8e76513a2c5a5b5d698547739f0cc8de.png
之前一個朋友拿著一台 Lenovo 筆電跟我說,他設定了 Win7 的密碼,但是怎麼輸入都是錯的!原本想叫他重灌就好,可是裡面有重要資料,而且他的硬碟是有鎖的,就是拔出來也不見得能夠複製。更慘的是,他把 ThinkVantage 的 Partition 也破壞了。所以只好死馬當活馬醫了。
網路上查了很久,也試了幾個方法,最後總算找到一個好方法了!就是用以下的工具,做成 USB 開機,直接把密碼改掉!
在這邊可以下載
 
 
下載回來後,可以照以下步驟:
 
如果無法正常開機,可以參考這篇:忘記 Windows 的密碼
  • 製作 USB Boot disk
    先將 zip 檔解開,並且複製到你的 USB 隨身碟中。
    然後進入 DOS 模式 (最好是系統管理者權限)
    切換到 USB 那槽 (ex: X: ),然後輸入
    X:syslinux.exe -ma X:
    如果沒有錯誤訊息,那就是成功了!
  • 用 USB 開機
    接下來的部分比較複雜,如果開機成功,則會看到以下訊息 (若不成功可能需要檢查 BIOS 設定,或是你的機器根本不支援 USB 開機,那就要用光碟來開機了!)
    ISOLINUX 3.51 2007-06-10  Copyright (C) 1994-2007 H. Peter Anvin
     
     
      ***************************************************************************
      *                                                                         *
      *  Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD     *
      *                                                                         *
      *  (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
      *                                                                         *
      * DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!          *
      *             THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE       *
      *             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
      *                                                                         *
      * More info at: http://pogostick.net/~pnh/ntpasswd/                       *
      * Email       : pnh@pogostick.net                                         *
      *                                                                         *
      * CD build date: Sun Sep 23 14:15:35 CEST 2007                            *
      ***************************************************************************
     
      Press enter to boot, or give linux kernel boot options first if needed.
      Some that I have to use once in a while:
      boot nousb          - to turn off USB if not used and it causes problems
      boot irqpoll        - if some drivers hang with irq problem messages
      boot nodrivers      - skip automatic disk driver loading
     
      boot:
    直接按 <Enter> 即可。然後是一串開機訊息,可以不必太認真看。(以下訊息是抓他網站上的,因為修復時沒有抓畫面,所以直接用網站的說明!)
    Loading vmlinuz..................
      Loading scsi.cgz.........................
     
      Loading initrd.cgz..........
      Ready.
      Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007
      BIOS-provided physical RAM map:
       BIOS-e820: 0000000000000000 - 000000000009f800 (usable)
       BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)
       BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved)
       BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
       BIOS-e820: 0000000000100000 - 00000000316f0000 (usable)
       BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data)
       BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS)
       BIOS-e820: 0000000031700000 - 0000000031800000 (usable)
       BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved)
       BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved)
       BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved)
      792MB LOWMEM available.
      Zone PFN ranges:
        DMA             0 ->     4096
        Normal       4096 ->   202752
      early_node_map[1] active PFN ranges
     
     ...
     
      Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
      serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
      Floppy drive(s): fd0 is 1.44M
      FDC 0 is a post-1991 82077
      RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize
      USB Universal Host Controller Interface driver v3.0
      Initializing USB Mass Storage driver...
      usbcore: registered new interface driver usb-storage
      USB Mass Storage support registered.
      serio: i8042 KBD port at 0x60,0x64 irq 1
      serio: i8042 AUX port at 0x60,0x64 irq 12
      usbcore: registered new interface driver usbhid
      drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver
      Using IPI Shortcut mode
      BIOS EDD facility v0.16 2004-Jun-25, 1 devices found
      Freeing unused kernel memory: 144k freed
      Booting ntpasswd
      Mounting: proc sys
      Ramdisk setup complete, stage separation..
      In stage 2
      Spawning shells on console 2 - 6
      Initialization complete!
     
