Written by Barry Dysert (last updated October 2, 2017)
You may be relieved to know that there is no built-in utility that will help you recover a forgotten administrator password. After all, if there were, then anyone with access to your system could effect a security breach. But what if it's your system, and you're the one who has forgotten the password?
As you may have guessed, there are some third-party tools that are designed to help in such a situation. I have personally tried some, and the two I'm recommending in this tip worked flawlessly on my Windows 7 PC. If you don't want to use a third-party tool, then your only real choices are to keep guessing what your password is or take the draconian step of re-installing Windows. Personally, I'd choose the third-party route.
Both options require that you create a boot disk with the appropriate software on it. Therefore, you need to procure a couple of empty CDs that you'll write to. Then you can download the tools. The first is called 'ophcrack' and can be downloaded from this site:
Go to the website and scroll down until you see the download for "ophcrack Vista/7 LiveCD". This will download an .iso file which you need to burn to one of your CDs; label the CD "ophcrack." We'll go over using 'ophcrack' shortly, but let's go get the second tool first.
The second password tool is called 'chntpw' and can be downloaded from here:
Go to the website and scroll down until you see the "Download" section. Under there you'll find a link to 'cd140201.zip', which is the file you want to download. When you unpack the zip file you'll see that it contains a file called 'cd140201.iso'. Burn that file to your second CD and label it "chntpw."
Now that we're done with the preliminaries, load your ophcrack CD into the drive and (re)start your computer. Depending on your system configuration, you may need to press a special function key to tell your computer to boot from the CD instead of the hard drive. (This is what you want to do: boot from the CD that contains ophcrack.)
You'll see a lot of text scroll by as ophcrack loads, but shortly it will display a GUI screen that responds to the mouse. The first thing to do is to click the Tables button to install the password configuration tables. Select which tables to install from the path "/media/hda/tables", then click the Crack button. The rest is now automatic. It loads the tables into memory and then tries to discover the passwords for all enabled accounts. It took ophcrack 5 minutes and 12 seconds to find an administrative password on my system. I let it continue for another 10 minutes to see if it would find any more, but I eventually clicked Stop and Exit (after all, one is all you need). I was then presented with a menu of what to do next. Using the arrow keys I highlighted "Reboot" and pressed Enter. As the computer was restarting I ejected the CD so that the system would come up normally.
The chntpw tool is different from ophcrack in a couple of ways. For one thing, it does not have a graphical interface. And for another, chntpw doesn't try to crack and display the current passwords; instead, it provides the means for you to clear a password so that you can log in without one.
It's possible that ophcrack will not come up with any passwords, so it's good to have chntpw as a backup. Load that CD into the drive and restart your system. After it has booted and chntpw has taken control you'll go through several prompts. The first prompt asks you to select the partition where the Windows installation is located. Press Enter to accept the default. Next you're prompted to specify which part of the registry is to be loaded. Again press Enter to accept the default.
Now you're at the main interactive menu, which lets you select whether to deal with user data and passwords or registry data. Press Enter to accept the default. You're then presented with a table of usernames and whether they have administrator rights. Type the RID of an administrator username that isn't locked, and press Enter.
You've finally reached the Edit User menu. Type "1" (without the quotes) to clear the selected username's password and press Enter. That clears the password. Eject the CD and restart the system. After Windows comes up you'll be able to log in under the username whose password you cleared without having to specify its (now-cleared) password. Once logged in, you can, of course, use the normal Windows tools to set the password to whatever you wish.
This tip (13088) applies to Windows 7, 8, and 10.