Description: Fix spelling and grammar mistakes in documentation Author: Javier Fernandez-Sanguino Forwarded: NOT yet Last-Update: 2014-08-07 Copyright: This file is distributed with the same license as the chntpwd sources This patch is the result of reviewing (by a non-foreign speaker, oh! the irony!) the documentation provided by the upstream author in the sources (text files). It tries to fix some grammar and spelling mistake, while trying not to add any new ones. --- a/MANUAL.txt +++ b/MANUAL.txt @@ -15,14 +15,14 @@ SOFTWARE - HKEY_LOCAL_MACHINE\SOFTARE: Config and info of installed software and a lot of higher level windows config -Note that these programs (and the registry library they use) does not -join all these files in the same tree like windows does. +Note that these programs (and the registry library they use) do not +join all these files in the same tree like Windows does. For example, a path like HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control is not valid, it is instead just ControSet001\Control (after selecting the hive if more than one is loaded) -But except if you use the registry edit or export/import functions you +But, unless you use the registry edit or export/import functions, you do not need think about this as for other things the tools handle this. @@ -49,65 +49,65 @@ - -u Username or RID (0x3e9 for example) to interactively edit + -u Username or RID (0x3e9 for example) to edit interactively -Invoke the interactive edit menu on specified user. -Specifying a user name will most likely fail if user has international -character, so better to use user ID (RID), for example +Invoke the interactive edit menu on the specified user. +Specifying a user name will most likely fail if the username has international +characters, so itis better to use the user's ID (RID), for example chnptw -u 0x3e9 SAM -to edit user with hexadecimal RID 3e9 +to edit the user with hexadecimal RID 3e9 - -l list all users in SAM file and exit + -l list all users in the SAM file and exit -Just that, list users in human readable form, with some info about if -user is admin and if password is set. +Just that, list all the users in human readable form, with some information +about the user, such as if the user is an administrator user and if the password is set. -i Interactive Menu system Invokes the menu system. Menu items will vary a bit depending on what registry hives are loaded. - -f Interactively edit first admin user + -f Interactively edit the first admin user -Select first admin user for edit. This is user with lowest RID that -also is member of administators group, or built-in user 0x1f4 if not -others possible. +Select the first admin user for edit. This is the user with the lowest RID that +also is member of the administrators group, or the built-in user 0x1f4 if no +other users are found. -e Registry editor. Now with full write support! -Enter the registry editor. It is a small command system. ? for help -there. See other documentation for more on regedits. +Enter the registry editor. It is a small command system. Press '?' for help +there. See other documentation for more information on regedits. - -d Enter buffer debugger instead (hex editor), + -d Enter the buffer debugger instead (hex editor), -Command line type hex editor, mostly for debugging purposes. ? for help. +Command line type hex editor, mostly used for debugging purposes. ? for help. - -v Be a little more verbose (for debuging) + -v Be a little more verbose (for debugging) Lots of debug output during most operations (especially hive loading) -L For scripts, write names of changed files to /tmp/changed If any of the other functions changes the registry, the changed files -are listed here. Can be used by wrapper scripts to know what to save. +are listed here. This option can be used by wrapper scripts to know what to save. My boot CD uses it. -N No allocation mode. Only same length overwrites possible (very safe mode) -Safe mode. Will only allow changes in registry that overwrites old -values with same length data. Password reset only changes 2 bytes, and -does not change value lenght, so password reset will still work in +Safe mode. This option will only allow changes in the registry that overwrite old +values with the same length data. Password reset only changes 2 bytes, and +does not change value length, so password resets will still work in this safe mode. If something tries to violate this safe mode, a lot of -error messages (some of the rather obscure) may occur. +error messages (some of them rather obscure) may be shown. -E No expand mode, do not expand hive file (safe mode) Safe mode. Does not allow expanding the size of the file, but will -allow adding keys/values as long as there is free space in the file +allow adding keys/values as long as there is enough free space in the file already. (most files contains some free space) If expansion is needed but not allowed by this option, -a lot of obscure error messages may occur, and file should not be saved. +a lot of obscure error messages may be show, and the file should not be saved. ------------------------------------------------------------------------- @@ -155,10 +155,10 @@ reged -x system HKEY_LOCAL_MACHINE\\SYSTEM ControlSet001 output.reg -should export everything