      ** Preparing driver modules to dir /lib/modules/2.6.22.6
      input: AT Translated Set 2 keyboard as /class/input/input0
     
      ** Will now try to auto-load relevant drivers based on PCI information
     
      ---- AUTO DISK DRIVER select ----
      --- PROBE FOUND THE FOLLOWING DRIVERS:
      ata_piix
      ata_generic
      mptspi
      --- TRYING TO LOAD THE DRIVERS
      ### Loading ata_piix
      scsi0 : ata_piix
      scsi1 : ata_piix
      ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14
      ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15
      ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33
      ata2.00: configured for UDMA/33
      scsi 1:0:0:0: CD-ROM            NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5
      sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray
      Uniform CD-ROM driver Revision: 3.20
     
      ### Loading ata_generic
     
      ### Loading mptspi
      Fusion MPT base driver 3.04.04
      Copyright (c) 1999-2007 LSI Logic Corporation
      Fusion MPT SPI Host driver 3.04.04
      PCI: Found IRQ 9 for device 0000:00:10.0
      mptbase: Initiating ioc0 bringup
      ioc0: 53C1030: Capabilities={Initiator}
      scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9
      scsi 2:0:0:0: Direct-Access     VMware,  VMware Virtual S 1.0  PQ: 0 ANSI: 2
       target2:0:0: Beginning Domain Validation
       target2:0:0: Domain Validation skipping write tests
       target2:0:0: Ending Domain Validation
       target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127)
      sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
      sd 2:0:0:0: [sda] Write Protect is off
      sd 2:0:0:0: [sda] Cache data unavailable
      sd 2:0:0:0: [sda] Assuming drive cache: write through
      sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB)
      sd 2:0:0:0: [sda] Write Protect is off
      sd 2:0:0:0: [sda] Cache data unavailable
      sd 2:0:0:0: [sda] Assuming drive cache: write through
       sda: sda1
      sd 2:0:0:0: [sda] Attached SCSI disk
      -------------------------------------------------------------
      Driver load done, if none loaded, you may try manual instead.
      -------------------------------------------------------------
     
      ** If no disk show up, you may have to try again (d option) or manual (m).
     
     
    You can later load more drivers..
     
      *************************************************************************
      * Windows Registry Edit Utility Floppy / chntpw                         *
      * (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net<script type="text/javascript">
    /* <![CDATA[ */
    (function(){try{var s,a,i,j,r,c,l,b=document.getElementsByTagName("script");l=b[b.length-1].previousSibling;a=l.getAttribute('data-cfemail');if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
    /* ]]> */
    </script>                    *
      * GNU GPL v2 license, see files on CD                                   *
      *                                                                       *
      * This utility will enable you to change or blank the password of       *
      * any user (incl. administrator) on an Windows NT/2k/XP/Vista           *
      * WITHOUT knowing the old password.                                     *
      * Unlocking locked/disabled accounts also supported.                    *
      *                                                                       *
      * It also has a registry editor, and there is now support for           *
      * adding and deleting keys and values.                                  *
      *                                                                       *
      * Tested on: NT3.51 & NT4: Workstation, Server, PDC.                    *
      *            Win2k Prof & Server to SP4. Cannot change AD.              *
      *            XP Home & Prof: up to SP2                                  *
      *            Win 2003 Server (cannot change AD passwords)               *
      *            Vista 32 and 64 bit                                        *
      *                                                                       *
      * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ...       *
      *************************************************************************
     
      =========================================================
      There are several steps to go through:
      - Disk select with optional loading of disk drivers
      - PATH select, where are the Windows systems files stored
      - File-select, what parts of registry we need
      - Then finally the password change or registry edit itself
      - If changes were made, write them back to disk
     
      DON'T PANIC! Usually the defaults are OK, just press enter
                   all the way through the questions
  • 選擇正確的 Partition 然後重設密碼
    接下來,如果看到這個訊息,就表示抓到你的硬碟了。
    =========================================================
     ¤ Step ONE: Select disk where the Windows installation is
     =========================================================
     
     Disks:
     Disk /dev/sda: 42.9 GB, 42949672960 bytes
     
     Candidate Windows partitions found:
      1 :        /dev/sda1   40958MB BOOT
     
    Please select partition by number or
      q = quit
      d = automatically start disk drivers
      m = manually select disk drivers to load
      f = fetch additional drivers from floppy / usb
      a = show all partitions found
      l = show propbable Windows (NTFS) partitions only
     Select: [1]
    這時需要選擇 Partition ,因為只有一個,所以輸入 1 (我修復的那台機器有三個 Partitions,一開始我是選錯的,就會發生找不到 windows 的狀態,然後重選,所以除非你電腦上有裝多套 Windows ,否則選錯是不會怎麼樣的。
    輸入 1 後:
    Selected 1
     
     Mounting from /dev/sda1, with filesystem type NTFS
     
     NTFS volume version 3.1.
     
