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c 
  Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
  File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
  Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.
  Hive  name (from header): <emRoot\System32\Config\SECURITY>
  ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c 
  Page at 0x6000 is not 'hbin', assuming file contains garbage at end
  File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
  Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.
  * SAM policy limits:
  Failed logins before lockout is: 0
  Minimum password length        : 0
  Password history count         : 0
  ======== chntpw Main Interactive Menu ========
  Loaded hives:   
    1 - Edit user data and passwords
    2 - Syskey status & change
    3 - RecoveryConsole settings
        - - -
    9 - Registry editor, now with full write support!
    q - Quit (you will be asked if there is something to save)
  What to do? [1] ->

Choose item 1, and we get a list of all local accounts registered in our Windows installation.

  ===== chntpw Edit User Info & Passwords ====
  | RID -|---------- Username ------------| Admin? |- Lock? --|
  | 03e8 | admin                          | ADMIN  |          |
  | 01f4 | Administrator                  | ADMIN  | dis/lock |
  | 03ec | grumf1                         |        |          |
  | 03ed | grumf2                         |        |          |
  | 03ee | grumf3                         |        |          |
  | 01f5 | Guest                          |        | dis/lock |
  | 03ea | jalla1                         | ADMIN  | *BLANK*  |
  | 03eb | jalla2                         |        | *BLANK*  |
  | 03e9 | petro                          | ADMIN  | *BLANK*  |

The rightmost column, Lock?, shows the password status: disabled/locked (dis/lock) or blank (*BLANK*). The Admin? column shows whether the account belongs to the Administrators group. We select the admin account, which gives us control of the computer's administrator account. To do this, enter the RID or the account name.

Select: ! - quit, . - list users, 0x - User with RID (hex)
  or simply enter the username to change: [Administrator] admin
  RID     : 1000 [03e8]
  Username: admin
  fullname:
  comment :
  homedir :
  User is member of 1 groups:
  00000220 = Administrators (which has 4 members)

The user is a member of group 220, the Administrators group.

   Account bits: 0x0214 =
  [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
  [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
  [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
  [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
  [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |
  Failed login count: 0, while max tries is: 0
  Total  login count: 3

Information about the account status is shown.
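
An added example (not part of the original article and not chntpw's own code): it parses the user table and the "Account bits" value printed above, so a hive can be audited for administrator accounts with a blank password. The sample text is a constructed excerpt of the output on this page, the function names are hypothetical, and the bit-to-label mapping is an assumption taken from the order of the checkboxes chntpw prints.

```python
import re

# Constructed sample: excerpt of the chntpw output shown on this page.
SAMPLE = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 03e8 | admin                          | ADMIN  |          |
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03ec | grumf1                         |        |          |
| 01f5 | Guest                          |        | dis/lock |
| 03ea | jalla1                         | ADMIN  | *BLANK*  |
| 03eb | jalla2                         |        | *BLANK*  |
| 03e9 | petro                          | ADMIN  | *BLANK*  |
 Account bits: 0x0214 =
"""

# Flag labels in the order chntpw prints its checkboxes (row by row).
# Assumption drawn from that layout: bit i of the value is ACB_FLAGS[i].
ACB_FLAGS = ["Disabled", "Homedir req.", "Passwd not req.", "Temp. duplicate",
             "Normal account", "NMS account", "Domain trust ac", "Wks trust act.",
             "Srv trust act", "Pwd don't expir", "Auto lockout"]

# | RID (4 hex digits) | username | Admin? | Lock? |
ROW = re.compile(r"^\|\s*([0-9a-fA-F]{4})\s*\|\s*(.*?)\s*\|\s*(\w*)\s*\|\s*(\S*)\s*\|$")

def parse_users(text):
    """Return one dict per account row; the header row has no hex RID and is skipped."""
    users = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rid, name, admin, status = m.groups()
            users.append({"rid": int(rid, 16), "name": name,
                          "admin": admin == "ADMIN", "status": status})
    return users

def decode_acb(value):
    """List the flag labels that are set in an 'Account bits' value."""
    return [name for bit, name in enumerate(ACB_FLAGS) if value & (1 << bit)]

def audit(text):
    """Return (administrators with a blank password, flags of the displayed account)."""
    blank_admins = [(u["name"], u["rid"]) for u in parse_users(text)
                    if u["admin"] and u["status"] == "*BLANK*"]
    m = re.search(r"Account bits:\s*0x([0-9a-fA-F]+)", text)
    flags = decode_acb(int(m.group(1), 16)) if m else []
    return blank_admins, flags

if __name__ == "__main__":
    admins, flags = audit(SAMPLE)
    for name, rid in admins:
        print(f"administrator with blank password: {name} (RID {rid})")
    print("account bits set:", ", ".join(flags))
```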

  - - - - User Edit Menu:
   1 - Clear (blank) user password
   2 - Edit (set new) user password (careful with this on XP or Vista)
   3 - Promote user (make user an administrator)
  (4 - Unlock and enable user account) [seems unlocked already]
   q - Quit editing user, back to user select
  Select: [q] > 1 
  Password cleared!

If the account had been locked, we would choose 4 to unlock it. But since the user is fine, we choose 1 and simply clear the password.

  Select: ! - quit, . - list users, 0x - User with RID (hex)
  or simply enter the username to change: [Administrator] !

Then we return to the main menu by entering "!".

======== chntpw Main Interactive Menu ========
  Loaded hives:   
    1 - Edit user data and passwords
    2 - Syskey status & change
    3 - RecoveryConsole settings
        - - -
    9 - Registry editor, now with full write support!
    q - Quit (you will be asked if there is something to save)
    What to do? [1] -> q

Choose "q" to exit.

Step 4: Write the changes. Answer "y" to write the changes that were made.

  Hives that have changed:
   #  Name
   0   - OK
  =========================================================
  ¤ Step FOUR: Writing back changes
  =========================================================
  About to write file(s) back! Do it? [n] : y
  Writing  sam

Editing is complete.

  ***** EDIT COMPLETE *****
  You can try again if it somehow failed, or you selected wrong
  New run? [n] : n
  =========================================================
  * end of scripts.. returning to the shell..
  * Press CTRL-ALT-DEL to reboot now (remove floppy first)
  * or do whatever you want from the shell..
  * However, if you mount something, remember to umount before reboot
  * You may also restart the script procedure with 'sh /scripts/main.sh'
  (Please ignore the message about job control, it is not relevant)
  BusyBox v1.1.0-pre1 (2005.12.30-19:45+0000) Built-in shell (ash)
  Enter 'help' for a list of built-in commands.
  sh: can't access tty; job control turned off

Choose "n" and finish working with the program.

3 thoughts on “Offline NT Password and Registry Editor - resetting a Windows password”

  1. Егор

    Thank you so much!
    And it actually helped! The utility really works.
    Windows 7 Home Premium