below ControlSet001 key from registry hive -file named system into .reg file named output.reg, using +should export everything below ControlSet001 key from the registry hive +file named 'system' into the .reg file named 'output.reg', using HKEY_LOCAL_MACHINE\SYSTEM in front of every key name in the .reg file. -(in most shells \\ is needed to ignore the meaning \ has to the shell) +(in most shells \\ is needed to ignore the meaning '\' has to the shell) reged -x system HKEY_LOCAL_MACHINE\\SYSTEM ControlSet001\\Enum output.reg @@ -166,7 +166,7 @@ reged -x system HKEY_LOCAL_MACHINE\\SYSTEM \\ output.reg -export everything in the system file +exports everything in the system file @@ -174,12 +174,12 @@ Import from .reg file. Where for example is HKEY_LOCAL_MACHINE\SOFTWARE Only one .reg and one hive file supported at the same time -Reverse of -x, this reads from a .reg file and puts it into the hive -file, just like regedit.exe foobar.reg will do in windows. -The is removed from the start of each key name, if you +This option is the opposite of -x: it reads from a .reg file and puts it into the hive +file, just like 'regedit.exe foobar.reg' will do in Windows. +The is removed from the beginning of each key name, if you specify this wrong, the result may not be what you expected. KNOWN PROBLEM: This routine is slow, very slow indeed on binary values (has -hex numbers in .reg file). May take over 5 minutes to import a file +hex numbers in .reg file). It may take over 5 minutes to import a file the size of a normal XP software-hive .reg export. Problems / unusual things in the .reg file may cause crash or unexpected data or some times even an error messsage! :) @@ -190,10 +190,10 @@ -e ... Interactive edit one or more of registry files -Enter the registry editor. It is a small command system. ? for help +Enter the registry editor. This is a small command system. Press '?' for help there. See other documentation for more on regedits. -If both -I and -e given, editor will be entered after import, but -before save, so you can check things if you need. +If both -I and -e given, editor will be entered after importing, but +before saving, so you can check things if you need. Options: @@ -292,12 +292,12 @@ samusrgrp is a command line tool to add users to groups or remove users from -groups. Users and groups must be local (cannot be domain / AD). +groups. Users and groups must be local (i.e. they cannot be domain / AD). It can also list the groups with their members in several forms, the -output can be used in scripts of course. +output can be used in scripts as it is provided in machine readable format. Listing groups will also list domain users that are members of the -group (if any), but it will not be able to look up the name, so it +group (if any), but it will not be able to look up the name, so they will be listed as a SID only. samusrgrp version 0.2 130501, (c) Petter N Hagen @@ -310,7 +310,7 @@ -L = list groups and also their members -s = Print machine SID -For add or remove, you must also specify a bit more info: +To add or remove a user, you must also specify some more information: Parameters: can be given as a username or a RID in hex with 0x in front @@ -356,9 +356,9 @@ Members name (if available, else SID) Members SID -So in this example, the Guests group have 2 members: Administrator and +So in this example, the Guests group has 2 members: Administrator and Guest. -At the time of writing this, it WILL NOT LIST EMPTY GROUPS (no +At the time of writing this, it WILL NOT LIST EMPTY GROUPS (groups with no members). I plan to change this, empty groups on one line with -1 in member number field, and rest of user fields empty. @@ -429,7 +429,7 @@ User RID (hex) User name -Is user admin? (1 = yes, 0 = no) (member of group ID 0x220) +Is the user an administrator? (1 = yes, 0 = no) (member of group ID 0x220) Account flags, ACB (hex). See sam.h file. Password hash length. 14 = normal password. 0 or 4 = probably blank. @@ -441,58 +441,61 @@ Reset user :01f4:Administrator Reset user :03e9:pnh -which of course is :RID:username +which of course is in the format :RID:username Explanation on this: -r -f -> Reset password of admin user with lowest RID not counting built-in admin (0x1f4) unless it is the only admin -All windows from NT3.1 up has a system created administrator account +All Windows systems, from version NT3.1 up, include a predefined administrator account with RID (user ID) 0x1f4 (500 decimal) -Before Windows XP the installer asked for a password for this account, -and then it was used to login first after installation. -(Built-in guest account was also created by the installer, but it has +Before Windows XP, the installer asked for a password for this account, +and then it was used to login right after installation. +(The built-in 'Guest' account was also created by the installer, but it has always been disabled by default) -On Windows XP and newer systems, the installer also creates this -account, but locks it down, it generally cannot be logged in. It is -also not shown on the welcome screen (unless all other users are +On Windows XP and newer Windows systems, the installer also creates this +account, but it is locked down. It cannot be used to log in. It is +also not shown on the 'Welcome' screen (unless all other users are deleted or disabled) -The installer instead asks for a user to create during install. That + +Instead, the installer asks for a new user to create during the installation. That user is a normal non-hardwired user (RID > 0x3e8, 1000 decimal), -and it is added to the built-in administrators group (group # 0x220). +and it is added to the built-in Administrators' group (group # 0x220). -It is users in the built-in group 0x220 that generally has full +The users in the built-in group 0x220 ('Administrators') generally have full administrator rights to the machine. -(XP installer can create several users, but only first gets group +(Note: XP installer can create several users, but only the first user gets group 0x220) -More users can of course be added from the control panel, and they can -be put into the 0x220 group if neccessary. From the "simplified" -control panel dialog this is what happens if user is selected to be able to -have full (or admin) access to the machine. If user is set to "normal" -or something like that, it is not in the 0x220 group. +More users can of course be added from the Control Panel, and they can +be added to the 0x220 group if neccessary. From the "simplified" +Control Panel dialog this is what happens if a user is selected and is configured to +have full (or admin) access to the machine. If a user is set to "normal" +or something like that, it will not be included in the 0x220 group. From the "Users and Groups" part of the administrative tools (not -available on some home versions of windows) the group assignments and +available on some Windows Home versions) the group assignments and other user info can be changed in more detail of course. + From there, users in a domain (if machine is in domain) can also be -added to the local 0x220 group, the domain user full access to that -local machine even if the user is nothing special in the domain. +added to the local 0x220 group. A domain user will have full access to that +local machine even if the user is not included in any Domain Administrators' +group. Anyway.. -On XP and newer, it is therefore not the hardwired 0x1f4 account that is -used for admim. On home machines it is most often the first regular one (since -most people do not change any user stuff after the installer) or it -could be any other user in the list. +On XP and newer Windows version, the hardwired 0x1f4 account is not used +for administrative purposes. On home machines it is most often the first +regular user (since most people do not change any user stuff after the +installation) or it could be any other user in the list. -So this reset function picks the first it finds over 0x3e8 (1000) +So this reset function picks the first user it finds over 0x3e8 (1000) that is also in the 0x220 group. It will most likely work for 98% of -home user machines :) Unless there are no users in the 0x220 group, -then it picks the 0x1f4 hard-wired user (since it may be Windows +home user machines :) If there are no users in the 0x220 group, +then it will pick the 0x1f4 hard-wired user (since the system may be Windows 2000??????). This may of course be wrong if someone managed to remove all accounts @@ -502,7 +505,7 @@ Explanation on -a -r: -The -r -a option will reset all users in the 0x220 group. Also user +The -r -a option will reset all users in the 0x220 group. This includes user 0x1f4, which maybe is bad.. will consider changing this... --- a/README.txt +++ b/README.txt @@ -7,17 +7,17 @@ "ntreg" (the registry library) and "libsam" (SAM manipulation library, user, groups etc) -is licensed under the GNU Lesser Public License. See LGPL.txt. +are licensed under the GNU Lesser Public License. See LGPL.txt. "chntpw" (the password reset / registry editor frontend) "reged" (registry editor, export and import tool) "sampasswd" (password reset command line program) "samusrgrp" (user and group command line program) -is licensed under the GNU General Public License, see GPL.txt. +are licensed under the GNU General Public License, see GPL.txt. -For manual to the different commands, see MANUAL.txt -Also, all have some help built in, just use the -h option. +For a manual of the different commands, plese see MANUAL.txt +Also, all programs have some built-in help, just use the -h option. See INSTALL.txt for compile instructions. @@ -29,16 +29,23 @@ At that site there's a floppy and a bootable CD that use chntpw to access the NT/2k/XP/Vista/Win7/Win8 system it is booted on to edit password etc. -The instructions below are for the standalone program itself, not the floppy. +The instructions below are for the standalone program itself, not for the floppy. What does chntpw do? -------------------- This little program will enable you to view some information and -change user passwords, change user/group memberships -in a Windows (NT/XP/Vista/win7/win8) etc SAM userdatabase file. -You do not need to know the old passwords. -However, you need to get at the registry files some way or another yourself. +change user's passwords, change user/group's memberships +in a Windows (NT, XP, Vista, Win7, Win8, etc.) SAM userdatabase file. +You do not need to know the previous passwords. +However, you need to access at the registry files some way or another yourself. + +For example, you can run this