Using LinuxLite to repair Win 7 password
#11
Sorry, I messed up the location of regback. It's under system32/config.
Reply
#12
Ok so I installed chntpw... I was getting the same errors as you...

I was able to get it to work...

TYPE the command into terminal - Don't copy and paste... chntpw -l SAM
I copied and pasted = failed
Manually entered = success

It's the "-": the copied one is the longer dash, the typed one is the shorter... Why this makes a difference I don't know...

I retyped and tested the below... It did seem to work...
Code:
chntpw -l SAM
Code:
chntpw -u user SAM

I'll toss in some screenshots...

Shots:
Failed
[Image: Yyh0P6m.png]
Success:
[Image: O1bKDjl.png]
LL4.8 UEFI 64 bit ASUS E402W - AMD E2 (Quad) 1.5Ghz  - 4GB - AMD Mullins Radeon R2
LL5.8 UEFI 64 bit Test UEFI Kangaroo (Mobile Desktop) - Atom X5-Z8500 1.44Ghz - 2GB - Intel HD Graphics
LL4.8 64 bit HP 6005- AMD Phenom II X2 - 8GB - AMD/ATI RS880 (HD4200)
LL3.8 32 bit Dell Inspiron Mini - Atom N270 1.6Ghz - 1GB - Intel Mobile 945GSE Express  -- Shelved
BACK LL5.8 64 bit Dell Optiplex 160 (Thin) - Atom 230 1.6Ghz - 4GB-SiS 771/671 PCIE VGA - Print Server
Running Linux Lite since LL2.2
Reply
#13
This thread is fascinating.  I'm learning some stuff.  Good teamwork here.
Want to thank me?  Click my [Thank] link.
Reply
#14
(10-15-2015, 12:01 AM)torreydale link Wrote: This thread is fascinating.  I'm learning some stuff.  Good teamwork here.

I too got giddy when it worked.
This is a great little tool, especially combined with a Live USB. I could have used it many times over the years...
Reply
#15
Thanks
Tried what you said



colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -l SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.




* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count        : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | Colin                          | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |


-------------------------------------------------------------------------------------------


colin@colin-NC110:/media/sda1/Windows/System32/config$ chntpw -u colin SAM
chntpw version 0.99.6 110511 , © Petter N Hagen
Hive <SAM> name (from header): <\C:\Windows\system32\config\sam>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
Used for data: 203/15264 blocks/bytes, unused: 11/5056 blocks/bytes.




* SAM policy limits:
Failed logins before lockout is: 0
Minimum password length        : 0
Password history count        : 0
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | Colin                          | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |


------------------- SYSKEY CHECK <-----------------------
SYSTEM  SecureBoot            : -1 -> Not Set (not installed, good!)
SAM      Account\F            : 0 -> off
SECURITY PolSecretEncryptionKey: -1 -> Not Set (OK if this is NT4)
Syskey not installed!
Cannot find value <\SAM\Domains\Account\Users\Names\colin\@>


Hives that have changed:
#  Name
None!


colin@colin-NC110:/media/sda1/Windows/System32/config$




Not sure where to go now. Concerned about this line: (Cannot find value <\SAM\Domains\Account\Users\Names\colin\@>)

The problem was created because of a Ransom attack (my own slip up).
I Learn something new Every Day !
An "example" is worth a 1000 words
Reply
#16
> The problem was created because of a Ransom attack

My guess is the attack crippled your user account. At what point are they demanding the ransom? At the Welcome screen? IAC, if I am correct the SAM hive, and perhaps others as well, is corrupted and you must either revert to a restore point, use last known good config, or restore the registry manually the way I described (and maybe not just the SAM file either, though I would start there). Best would be if you keep up to date system images offline. The alternative would be to try to rescue data and settings, if they're not backed up, and then do a fresh install. At least, that's how I would approach it. Perhaps a malware expert would have a lower level way to solve the problem.
Reply
#17
(10-15-2015, 10:59 AM)paul1149 link Wrote: > The problem was created because of a Ransom attack

My guess is the attack crippled your user account. At what point are they demanding the ransom? At the Welcome screen? IAC, if I am correct the SAM hive, and perhaps others as well, is corrupted and you must either revert to a restore point, use last known good config, or restore the registry manually the way I described (and maybe not just the SAM file either, though I would start there). Best would be if you keep up to date system images offline. The alternative would be to try to rescue data and settings, if they're not backed up, and then do a fresh install. At least, that's how I would approach it. Perhaps a malware expert would have a lower level way to solve the problem.

Seen one once, where it used the web cam, took a pic and then locked for ransom (think it was saying it was from the FBI)..
I may still have notes, but it wasn't fun...
Had to create a usb with files, boot to the usb run said files.. scan, scan and scan some more...

I'll see what I can dig up, but some info..
http://www.trendmicro.com/vinfo/us/secur...Ransomware
https://www.f-secure.com/en/web/labs_glo...ransomware

These are samples... Try to nail down which one you're infected by to properly remove it...
Some scanners, some require manual deletion of registry keys...
Back up your stuff first..
May want to try some online scanners through LL on the Windows partition...
Reply
#18
The problem now appears to be that you entered:
Code:
chntpw -u colin SAM
That line looks like it should read
Code:
chntpw -u Colin SAM
Capitalization is important.
Quote:
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | Colin                          | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
“I have not failed. I’ve just found 10,000 ways that won’t work.” - Thomas Edison
Reply
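Two things tripped this thread up: the pasted dash in #12 and the username case in #18. As an added example that is not from the thread or from chntpw itself, this Python pre-checks a pasted command for Unicode dash look-alikes and resolves a typed name against the account table printed by `chntpw -l SAM`, so the exact stored spelling is used; the table format is assumed from the output quoted above.

```python
import re
import unicodedata

# Added example, not from the thread. Post #12: a "-" copied from a web page arrived as a
# longer Unicode dash, so chntpw never saw "-l"/"-u". Post #18: the username must match
# the SAM entry's case exactly ("colin" vs "Colin"). Both checks are implemented here.

# Unicode dash look-alikes that commonly replace ASCII "-" in copied text.
DASH_LOOKALIKES = {"\u2010", "\u2011", "\u2012", "\u2013", "\u2014", "\u2015", "\u2212"}
# Row format of the account table printed by `chntpw -l SAM` (assumed from the thread's output).
ROW_RE = re.compile(r"^\|\s*([0-9a-f]{4})\s*\|\s*(.*?)\s*\|\s*(ADMIN)?\s*\|\s*(.*?)\s*\|$")

# Account table copied from the listing posted in the thread.
SAMPLE_LISTING = """\
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator                  | ADMIN  | dis/lock |
| 03e8 | Colin                          | ADMIN  |          |
| 01f5 | Guest                          |        | dis/lock |
"""

def normalize_command(cmd: str) -> "tuple[str, list[str]]":
    """Replace dash look-alikes with ASCII '-' and report each one that was found."""
    fixed, found = [], []
    for ch in cmd:
        if ch in DASH_LOOKALIKES:
            found.append(f"U+{ord(ch):04X} {unicodedata.name(ch)}")
            ch = "-"
        fixed.append(ch)
    return "".join(fixed), found

def parse_user_table(listing: str) -> "list[dict]":
    """Parse RID/Username/Admin?/Lock? rows; the header row has no hex RID and is skipped."""
    users = []
    for line in listing.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            users.append({"rid": m.group(1), "name": m.group(2),
                          "admin": m.group(3) == "ADMIN", "lock": m.group(4)})
    return users

def resolve_username(users: "list[dict]", typed: str) -> "str | None":
    """Exact SAM name first, else case-insensitive match (post #18's fix), else None."""
    for u in users:
        if u["name"] == typed:
            return u["name"]
    for u in users:
        if u["name"].lower() == typed.lower():
            return u["name"]
    return None
```

Run `normalize_command` on the pasted text before invoking chntpw, and feed the `chntpw -l SAM` output to `parse_user_table` to pick the stored spelling and see which accounts are already disabled or locked.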
#19
@avj, nice one.. Have noted this in case any of my Win using friends ever get stuck.
Upgrades WIP 2.6 to 2.8 - (6 X 2.6 to 2.8 completed on: 20/02/16 All O.K )
Linux Lite 3.0 Humming on a ASRock N3070 Mobo ~ btrfs RAID 10 Install on 4 Disks Smile

Computers Early days:
ZX Spectrum(1982) , HP-150 MS-DOS(1983) , Amstrad CPC464(1984) ,  BBC Micro B+64(1985) , My First PC HP-Vectra(1987)
Reply
#20
Yes, superb catch, avj. Colin, forget everything I wrote unless chntpw fails on the actual username. I've used this many times in the form of NT offline PW changer, and the command line is indeed case sensitive.
Reply

