之前一個朋友拿著一台 Lenovo 筆電跟我說,他設定了 Win7 的密碼,但是怎麼輸入都是錯的!原本想叫他重灌就好,可是裡面有重要資料,而且他的硬碟是有鎖的,就是拔出來也不見得能夠複製。更慘的是,他把 ThinkVantage 的 Partition 也破壞了。所以只好死馬當活馬醫了。
網路上查了很久,也試了幾個方法,最後總算找到一個好方法了!就是用以下的工具,做成 USB 開機,直接把密碼改掉!
在這邊可以下載
下載回來後,可以照以下步驟:
如果無法正常開機,可以參考這篇:忘記 Windows 的密碼
步驟
-
製作 USB Boot disk
先將 zip 檔解開,並且複製到你的 USB 隨身碟中。
然後進入 DOS 模式 (最好是系統管理者權限)
切換到 USB 那槽 (ex: X: ),然後輸入
X:syslinux.exe -ma X:
如果沒有錯誤訊息,那就是成功了! -
用 USB 開機接下來的部分比較複雜,如果開機成功,則會看到以下訊息 (若不成功可能需要檢查 BIOS 設定,或是你的機器根本不支援 USB 開機,那就要用光碟來開機了!)
ISOLINUX 3.51 2007-06-10 Copyright (C) 1994-2007 H. Peter Anvin *************************************************************************** * * * Windows NT/2k/XP/Vista Change Password / Registry Editor / Boot CD * * * * (c) 1998-2007 Petter Nordahl-Hagen. Distributed under GNU GPL v2 * * * * DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES! * * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE * * CAUSED BY THE (MIS)USE OF THIS SOFTWARE * * * * More info at: http://pogostick.net/~pnh/ntpasswd/ * * Email : pnh@pogostick.net * * * * CD build date: Sun Sep 23 14:15:35 CEST 2007 * *************************************************************************** Press enter to boot, or give linux kernel boot options first if needed. Some that I have to use once in a while: boot nousb - to turn off USB if not used and it causes problems boot irqpoll - if some drivers hang with irq problem messages boot nodrivers - skip automatic disk driver loading boot:
直接按 <Enter> 即可。然後是一串開機訊息,可以不必太認真看。(以下訊息是抓他網站上的,因為修復時沒有抓畫面,所以直接用網站的說明!)Loading vmlinuz.................. Loading scsi.cgz......................... Loading initrd.cgz.......... Ready. Linux version 2.6.22.6 (root@athene) (gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk)) #2 Sun Sep 9 16:59:48 CEST 2007 BIOS-provided physical RAM map: BIOS-e820: 0000000000000000 - 000000000009f800 (usable) BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved) BIOS-e820: 00000000000ca000 - 00000000000cc000 (reserved) BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved) BIOS-e820: 0000000000100000 - 00000000316f0000 (usable) BIOS-e820: 00000000316f0000 - 00000000316ff000 (ACPI data) BIOS-e820: 00000000316ff000 - 0000000031700000 (ACPI NVS) BIOS-e820: 0000000031700000 - 0000000031800000 (usable) BIOS-e820: 00000000fec00000 - 00000000fec10000 (reserved) BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved) BIOS-e820: 00000000fffe0000 - 0000000100000000 (reserved) 792MB LOWMEM available. Zone PFN ranges: DMA 0 -> 4096 Normal 4096 -> 202752 early_node_map[1] active PFN ranges ... Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A Floppy drive(s): fd0 is 1.44M FDC 0 is a post-1991 82077 RAMDISK driver initialized: 16 RAM disks of 32000K size 1024 blocksize USB Universal Host Controller Interface driver v3.0 Initializing USB Mass Storage driver... usbcore: registered new interface driver usb-storage USB Mass Storage support registered. serio: i8042 KBD port at 0x60,0x64 irq 1 serio: i8042 AUX port at 0x60,0x64 irq 12 usbcore: registered new interface driver usbhid drivers/hid/usbhid/hid-core.c: v2.6:USB HID core driver Using IPI Shortcut mode BIOS EDD facility v0.16 2004-Jun-25, 1 devices found Freeing unused kernel memory: 144k freed Booting ntpasswd Mounting: proc sys Ramdisk setup complete, stage separation.. In stage 2 Spawning shells on console 2 - 6 Initialization complete! ** Preparing driver modules to dir /lib/modules/2.6.22.6 input: AT Translated Set 2 keyboard as /class/input/input0 ** Will now try to auto-load relevant drivers based on PCI information ---- AUTO DISK DRIVER select ---- --- PROBE FOUND THE FOLLOWING DRIVERS: ata_piix ata_generic mptspi --- TRYING TO LOAD THE DRIVERS ### Loading ata_piix scsi0 : ata_piix scsi1 : ata_piix ata1: PATA max UDMA/33 cmd 0x000101f0 ctl 0x000103f6 bmdma 0x00011050 irq 14 ata2: PATA max UDMA/33 cmd 0x00010170 ctl 0x00010376 bmdma 0x00011058 irq 15 ata2.00: ATAPI: VMware Virtual IDE CDROM