Clearing a Windows Password from Linux

Download and install ntfs-3g

  • Download the driver that lets Linux mount the Windows disk

https://tuxera.com/opensource/ntfs-3g_ntfsprogs-2022.5.17.tgz
or
https://github.com/tuxera/ntfs-3g

  • Install (the archive name must match the one you downloaded; the link above is the 2022.5.17 release)
tar -xvf ntfs-3g_ntfsprogs-2022.5.17.tgz
cd ntfs-3g_ntfsprogs-2022.5.17
./configure
make
make install

Download and install chntpw

  • Download chntpw (the Fedora 36 package is used here)
https://pkgs.org/download/chntpw
wget https://download-ib01.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/os/Packages/c/chntpw-1.00-10.140201.fc36.x86_64.rpm
yum -y install ./chntpw-1.00-10.140201.fc36.x86_64.rpm

Mount the Windows disk

  • Mount the Windows system volume

By default the second partition is the C: drive; confirm the partition layout with lsblk or fdisk -l before mounting.

mkdir /win
mount -t ntfs-3g /dev/sda2 /win
  • Back up the SAM file
cd /win/Windows/System32/config/
cp SAM{,.bak}    # bash brace expansion, same as: cp SAM SAM.bak
  • Clear the Windows password
chntpw SAM       # with no -u, chntpw edits the Administrator account; use -l to list users or -u <user> to pick one
User Edit Menu:
 1 - Clear (blank) user password
 2 - Edit (set new) user password (careful with this on XP or Vista)
 3 - Promote user (make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
 q - Quit editing user, back to user select
Select: [q] > 1                         # 1: clear the password
Password cleared!

Select: [q] > q                         # q: leave the menu
Hives that have changed:
 #  Name
 0  <SAM>
Write hive files? (y/n) [n] : y         # y: write the changes to disk
 0  <SAM> - OK
  • Unmount the volume (umount /win) and boot back into Windows; nothing else is needed

Possible errors

  • Mount error caused by Windows not having been shut down cleanly:
The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Failed to mount '/dev/sda1': Operation not permitted
The NTFS partition is in an unsafe state. Please resume and shutdown
Windows fully (no hibernation or fast restarting), or mount the volume
read-only with the 'ro' mount option.
  • Fix (ntfsfix only clears the dirty flag and schedules a consistency check on the next Windows boot; it does not repair the file system. If Windows was hibernated or uses fast startup, the safer course is the one the message suggests: boot Windows, shut it down fully, then mount again, or mount read-only with -o ro)
ntfsfix /dev/sdXY

Editing the registry

  • Load a registry hive with chntpw's -e option
chntpw [OPTIONS] <samfile> [systemfile] [securityfile] [otherreghive] [...]
 -h          This message
 -u <user>   Username or RID (0x3e9 for example) to interactively edit
 -l          list all users in SAM file and exit
 -i          Interactive Menu system
 -e          Registry editor. Now with full write support!
 -d          Enter buffer debugger instead (hex editor),
 -v          Be a little more verbose (for debuging)
 -L          For scripts, write names of changed files to /tmp/changed
 -N          No allocation mode. Only same length overwrites possible (very safe mode)
 -E          No expand mode, do not expand hive file (safe mode)

Usernames can be given as name or RID (in hex with 0x first)

See readme file on how to get to the registry files, and what they are.
Source/binary freely distributable under GPL v2 license. See README for details.
NOTE: This program is somewhat hackish! You are on your own!

chntpw -e /win/Windows/System32/config/SYSTEM
  • Edit the registry contents
Simple registry editor. ? for help.

> ?
Simple registry editor:
hive [<n>]             - list loaded hives or switch to hive numer n
cd <key>               - change current key
ls | dir [<key>]       - show subkeys & values,
cat | type <value>     - show key value
dpi <value>            - show decoded DigitalProductId value
hex <value>            - hexdump of value data
ck [<keyname>]         - Show keys class data, if it has any
nk <keyname>           - add key
dk <keyname>           - delete key (must be empty)
ed <value>             - Edit value
nv <type#> <valuename> - Add value
dv <valuename>         - Delete value
delallv                - Delete all values in current key
rdel <keyname>         - Recursively delete key & subkeys
ek <filename> <prefix> <keyname>  - export key to <filename> (Windows .reg file format)
debug                  - enter buffer hexeditor
st [<hexaddr>]         - debug function: show struct info
q                      - quit
  • Background on the registry

There are a few keys to know about, and above all the relationship between ControlSet001, ControlSet002 and CurrentControlSet.

The HKLM\SYSTEM hive contains three control sets used for Windows startup (an additional backup control set may also exist). In the initial state these are ControlSet001, ControlSet002 and CurrentControlSet. The control sets hold the operating system's configuration: services, drivers, system control settings, enumeration data, and so on.

By default ControlSet001 holds the system's real configuration, but to avoid confusion over numbering, Windows makes a copy of ControlSet001 at startup to serve as the operating system's current configuration, which is CurrentControlSet. Every configuration change we make is written directly to CurrentControlSet, and as CurrentControlSet changes Windows overwrites ControlSet001 with its contents so that the two control sets stay identical.

Each time the operating system starts successfully (meaning a successful logon), it copies the data in ControlSet001 to ControlSet002, so ControlSet002 becomes the "last known good configuration". This is why a typical system registry has just these three control sets, numbered Current, 001 and 002. When the system is restarted after an abnormal shutdown, it is best to change ControlSet002 as well, so that the system does not automatically revert to the last known good configuration after boot.

Which configuration is actually selected is recorded in the Select key. When editing offline only ControlSet001 and ControlSet002 exist, and I edit ControlSet001 directly, since that is the one in effect.
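How the Select key decides which of the control sets above an offline edit must touch, as an added example that is not part of the original post: a small POSIX shell helper that reads a Windows .reg export of HKLM\SYSTEM\Select and prints the ControlSetNNN named by Current, plus the one named by LastKnownGood when it differs. It assumes the export was made with the editor's own ek command shown above (ek select.reg HKEY_LOCAL_MACHINE\SYSTEM \Select) or by regedit; the embedded sample is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a .reg export of the
# SYSTEM hive's Select key and lists the ControlSetNNN keys an offline edit
# has to touch: the one named by "Current", plus "LastKnownGood" when it
# differs, so a rollback to the last known good set does not undo the edit.
# Assumed input format: a Windows .reg file as written by the editor's
# "ek select.reg HKEY_LOCAL_MACHINE\SYSTEM \Select" command or by regedit.
# The sample below is constructed, not captured from a real machine.

select_reg='Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002
'

# reg_dword NAME REGTEXT: print the decimal value of the dword entry NAME,
# or print nothing and return 1 when the entry is absent.
reg_dword() {
    hex=$(printf '%s\n' "$2" |
        sed -n "s/^\"$1\"=dword:\([0-9A-Fa-f]\{1,8\}\).*/\1/p" | head -n 1)
    [ -n "$hex" ] || return 1
    printf '%d\n' "$((0x$hex))"
}

# control_sets_to_edit REGTEXT: one ControlSetNNN name per line, Current
# first, LastKnownGood second only when it points at a different set.
control_sets_to_edit() {
    cur=$(reg_dword Current "$1") || {
        echo "Select key has no Current value" >&2
        return 1
    }
    printf 'ControlSet%03d\n' "$cur"
    lkg=$(reg_dword LastKnownGood "$1") || return 0
    [ "$lkg" -ne "$cur" ] && printf 'ControlSet%03d\n' "$lkg"
    return 0
}

control_sets_to_edit "$select_reg"
```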

  • Example: changing the RDP port
cd ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
ed PortNumber
0xd3d            # 0xd3d = 3389, the default RDP port
  • Enabling Remote Desktop logon with a blank password:
Simple registry editor. ? for help.

> ls
Node has 17 subkeys and 0 values
  key name
  <ActivationBroker>
  <ControlSet001>
  <ControlSet002>
  <DriverDatabase>
  <HardwareConfig>
  <Input>
  <Keyboard Layout>
  <Maps>
  <MountedDevices>
  <ResourceManager>
  <ResourcePolicyStore>
  <RNG>
  <Select>
  <Setup>
  <Software>
  <WaaS>
  <WPA>

> cd ControlSet001\Control\Lsa

\ControlSet001\Control\Lsa> cat LimitBlankPasswordUse
Value <LimitBlankPasswordUse> of type REG_DWORD (4), data length 4 [0x4]
0x00000001

\ControlSet001\Control\Lsa> ed LimitBlankPasswordUse
EDIT: <LimitBlankPasswordUse> of type REG_DWORD (4) with length 4 [0x4]
DWORD: Old value 1 [0x1], enter new value (prepend 0x if hex, empty to keep old value)
-> 0
DWORD: New value 0 [0x0],
\ControlSet001\Control\Lsa> cat LimitBlankPasswordUse
Value <LimitBlankPasswordUse> of type REG_DWORD (4), data length 4 [0x4]
0x00000000

Finally press q to leave the editor and choose to save the changes; then unmount the volume and reboot Windows, and the repair is complete. Note that LimitBlankPasswordUse = 0 allows accounts with blank passwords to authenticate over the network (RDP included), so set it back to 1 once a real password is in place.

Copyright notice: this article is the author's original work; reposting requires the author's consent and is not permitted without it.