Results 1 to 9 of 9

Thread: Reset your Windows password, edit the Windows Registry from Ubuntu

Threaded View

  1. #1
    Join Date
    May 2008
    Location
    Kyiv, Ukraine
    Beans
    3
    Distro
    Ubuntu 10.04 Lucid Lynx

    Lightbulb Reset your Windows password, edit the Windows Registry from Ubuntu

    THE MAIN GOAL OF THIS TOPIC IS TO SHOW AN ABILITY OF WINDOWS REGISTRY EDITING BUT NOT PASSWORD RESETTING ONLY. IT WAS CREATED AFTER READING OF THE FOLLOWING AT THE FORUM, WHERE THE QUESTIONS STILL WITHOUT ANSWERS INFACT:

    http://ubuntuforums.org/showthread.php?t=1046931
    http://ubuntuforums.org/showthread.php?t=624943
    http://ubuntuforums.org/showthread.php?t=955950
    http://ubuntuforums.org/showthread.php?t=678747

    In connection with the Windows viruses and impossibility to start regedit or Windows in whole, sometimes Windows users need to edit the registry from outside. I've found, so far, the only utility in Linux chntpw, which was originally designed to reset passwords, and then acquired the registry editing ability.

    Editing the registry:

    1. Boot from a LiveCD or install a second system Ubuntu.

    2. Install chntpw utility:

    Code:
    sudo apt-get install chntpw
    3. Mount Windows partition:

    Find the Windows partition:

    Code:
    $ sudo fdisk -l
    Assume it is on /dev/sda2. Next step is mounting of the partiotion:

    Code:
    $ sudo mkdir /media/windows 
    $ sudo mount /dev/sda2 /media/windows
    4. Registry editing

    Code:
    $ chntpw -l /media/windows/Windows/system32/config/software
    Move to registry branch you need, for example:

    Code:
    $ cd Microsoft\Windows NT\CurrentVersion\Winlogon
    and edit a key, for example:

    Code:
    $ ed Shell
    Password resetting:

    1. See 1-3 of the previous section

    4. Find the user whose password will be changed

    Code:
    $ chntpw -l /media/windows/Windows/system32/config/SAM
    5. Password resetting

    Code:
    $ chntpw /media/windows/Windows/system32/config/SAM -u Administrator
    Just cite the places in the registry where they can hide a record of running viruses:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She llServiceObjectDelayLoad
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    The default values in Regedit:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe"
    "Userinit" = "C:\WINDOWS\system32\userinit.exe"

    Check Explorer.exe file for double presence ... the right place for the file is Windows\ but not Windows\System32\ ...

    This post was written to open the theme to combat viruses and sms-extortionists.
    Last edited by melnichuk; August 1st, 2010 at 12:25 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •