By default winpass without any arguments will reset the builtin administrator account of a locally installed Windows, but you can specify other accounts as well at the commandline. In fact, you can add any parameter from chntpw which will be parsed to the commandline. So winpass -l will list all usernames found in the SAM (=Windows user and password database). Should you have troubles that metacharacters are present in the username (such as the Ø or something), you can still use the HEX reference to the username listed next to it. Be sure to prepend that with a '0x'. More info on that can be found in the chntpw manual.
Winpass does not reset any Active Directory passwords
[root@trk]:(~)# winpass -u "John Doe"
Searching and mounting all filesystems on local machine
Remounting NTFS partitions with ntfs-3g
Result of mounting:
/dev/hda1 on /hda1 type fuseblk (rw,allow_other,blksize=4096)
Windows NT/2K/XP installation(s) found in:
1: /hda1/WINDOWS
Make your choice or 'q' to quit [1]: 1
Ok, continue
chntpw version 0.99.6 080526 (sixtyfour), (c) Petter N Hagen
Hive <SAM> name (from header): <\SystemRoot\System32\Config\SAM>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x8000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 7 pages (+ 1 headerpage)
Used for data: 317/24808 blocks/bytes, unused: 6/3640 blocks/bytes.
Hive <SECURITY> name (from header): <\SystemRoot\System32\Config\SECURITY>
ROOT KEY at offset: 0x001020 * Subkey indexing type is: 666c
Page at 0x10000 is not 'hbin', assuming file contains garbage at end
File size 262144 [40000] bytes, containing 15 pages (+ 1 headerpage)
Used for data: 1108/53920 blocks/bytes, unused: 11/7040 blocks/bytes.
* SAM policy limits:
Failed logins before lockout is: 3
Minimum password length : 7
Password history count : 7
| RID -|---------- Username ------------| Admin? |- Lock? --|
| 01f4 | Administrator | ADMIN | |
| 03eb | ASPNET | ADMIN | |
| 01f5 | Guest | ADMIN | dis/lock |
| 03e8 | HelpAssistant | | dis/lock |
| 03f0 | John Doe | ADMIN | |
| 03ea | SUPPORT_388945a0 | | dis/lock |
---------------------> SYSKEY CHECK <-----------------------
SYSTEM SecureBoot : -1 -> Not Set (not installed, good!)
SAM Account\F : 1 -> key-in-registry
SECURITY PolSecretEncryptionKey: 1 -> key-in-registry
Syskey not installed!
RID : 1008 [03f0]
Username: John Doe
fullname: John Doe
comment :
homedir :
User is member of 2 groups:
00000221 = Users (which has 4 members)
00000220 = Administrators (which has 7 members)
Account bits: 0x0010 =
[ ] Disabled | [ ] Homedir req. | [ ] Passwd not req. |
[ ] Temp. duplicate | [X] Normal account | [ ] NMS account |
[ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act |
[ ] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) |
[ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) |
Failed login count: 0, while max tries is: 3
Total login count: 0
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] > 1
Password cleared!
Hives that have changed:
# Name
0 <SAM> - OK
Backup file already exists. Not touching this file. Please be aware that 'winpass --restore' would restore the very original file from before winpass was ever run
Writing /hda1/WINDOWS/system32/config/SAM
[root@trk]:(~)#