02 November 2011

Hex Edit Windows 7 SAM file to enable Administrator Account

It could happen that you were connected to a Windows domain and have decided to leave it.
What if all local users are disabled?

You cannot rejoin a Windows domain, because you have no local user account able to log in and perform the join.
You can still start your computer and see the login screen, but you will stay a click away from your desktop...

Fortunately, there are plenty of tools that let you re-enable the Administrator account and even reset its password:
(Simply search "offline windows password change" on Google)

But in my case, editing the SAM file on another computer simply didn't work, and I didn't want to burn a CD or corrupt my multiboot USB key.

So I booted Lubuntu, already installed on my USB key, and decided to hex edit the file.

Later on, I found a Linux tool called chntpw that could be installed on my live Lubuntu distro and could do the trick, but I went another way:
  1. apt-get install hexedit
  2. Open the SAM file (which contains the local user accounts)
    1. hexedit /media/os/Windows/System32/config/SAM
  3. Find the signature "000001F4"
    1. CTRL+S : 3030303030314634
  4. Find the signature "2.9.8"
    1. CTRL+S : 3200390038
  5. With the cursor on the "2" character, move 18 hex positions to the left (i.e. press the left arrow key 36 times)
  6. The hex value there should be 11; replace it with 10
  7. Save by pressing F2
  8. Reboot into Windows
  9. Enjoy your local administrator account enabled with a blank password*
* If the administrator password wasn't changed by a user or a GPO
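
A read-only check for steps 3 to 6, to confirm that the byte you are about to change is the expected one before saving (an added example, not part of the original post). The function names and the sample buffer are constructed for illustration; pass the path to a copy of the SAM file as the first argument to inspect a real hive.

```python
import sys

KEY_NAME = b"000001F4"                # ASCII for 3030303030314634 (step 3)
MARKER = bytes.fromhex("3200390038")  # byte pattern searched in step 4
BACK = 18                             # 36 left-arrow presses = 36 nibbles = 18 bytes
STATES = {0x11: "disabled", 0x10: "enabled"}  # the two values named in step 6


def locate_flag(data):
    """Follow steps 3-5 and return (offset, value) of the byte they land on."""
    key = data.find(KEY_NAME)
    if key < 0:
        raise ValueError("key name 000001F4 not found")
    marker = data.find(MARKER, key + len(KEY_NAME))
    if marker < 0:
        raise ValueError("pattern 32 00 39 00 38 not found after the key name")
    offset = marker - BACK
    if offset < key + len(KEY_NAME):
        raise ValueError("pattern is too close to the key name; layout differs")
    return offset, data[offset]


def describe(data):
    """Report the flag byte without modifying anything."""
    offset, value = locate_flag(data)
    return {"offset": offset, "value": value,
            "state": STATES.get(value, "unexpected")}


def sample_hive(flag):
    """Constructed buffer laid out as the steps describe; not a real SAM hive."""
    return (b"\xff" * 32 + KEY_NAME + b"\xaa" * 40 + bytes([flag])
            + b"\xbb" * 17 + MARKER + b"\xcc" * 8)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # read-only: the hive is never written
            result = describe(fh.read())
    else:
        result = describe(sample_hive(0x11))
    print("offset 0x{offset:X}: value 0x{value:02X} ({state})".format(**result))
    if result["state"] == "unexpected":
        sys.exit("byte is neither 0x11 nor 0x10: do not edit, the layout differs")
```

The printed offset is the position to jump to in hexedit; an "unexpected" result means the two searches matched somewhere other than where the steps assume.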