Drive, 00000001, max UDMA/33 ata2.00: configured for UDMA/33 scsi 1:0:0:0: CD-ROM NECVMWar VMware IDE CDR10 1.00 PQ: 0 ANSI: 5 sr0: scsi3-mmc drive: 1x/1x xa/form2 cdda tray Uniform CD-ROM driver Revision: 3.20 ### Loading ata_generic ### Loading mptspi Fusion MPT base driver 3.04.04 Copyright (c) 1999-2007 LSI Logic Corporation Fusion MPT SPI Host driver 3.04.04 PCI: Found IRQ 9 for device 0000:00:10.0 mptbase: Initiating ioc0 bringup ioc0: 53C1030: Capabilities={Initiator} scsi2 : ioc0: LSI53C1030, FwRev=01032920h, Ports=1, MaxQ=128, IRQ=9 scsi 2:0:0:0: Direct-Access VMware, VMware Virtual S 1.0 PQ: 0 ANSI: 2 target2:0:0: Beginning Domain Validation target2:0:0: Domain Validation skipping write tests target2:0:0: Ending Domain Validation target2:0:0: FAST-40 WIDE SCSI 80.0 MB/s ST (25 ns, offset 127) sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Cache data unavailable sd 2:0:0:0: [sda] Assuming drive cache: write through sd 2:0:0:0: [sda] 83886080 512-byte hardware sectors (42950 MB) sd 2:0:0:0: [sda] Write Protect is off sd 2:0:0:0: [sda] Cache data unavailable sd 2:0:0:0: [sda] Assuming drive cache: write through sda: sda1 sd 2:0:0:0: [sda] Attached SCSI disk ------------------------------------------------------------- Driver load done, if none loaded, you may try manual instead. ------------------------------------------------------------- ** If no disk show up, you may have to try again (d option) or manual (m). You can later load more drivers.. ************************************************************************* * Windows Registry Edit Utility Floppy / chntpw * * (c) 1997 - 2007 Petter N Hagen - pnh@pogostick.net<script type="text/javascript"> /* <![CDATA[ */ (function(){try{var s,a,i,j,r,c,l,b=document.getElementsByTagName("script");l=b[b.length-1].previousSibling;a=l.getAttribute('data-cfemail');if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})(); /* ]]> */ </script> * * GNU GPL v2 license, see files on CD * * * * This utility will enable you to change or blank the password of * * any user (incl. administrator) on an Windows NT/2k/XP/Vista * * WITHOUT knowing the old password. * * Unlocking locked/disabled accounts also supported. * * * * It also has a registry editor, and there is now support for * * adding and deleting keys and values. * * * * Tested on: NT3.51 & NT4: Workstation, Server, PDC. * * Win2k Prof & Server to SP4. Cannot change AD. * * XP Home & Prof: up to SP2 * * Win 2003 Server (cannot change AD passwords) * * Vista 32 and 64 bit * * * * HINT: If things scroll by too fast, press SHIFT-PGUP/PGDOWN ... * ************************************************************************* ========================================================= There are several steps to go through: - Disk select with optional loading of disk drivers - PATH select, where are the Windows systems files stored - File-select, what parts of registry we need - Then finally the password change or registry edit itself - If changes were made, write them back to disk DON'T PANIC! Usually the defaults are OK, just press enter all the way through the questions -
選擇正確的 Partition 然後重設密碼
接下來,如果看到這個訊息,就表示抓到你的硬碟了。========================================================= ¤ Step ONE: Select disk where the Windows installation is ========================================================= Disks: Disk /dev/sda: 42.9 GB, 42949672960 bytes Candidate Windows partitions found: 1 : /dev/sda1 40958MB BOOT Please select partition by number or q = quit d = automatically start disk drivers m = manually select disk drivers to load f = fetch additional drivers from floppy / usb a = show all partitions found l = show propbable Windows (NTFS) partitions only Select: [1]
這時需要選擇 Partition ,因為只有一個,所以輸入 1 (我修復的那台機器有三個 Partitions,一開始我是選錯的,就會發生找不到 windows 的狀態,然後重選,所以除非你電腦上有裝多套 Windows ,否則選錯是不會怎麼樣的。
輸入 1 後:Selected 1 Mounting from /dev/sda1, with filesystem type NTFS NTFS volume version 3.1.