utility from a Live CD in a Windows computer +and, after booting, mount the NTFS filesystem. Or remove the hard drive +from the system and install it (e.g. using a USB hard-disk case) in a +Linux system where you have this tool installed. + + In addition it contains a simple registry editor with full write support, and hex-editor which enables you to fiddle around with bits&bytes in the file as you wish yourself. @@ -46,9 +53,9 @@ Also have registry import or export ----------------------------------- -"reged" is a program that can do import and export of .reg files into -the registry hive (binary) files. Also has an editor, but still -rudimentary text based command line type thing. +"reged" is a program that can import and export .reg files into +the registry hive (binary) files. It also has an editor, but it is still +a rudimentary text based command-line type of thing. And by popular request Even have programs that can be used in scripts! @@ -65,41 +72,42 @@ I often forget passwords. Especially on test installations (that I just _must_ have some stuff out of half a year later..) -On most unix-based boxes you just boot the thingy off some kind +On most Unix-based boxes you just boot the thingy off some kind of rescue bootmedia (cd/floppy etc), and simply edit the password file. On Windows however, as far as I know, there is no way except reinstalling the userdatabase, losing all users except admin. (ok, some companies let you pay lotsa $$$$$ for some rescue service..) (ok, from Windows Vista or something you can make a password reset -file, but you have to remember to do that BEFORE you forget your password...) +CD or USB, but you have to remember to do that BEFORE you forget your password...) How? ---- -Currently, this thing only runs under linux, but it may just happen +Currently, this thing only runs under Linux, but it may just happen to compile on other platforms, too. -So, to set a new adminpassword on your Windows installation you either: +So, to set a new administrator's password on your Windows installation you either: -1) Take the harddrive and mount it on a linux-box +1) Take the harddrive and mount it on a Linux box or -2) Boot a "live" linux CD with full GUI (many available: Ubuntu, +2) Boot a "live" Linux CD with full GUI (there are many available: Ubuntu, Knoppix and more. Search for them) -In both those cases, use the "chntpw.static" program found in the +In both those cases, you can use the "chntpw.static" program found in the "static" zip file on my website. + or -3) Use my linux boot CD (or USB) at: http://pogostick.net/~pnh/ntpasswd/ +3) Use my Linux boot CD (or USB) avialable at: http://pogostick.net/~pnh/ntpasswd/ Usage: ------ -For manual to the different commands, see MANUAL.txt -Also, all have some help built in, just use the -h option. +You will find a manual to the different commands in the MANUAL.txt file. +Also, all programs have some help built in, just use the -h option. Some old tech babble on how the password is stored -------------------------------------------------- @@ -108,21 +116,21 @@ A struct, called the V value of a key in the NT registry was suddenly somewhat documented through the pwdump utility -included in the unix Samba distribution. +included in the Unix Samba distribution. This struct contains some info on a user of the NT machine, along with 2 crypted versions of the password associated with the account. One password is the NT console login password, -the other the LANMAN network share password +the other is the LANMAN network share password (which essentially is the first one in uppercase only, - and no unicode) + and no Unicode) This is how NT encrypts the passwords: The logon cleartext password a user enters is: -1) Converted to unicode -2) A MD4 hash is made out of the unicode string +1) Converted to Unicode +2) A MD4 hash is made out of the Unicode string 3) Then the hash is crypted with DES, using the RID (lower part of the SID, userid) as the crypt key. This is the so called "obfuscation" step, so @@ -134,7 +142,7 @@ 1) Uppercased (and illegal characters probably removed) 14 bytes max, if less the remaining bytes are zeroed. 2) A known (constant) string is DES-encrypted - using 7 first characters of the password as the key. + using the 7 first characters of the password as the key. Another constant is encrypted using the last 7 chars as the key. The result of these two crypts are simply appended, @@ -142,13 +150,13 @@ 3) The same obfuscation DES stage as 3 above. 4) 16 bytes result put into the V struct. -Since the number of possible combinations in the lanman +Since the number of possible combinations in the LANMAN password is relatively low compared to the other one, and it's easy to see if it's shorter than 8 chars or not it's used first in brute-force-crackers. -This program, however, don't care at all what the old -one is, it just overwrites it with the new one. +This program, however, does not care at all what the old +passowrd is, it just overwrites it with the new one. Ok. So, how do we find and identify the V struct? Yeah.. that was the hard part.. The files structure @@ -204,4 +212,4 @@ 0x0035a8 80 REG_BINARY 0x003228 508 REG_BINARY -For more techincal info, look it up in the source code. +For more technical info, look it up in the source code.