Resetting Local Administrator/User Passwords on Windows NT/2000/XP/2003
The following document explains how to change an unknown password for any local account (including Administrator) on a Windows NT/2000/XP/2003 system. Use this only for disaster recovery purposes.

Requirements:

1.Physical access to the Windows NT/2000/XP/2003 machine
2.CD or DVD drive

Procedure:

1.Download KNOPPIX v. 4.0 (or above) ISO file and burn it to a CD.1
2.Power up the Windows system (if it’s not already running), insert the KNOPPIX CD into the CD/DVD drive and reboot.
3.At the BIOS screen quickly press F2 (or F12) to go into the Setup. Make sure that CD/DVD drive is listed as a boot device and comes before any hard drives. Save the changes to BIOS and allow the system to reboot.
4.A graphical KNOPPIX screen will appear the “boot:” prompt. Just hit Enter or wait and the system will continue booting after a couple of minutes.
5.Once the KDE desktop is loaded, open the Konqueror browser (it might already be opened) and configure the HTTP proxy if necessary (in the browser click on Setup -> Konqueror Configuration -> Proxy and enter the proxy IP/DNS address and port number).2
6.Download the Debian chntpw program or use the copy on the USB memory stick (see footnote 2 below). Place the chntpw_.deb in /ramdisk
7.Open a terminal window and do su – root
8.cd to /ramdisk and run the following commands:

alien -t  chntpw_.deb
tar xvzf chntpw_.tgz
mv ./usr/sbin/chntpw ./

9.Mount the Windows boot disk in read/write mode:

mount -t ntfs -v -o rw /dev/sda1 /mnt/sda1 3

10.To reset Windows passwords run the following commands:

cd /mnt/sda1/WINDOWS/system32/config4
/ramdisk/chntpw SAM

follow the system prompts to set a new Administrator password (you can enter * to remove the password altogether. 5
Answer “yes” to all chntpw prompts.
11.Unmount the Windows filesystem and reboot:

umount /mnt/sda1
reboot

12.Remove the CD-ROM when prompted and hit Enter to complete the reboot sequence.
13.As the system is rebooting, unplug the network cable.
14.On bootup Windows will attempt to scan the disk. Hit any key to cancel the scan or let the scan run to completion. If the scan started, do not attempt to interrupt it.
15.Login as Administrator on local machine (not domain) using your new password.
16.Connect network, if needed. Depending on the security policy, the Administrator password may eventually revert to its initial value. As Administrator you can prevent this.

* Microsoft, Windows and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.