-
設定 Windows 路徑
========================================================= ¤ Step TWO: Select PATH and registry files ========================================================= What is the path to the registry directory? (relative to windows disk) [WINDOWS/system32/config] :
一般來說,除非你改目錄,否則都應該是這個目錄。
接下來會出現:-rw------- 2 0 0 262144 Feb 28 2007 BCD-Template -rw------- 2 0 0 6815744 Sep 23 12:33 COMPONENTS -rw------- 1 0 0 262144 Sep 23 12:33 DEFAULT drwx------ 1 0 0 0 Nov 2 2006 Journal drwx------ 1 0 0 8192 Sep 23 12:33 RegBack -rw------- 1 0 0 524288 Sep 23 12:33 SAM -rw------- 1 0 0 262144 Sep 23 12:33 SECURITY -rw------- 1 0 0 15728640 Sep 23 12:33 SOFTWARE -rw------- 1 0 0 9175040 Sep 23 12:33 SYSTEM drwx------ 1 0 0 4096 Nov 2 2006 TxR drwx------ 1 0 0 4096 Feb 27 2007 systemprofile Select which part of registry to load, use predefined choices or list the files with space as delimiter 1 - Password reset [sam system security] 2 - RecoveryConsole parameters [software] q - quit - return to previous [1] :
選擇 1 就可以重設密碼了。 -
重設密碼
Selected files: sam system security Copying sam system security to /tmp ========================================================= ¤ Step THREE: Password or registry edit ========================================================= chntpw version 0.99.5 070923 (decade), (c) Petter N Hagen Hive name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> Page at 0x44000 is not 'hbin', assuming file contains garbage at end File size 524288 [80000] bytes, containing 11 pages (+ 1 headerpage) Used for data: 288/250904 blocks/bytes, unused: 15/23176 blocks/bytes. Hive name (from header): <SYSTEM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c <lh> Page at 0x8b4000 is not 'hbin', assuming file contains garbage at end File size 9175040 [8c0000] bytes, containing 2117 pages (+ 1 headerpage) Used for data: 96982/6224016 blocks/bytes, unused: 4381/2830032 blocks/bytes. Hive name (from header): <emRoot\System32\Config\SECURITY> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c <lf> Page at 0x6000 is not 'hbin', assuming file contains garbage at end File size 262144 [40000] bytes, containing 5 pages (+ 1 headerpage) Used for data: 334/17312 blocks/bytes, unused: 7/3008 blocks/bytes. * SAM policy limits: Failed logins before lockout is: 0 Minimum password length : 0 Password history count : 0 ======== chntpw Main Interactive Menu ======== Loaded hives: 1 - Edit user data and passwords 2 - Syskey status & change 3 - RecoveryConsole settings - - - 9 - Registry editor, now with full write support! q - Quit (you will be asked if there is something to save) What to do? [1] ->如果你不清楚其他的作用,那就直接輸入 1 就好!此時會出現這個畫面:Select: ! - quit, . - list users, 0x - User with RID (hex) or simply enter the username to change: [Administrator] admin RID : 1000 [03e8] Username: admin fullname: comment : homedir : User is member of 1 groups: 00000220 = Administrators (which has 4 members) Account bits: 0x0214 = [ ] Disabled | [ ] Homedir req. | [X] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 0 Total login count: 3 - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Edit (set new) user password (careful with this on XP or Vista) 3 - Promote user (make user an administrator) (4 - Unlock and enable user account) [seems unlocked already] q - Quit editing user, back to user select Select: [q] > 1 Password cleared!
選擇 1 可以清除密碼,或是選擇 2 可以重設密碼。記得注意,如果他已經被 lock ,那你就要選擇 4 把帳號 unlock 。
完成後輸入 ! 即可離開。======== chntpw Main Interactive Menu ======== Loaded hives: <sam> <system> <security> 1 - Edit user data and passwords 2 - Syskey status & change 3 - RecoveryConsole settings - - - 9 - Registry editor, now with full write support! q - Quit (you will be asked if there is something to save) What to do? [1] -> q Hives that have changed: # Name 0 - OK ========================================================= ¤ Step FOUR: Writing back changes ========================================================= About to write file(s) back! Do it? [n] : y最後會再跟你確認一次是否要執行,當然要輸入 y 囉,不然前面就作白工了!然後重開機試試看吧。 -
後記現在流行雲端,其實自動備份的軟體,像是 drop box,或是 Windows Mesh 都是不錯的選擇,多多備份比較安全囉。希望大家都用不到這個工具!
Facebook 討論區載入中...