Use a bootable rescue ISO if the Windows administrator account is locked or its password is forgotten. This tutorial is a step-by-step guide to unlocking the administrator account on Windows Server with SystemRescueCD, a self-contained Linux ISO used for many maintenance and rescue tasks. This guide applies to:
If possible, perform a clean Windows shutdown. When you attach the rescue ISO, the server reboots through the customer portal. If Windows isn't already powered down at that point, you may have issues mounting the disk later in SystemRescueCD.
Before attempting any rescue, back up your VPS. Vultr offers manual snapshots and automated backups for VPS instances. If you do not have automatic backups enabled, make a manual snapshot. Attempting to rescue a server without a backup is reckless. There is no substitute for a sound backup strategy. You can create a server snapshot in a few clicks in the customer portal.
You are responsible for backing up all your mission-critical data, following your local laws and organizational policies. Vultr does not maintain additional backups outside your customer portal.
Navigate to the Server Information page in the customer portal. Select Settings > Custom ISO. Select the SystemRescueCD ISO, then click Attach ISO and Reboot.
The server will reboot from the ISO. Connect to the server with the web console to perform the rescue steps. It may take a few moments for you to be able to view your instance console while the server reboots.
Select "Boot SystemRescueCd using default options" and press ENTER. Wait for the ISO to boot to a root prompt.
Locate the correct Windows device with fdisk. Look for the main Windows system device. Normally, this will be the NTFS type device with a similar size to the VPS disk. For this tutorial, use /dev/vda2, the 79.5 GB NTFS device.
# fdisk -l
Device Boot Start End Sectors Size Id Type
/dev/vda1 * 2048 1126399 1124352 549M 7 HPFS/NTFS/exFAT
/dev/vda2 1126400 167770111 166643712 79.5G 7 HPFS/NTFS/exFAT
Make a mount point folder.
# mkdir /mnt/win
Attempt to mount the Windows system disk.
# mount /dev/vda2 /mnt/win
If the mount succeeds, skip to the next section. The mount may report errors like the following if the system wasn't shut down cleanly in step one.
The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS
partition is in an unsafe state. Please resume and
shutdown Windows fully (no hibernation or fast
restarting.)
If mount reports errors like those shown above, the Windows device is mounted read-only. Before you can correct the error, unmount the drive.
# umount /dev/vda2
With the drive unmounted, run ntfsfix to resolve the dirty shutdown error. Replace /dev/vda2 with your partition.
# ntfsfix /dev/vda2
...
NTFS partition /dev/vda2 was processed successfully.
After ntfsfix completes, attempt to mount the device.
# mount /dev/vda2 /mnt/win
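The locate-and-mount steps above combined into one script, added here as an example that is not part of the original tutorial. The function names and the MOUNTS_FILE variable are this example's own; it assumes an MBR partition table like the fdisk output above and that a read-only fallback appears as "ro" in /proc/mounts.

```shell
#!/bin/sh
# Added example; function names and MOUNTS_FILE are hypothetical helpers.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# fdisk output from this tutorial, kept as sample input for largest_ntfs_part.
SAMPLE_FDISK='Device Boot Start End Sectors Size Id Type
/dev/vda1 * 2048 1126399 1124352 549M 7 HPFS/NTFS/exFAT
/dev/vda2 1126400 167770111 166643712 79.5G 7 HPFS/NTFS/exFAT'

# Read "fdisk -l" text on stdin; print the Id 7 (NTFS) partition with the most sectors.
largest_ntfs_part() {
    awk '$1 ~ /^\/dev\// {
             off = ($2 == "*") ? 1 : 0   # the boot flag shifts the columns by one
             sectors = $(4 + off) + 0; id = $(6 + off)
             if (id == "7" && sectors > best) { best = sectors; dev = $1 }
         }
         END { if (dev == "") exit 1; print dev }'
}

# Print "rw", "ro" or "unmounted" for device $1, based on the mount table.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            state = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "unmounted" : state) }' "$MOUNTS_FILE"
}

# Mount device $1 on $2. If the mount fell back to read-only (dirty NTFS),
# unmount, run ntfsfix, and mount once more. Succeeds only if the result is rw.
mount_windows_rw() {
    mkdir -p "$2"
    mount "$1" "$2" || return 1
    if [ "$(mount_state "$1")" = "ro" ]; then
        umount "$1" || return 1
        ntfsfix "$1" || return 1
        mount "$1" "$2" || return 1
    fi
    [ "$(mount_state "$1")" = "rw" ]
}

# Usage inside the rescue environment: sh script.sh /mnt/win
if [ "$#" -eq 1 ]; then
    dev=$(fdisk -l | largest_ntfs_part) && mount_windows_rw "$dev" "$1"
fi
```

Confirm the partition the script selects against the fdisk listing before editing anything on it.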
Navigate to the C:\Windows\System32\config folder, which is now mounted in SystemRescueCD under /mnt/win.
# cd /mnt/win/Windows/System32/config/
Launch chntpw in interactive mode, using the default Security Account Management (SAM) database.
# chntpw -i SAM
1 - Edit user data and passwords
2 - List groups
- - -
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
Enter 1 + ENTER to edit user passwords. A user list will appear.
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 01f7 | DefaultAccount | | dis/lock |
| 01f5 | Guest | | dis/lock |
| 01f8 | WDAGUtilityAccount | | dis/lock |
Please enter user number (RID) or 0 to exit: [1f4]
Enter the RID number for the account you'd like to edit.
- - - - User Edit Menu:
1 - Clear (blank) user password
(2 - Unlock and enable user account) [seems unlocked already]
3 - Promote user (make user an administrator)
4 - Add user to a group
5 - Remove user from a group
q - Quit editing user, back to user select
Select: [q] > 1
Choose an option from the menu. For this tutorial, choose 1 to clear the password.
Password cleared!
Enter Q to exit the user menu.
Enter Q to exit chntpw.
Hives that have changed:
# Name
0 <SAM>
Write hive files? (y/n) [n] : y
Change to the root directory.
# cd /
Unmount the Windows device.
# umount /dev/vda2
You must log in to the server through the web console to set a new password. Remote Desktop Protocol (RDP) does not allow login with blank passwords.
With the password reset, you can resume using Windows as usual.