  • 設定 Windows 路徑
    =========================================================
     ¤ Step TWO: Select PATH and registry files
     =========================================================
     What is the path to the registry directory? (relative to windows disk)
     [WINDOWS/system32/config] :
    一般來說,除非你改目錄,否則都應該是這個目錄。
    接下來會出現:
    -rw-------    2 0        0          262144 Feb 28  2007 BCD-Template
     -rw-------    2 0        0         6815744 Sep 23 12:33 COMPONENTS
     -rw-------    1 0        0          262144 Sep 23 12:33 DEFAULT
     drwx------    1 0        0               0 Nov  2  2006 Journal
     drwx------    1 0        0            8192 Sep 23 12:33 RegBack
     -rw-------    1 0        0          524288 Sep 23 12:33 SAM
     -rw-------    1 0        0          262144 Sep 23 12:33 SECURITY
     -rw-------    1 0        0        15728640 Sep 23 12:33 SOFTWARE
     -rw-------    1 0        0         9175040 Sep 23 12:33 SYSTEM
     drwx------    1 0        0            4096 Nov  2  2006 TxR
     drwx------    1 0        0            4096 Feb 27  2007 systemprofile
     
     Select which part of registry to load, use predefined choices
     or list the files with space as delimiter
     1 - Password reset [sam system security]
     2 - RecoveryConsole parameters [software]
     q - quit - return to previous
     [1] :
    選擇 1 就可以重設密碼了。
  • 重設密碼
    Selected files: sam system security
     Copying sam system security to /tmp
     
     =========================================================
     ¤ Step THREE: Password or registry edit
     =========================================================
     chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen
     Hive  name (from header): <\SystemRoot\System32\Config\SAM>
     ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
     Page at 0x44000 is not 'hbin', assuming file contains garbage at end
     File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage)
     Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes.
     
     Hive  name (from header): <SYSTEM>
     ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh>
     Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end
     File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage)
     Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes.
     
     Hive  name (from header): <emRoot\System32\Config\SECURITY>
     ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf>
     Page at 0x6000 is not 'hbin', assuming file contains garbage at end
     File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage)
     Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes.
     
     
     * SAM policy limits:
     Failed logins before lockout is: 0
     Minimum password length        : 0
     Password history count         : 0
     
     
     ======== chntpw Main Interactive Menu ========
     
     Loaded hives:   
     
       1 - Edit user data and passwords
       2 - Syskey status & change
       3 - RecoveryConsole settings
           - - -
       9 - Registry editor, now with full write support!
       q - Quit (you will be asked if there is something to save)
     
     
     What to do? [1] ->
    如果你不清楚其他的作用,那就直接輸入 1 就好!此時會出現這個畫面:
    Select: ! - quit, . - list users, 0x - User with RID (hex)
     or simply enter the username to change: [Administrator] admin
     
     RID     : 1000 [03e8]
     Username: admin
     fullname:
     comment :
     homedir :
     
     User is member of 1 groups:
     00000220 = Administrators (which has 4 members)
     
     Account bits: 0x0214 =
     [ ] Disabled        | [ ] Homedir req.    | [X] Passwd not req. |
     [ ] Temp. duplicate | [X] Normal account  | [ ] NMS account     |
     [ ] Domain trust ac | [ ] Wks trust act.  | [ ] Srv trust act   |
     [X] Pwd don't expir | [ ] Auto lockout    | [ ] (unknown 0x08)  |
     [ ] (unknown 0x10)  | [ ] (unknown 0x20)  | [ ] (unknown 0x40)  |
     
     Failed login count: 0, while max tries is: 0
     Total  login count: 3
     
     - - - - User Edit Menu:
      1 - Clear (blank) user password
      2 - Edit (set new) user password (careful with this on XP or Vista)
      3 - Promote user (make user an administrator)
     (4 - Unlock and enable user account) [seems unlocked already]
      q - Quit editing user, back to user select
     Select: [q] > 1
     Password cleared!

    選擇 1 可以清除密碼,或是選擇 2 可以重設密碼。記得注意,如果他已經被 lock ,那你就要選擇 4 把帳號 unlock 。
    完成後輸入 ! 即可離開。
    ======== chntpw Main Interactive Menu ========
     
     Loaded hives: <sam> <system> <security>
     
       1 - Edit user data and passwords
       2 - Syskey status & change
       3 - RecoveryConsole settings
           - - -
       9 - Registry editor, now with full write support!
       q - Quit (you will be asked if there is something to save)
     
     
     What to do? [1] -> q
     
     Hives that have changed:
      #  Name
      0   - OK
     
     =========================================================
     ¤ Step FOUR: Writing back changes
     =========================================================
     About to write file(s) back! Do it? [n] : y
    最後會再跟你確認一次是否要執行,當然要輸入 y 囉,不然前面就作白工了!然後重開機試試看吧。
  • 後記
    現在流行雲端,其實自動備份的軟體,像是 drop box,或是 Windows Mesh 都是不錯的選擇,多多備份比較安全囉。希望大家都用不到這個工具!
Facebook 討論區載入中...