Offline NT Password & Registry Editor, Bootdisk
I've put together a single floppy which contains
things needed to edit the passwords on most systems.
It uses Linux as the OS, because it's freely distributable,
easy to program, and supports compressed bootdisks/ramdisks.
The bootdisk supports standard (dual) IDE controllers, and most SCSI controllers
with the drivers supplied in a separate archive below.
It does not need any other special hardware; it will run on a
486 or higher with 16 MB of RAM or more.
There's full FAT filesystem support, including long filenames (VFAT),
but only limited NTFS support through
Martin von Löwis's NTFS utilities for Linux.
If there are problems accessing the disks using this bootfloppy,
move the hard drive to another NT machine to access the SAM file, and try out
Grenier's DOS port.
How to use?
- 2000-04-01: WARNING: Turning syskey off on Win2k IS UNSAFE! (read below)
- HINT: Just press return/enter to accept default prompts in [brackets]
- WARNING: There's NO SUPPORT FOR STRIPES/MIRRORS in the NTFS driver.
Trying it on stripes/mirrors MAY DESTROY THE STRIPESET!
Thanks to Joe Ashley from the UK for pointing this out.
- SCSI: Copy the appropriate SCSI modules (drvname.o.gz) from the SCSI zip file to the
"scsi" directory on the floppy if you need SCSI support. (The floppy is FAT; use Windows,
DOS or whatever.) There are just too many drivers to include them all in the main package.
As an alternative you may put lots of them on another (otherwise empty)
floppy in a dir named "scsi", and switch floppies at the instruction-banner prompt
(before the SCSI prompt).
- Shut down machine and insert floppy.
- Let the machine boot from the floppy, some computers may require
adjustments in the BIOS setup to allow booting from floppy.
- Some banners and loading-messages will appear, hardware information etc.
- (switch to scsi-driver floppy here if needed, see above)
- Available SCSI-drivers will be listed (if any, see above),
and it will now prompt for SCSI-controller drivers, you may:
- answer 'y' to probe all available drivers in the "scsi" dir on the floppy.
It will stop probing once it manages to initialize one controller.
- answer 'n' to skip searching for SCSI cards. Use this if you only
have IDE-disks.
- or at the prompt, enter the linux module name (without the .o or .o.gz ending) of the driver,
and optionally parameters for it, to go directly for one.
- Next comes a list of all found partitions on all disks,
followed by a list of what it thinks are NTFS partitions.
- At the prompt to select a partition, the first bootable
NTFS partition will be the default selection (first bootable FAT if no NTFS is found).
You may however select another partition (also a FAT partition)
by giving its full name (like /dev/hda1 or /dev/sda1).
SCSI: sdDP -> D=disk a b c d etc, P=partition number 1 2 3 4 etc.
IDE: hdDP -> D=a or b (primary IDE), c or d (secondary IDE), P=partition number.
- The partition will be mounted, and the type (NTFS or FAT) will be stated.
- Then you must select the full path (relative to the partition) of the
registry directory. This is usually 'winnt\system32\config', which is the
default selection.
- Then select files to copy to temp area in ramdisk. For password editing
the default is 'sam' (essential, it's the password database),
'system' (contains some info on syskey), and
'security' (additional syskey info in Win2k). If syskey is not active,
only 'sam' is changed when editing passwords.
If you instead want to edit something in the registry, select the hive you want,
'system' is proper for services, hardware settings etc.
- You can then select between:
- Password editing (default selection)
- Registry editing. (see regedit.txt)
- Now it has everything it needs, so the 'chntpw' utility will be started,
working on the files in /tmp. There:
- Some nice statistics of the registry hive will be displayed.
- All usernames in the file will be listed.
- A check for SYSKEY is done, if it's found to be enabled
(it is by default in Win2k RC-something and up) you will be asked if you
wish to disable it. You do not have to disable it unless you
have lost the key-floppy or passphrase. It seems pretty safe to
disable it on NT4, but will cause trouble in Win2k
(see main page or syskey.txt)
- You will then be prompted for the user which you want to change the
password of. (default selection is administrator, it recognizes admin-account
with changed name or localized names, too)
It will continue to prompt for a username until '!' is given.
Re-list the users with '.'
- Some information on the user will be shown (and still with some debug info)
before the prompt for new password.
- Enter the new password, max 14 chars (it will show on the screen). Or enter nothing to keep
unchanged.
- Then confirm the change (this is for the change to the file, which
at this point is located as a temp file in the ramdisk, writeback comes later)
- If the 'chntpw' utility succeeds, you will be prompted to confirm
the writeback to the NT disk/filesystem. Only 'y' is accepted for
it to commit the changes. (the commit is in 2 steps. First in the editor program, then
in the bootfloppy scripts. Your harddisk will only be changed if the last one
is confirmed)
- After everything is complete, you will get the "# " shell prompt.
You may then reset the computer (three-finger-salute).
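As an added illustration (not code from the bootdisk scripts), the shell function below decodes a partition name typed at the selection prompt according to the sdDP/hdDP scheme described above and rejects anything outside that scheme before it would reach mount. The master/slave labels follow the standard Linux IDE device naming and are not stated on this page.

```shell
#!/bin/sh
# Added example, not part of the original bootdisk package: decode a
# partition name such as /dev/hda1 or /dev/sda1 into the controller, disk
# and partition it refers to, using the sdDP (SCSI) / hdDP (IDE) scheme.
# Prints a one-line description and returns 0, or returns 1 on an
# invalid name so a calling script can re-prompt instead of mounting.
describe_partition() {
    dev=$1
    case "$dev" in
        /dev/sd[a-z][1-9]|/dev/sd[a-z]1[0-5])
            disk=${dev#/dev/sd}        # "b10" -> disk b, partition 10
            part=${disk#?}
            disk=${disk%"$part"}
            echo "SCSI disk $disk, partition $part"
            ;;
        /dev/hd[a-d][1-9]|/dev/hd[a-d]1[0-5])
            disk=${dev#/dev/hd}        # "c2" -> disk c, partition 2
            part=${disk#?}
            disk=${disk%"$part"}
            case "$disk" in            # a/b primary IDE, c/d secondary IDE
                a) ctrl="primary IDE master" ;;
                b) ctrl="primary IDE slave" ;;
                c) ctrl="secondary IDE master" ;;
                d) ctrl="secondary IDE slave" ;;
            esac
            echo "IDE disk $disk ($ctrl), partition $part"
            ;;
        *)
            echo "invalid partition name: $dev" >&2
            return 1
            ;;
    esac
}
```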
What can go wrong?
Lots of things can go wrong, but most faults won't damage your system.
The most critical moment is when writing back the registry files to NTFS.
Also, the file written back may be corrupt (from chntpw messing it up), preventing
your NT system from booting properly. YOU HAVE BEEN WARNED!
One indication of a corrupt SAM is that the Netlogon service will fail to
start, which again means it's impossible to log in.
The most likely things to happen are: it cannot find your SCSI controller,
cannot parse the partition tables correctly, cannot read the NTFS (I told
you it was ALPHA code), or the scripts crap out in some way or another
due to a bug or something.
If you know Linux, you may do things manually if the scripts fail;
you have shells on tty1-tty4 (ALT F1 - ALT F4).
Bootdisk history
000607:
- 000607-release of chntpw with bugfixes when handling large hives.
- Hopefully fixed handling of large NTFS-filesystems (>6-7GB?),
now only uses kernel drivers, not commandline tools.
- Some devicenodes for Compaq Smartarray SCSI raids added (/dev/ida/c?d?p?)
000401: 000401-release of chntpw with better syskey-handling, no bootdisk changes apart from that, use same SCSI-drivers as previous release.
000220: Fixed some bugs leading to hang while reading registry files.
000219: Some hardware driver updates.
000215: (full update)
- chntpw 0.98 000215, includes Syskey handling & edit in-place registry editor.
- Bootdisk changed a lot (scsi-drivers separate, see above).
(earlier history removed)
9705xx
Download
- bd000607.zip (1.4MB, note: offsite link) - Bootdisk image (000607)
- sc000219.zip (550KB) - SCSI-drivers (000219) (only use newest drivers with newest bootdisk, this one works with bd000219 and newer)
- rawwrite2.zip - DOS Program to write the image.
Previous versions:
NOTE THAT THE BOOTDISK CONTAINS CRYPTOGRAPHIC CODE, and that it may be
ILLEGAL to RE-EXPORT it from your country.
Use:
The zip-file contains at least the floppy image, and newer versions
may also contain the chntpw linux binary as a standalone file.
The unzipped image (bdxxxxxx.bin) is a block-to-block representation
of the actual floppy, and the file cannot simply be copied to
the floppy. Special tools must be used to write it block by block.
For Dos, win95/98 & NT, use rawrite2.exe or some other imagewriter:
rawrite2 -f: bd000401.bin -d: A
Or from unix:
dd if=bootdisk.bin of=/dev/fd0 bs=1024
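Because dd writes the blocks wherever it is pointed, it is worth checking first that the unzipped file really is a raw 1.44 MB floppy image and that the target is the floppy device. The functions below are an added example, not part of the bootdisk package; the image file name and device are assumptions, and the 1474560-byte size is the standard 1.44 MB floppy capacity (2880 sectors of 512 bytes).

```shell
#!/bin/sh
# Added example, not part of the original bootdisk package: validate an
# unzipped bdxxxxxx.bin before writing it block by block with dd.
FLOPPY_BYTES=1474560   # 2880 x 512-byte sectors on a 1.44 MB floppy

# Return 0 if the file exists and is exactly one floppy in size,
# 1 otherwise (missing, truncated download, or not a raw image at all).
check_floppy_image() {
    img=$1
    [ -f "$img" ] || { echo "no such file: $img" >&2; return 1; }
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -ne "$FLOPPY_BYTES" ]; then
        echo "$img is $size bytes, expected $FLOPPY_BYTES (not a raw floppy image)" >&2
        return 1
    fi
    return 0
}

# Write the image only if the check passes, the target looks like a floppy
# device (refuses hard disk devices and ordinary files) and the operator
# confirms with 'y', in the same spirit as the bootdisk's own confirmation
# before writing back the registry files.
write_floppy_image() {
    img=$1
    dev=${2:-/dev/fd0}            # assumed default: first floppy drive
    check_floppy_image "$img" || return 1
    case "$dev" in
        /dev/fd[0-9]*) ;;
        *) echo "refusing to write to $dev: not a floppy device" >&2; return 1 ;;
    esac
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    printf 'Write %s to %s? [n] ' "$img" "$dev"
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted, nothing written"; return 1; }
    dd if="$img" of="$dev" bs=1024 && sync
}

# Usage: write_floppy_image bd000607.bin /dev/fd0
```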
Todo:
Full registry write support (allocate new nodes, delete etc)
Bootdisk scripts & main program are still a bit too verbose even when not in verbose mode.
000607, pnordahl@eunet.no