Offline registry tools and password resetter

Advanced users page

Here are the source code and binary downloads (see bottom of page) for the registry tools, along with documentation and release history.

This page is aimed at developers, tooldisk intergators, and system technicians. If you just need to use the tool to reset a password on your system, see the bootdisk download page.

Current features of the sam and registry tools and library

Library:

• Open several hives at once (they are however not linked in path-wise)
• Add and remove keys (still not rename, sorry)
• Add and remove values of any type. (no rename here either)
• Read data in values
• Put data into values.
• (Recursive) iterate / list keys, get values types etc.
• Recursive delete of keys
• Read key "class" field
• Expansion of the hive file now supported so you can add or import as much as you like!
• Currently just ignores security descriptors in the registry.
• Supports registry hives with different key indexing, so it covers all versions from NT3.51 to Win7/Win8.1 32/64bit and 2012 server.
• Can list and change (add / remove) local users in local groups
• Can list and reset passwords

• Simple interactive registry edit (command based), including hex edit of value data in unsupported value types.
• Export of registry (or parts of it) to .reg file readable by Windows regedit.exe.
• Import .reg file now in seemingly working condition. Will read files from regedit.exe, usually without changes. But currently slow.
• Password reset, password change (partial)
• User unlock
• User promotion (add to admin group 0x220. Now working!)
• Do scripted or interactive edit of user in group memberships
• Extract product key
• Some syskey reset actions (NT4/2k/XP), but very risky.
• .. and a lot of information and debug info for those who are interested.

News

This is news summary for the library and tools. Please see source and HISTORY.txt for more details.

2014-02-01 - New major features!

• New command line tools, both have script parsable output if needed
  • samusrgrp : group membership list / edit
  • sampasswd : user list and password reset
• The commands uses new library functions (libsam.c) for adding and removing users from local groups (group membership), including lower lever SID handling functions.
• Known BUG: If a user is member of no (0) groups, adding it to a group often crashes my program
• Interactive chntpw program changed a bit to then do groups, too. Also easier to quit (more logical looping / menu selections)
• Also note that some command line parameters for chntpw has changed, and it may be better to use sampasswd or samusrgrp in many "automatic" situations.
• Fixed a few smaller issues by myself
• Jacky To got two bugs, one nasty one that could thrash the hive when deleting bottom value in a key, and problem with uninitialized pointers when expanding the hive (would lead to a crash, no corruption I think). Both bugs fixed I hope.
• Steven Shiau submitted a patch making the scripting easier, I decided to go for completely new commands instead. But thank you to all who suggested the same.
• Also thanks to David Collett for catching and fixing bug in REG_MULTI_SZ editing.

• Hive expansion! Library now does hive file expansion by default if needed to when adding keys/values (but you can turn it off, safe mode). If expansion occured, you will get a warning when writing back.
• .reg file import! Will read files from regedit.exe in most cases (UTF-16) but can miss on some international characters. Also reads "latin" (8 bit) files.
• There were a lot of goofs by me in the add/delete key and value handling, which made windows complain and lose data. Hope I managed to fix them.
• Also, found out more about how Windows does things, for example more details of empty name (default) value, zero-size values, large values (gets split internally) and other special cases.
• Did quite a lot of testing by importing for example the SOFTWARE\Classes tree with regedit.exe and importing it again into the DEFAULT hive with my tool, then ask windows to "Load hive" (in regedit.exe). If it does not complain in the event log, it is good. (Also, seems like windows has gotten better at not bluescreening on a corrupt registry hive, did not get a single one when doing this with pretty messed up hives in win7 and Vista)
• Be aware that .reg import is currently very slow, since I messed up the design for the string reading badly, and also the add routines is not exactly optimized. Consider it a proof of concept! Example: Import of SOFTWARE\Microsoft tree (exported by regedit.exe) into the small DEFAULT hive took more than 10 minutes on a pretty fast machine. Especially hex data is slow (one byte at a time.. lazy me..)
• WARNING: .reg file import does not do much sanity checking of the input .reg file. It will either crash during import or mess up the registry if the .reg file is bad.
• This version has no significant changes in the password (reset) handling part of the tools.
• On TODO list for some of the next version: Windows like API. Faster .reg import. Fix bugs!

2010-06-27

• Patches from Frediano Ziglio adding or fixing:
• - buffer overflow in export_subkey printing keyname
• - reg export: some quoting error (name and string values must be quoted)
• - adding support for wide character encoding in keys and value names
• - and some other bugs fixed
• New function from from Aleksander Wojdyga to decode Digital Product ID. Now in registry editor, may be moved later. example dpi \Microsoft\Windows NT\CurrentVersion\DigitalProductId
• Syskey menu selection has been removed from text, but can still be selected as number 2. So that people stop emailing me when it bombs out.
• Some other minor tweaks

• New site, official URL is now: http://pogostick.net/~pnh/ntpasswd/
• All releases still contains old mail address, please note NEW mailaddress is pnh@pogostick.net. Old mailaddress vil be invalid after January 1st 2010.
• No new release, 2008-08-02 is still newest. Hope to release new early 2010.
• Some of the newest releases (from 2008) seems to be working (more or less) on Windows 7 without any changes.

2008-08-02 Released a CD, but no changes to registry edit / password handling, chntpw etc.

2008-05-26

• Fixed nasty bug which skipped first indirect index table when deleting keys. Usually threw recusive delete into a endless loop.
• Type QWORD now recongnized. Believe it is from XP and newer systems.
• Library functions accepting a path now has flag to say if search should be exact or on first match (partial string) basis.
• Export to .reg file by Leo von Klenze (Thank you!), expanded to handle more types by me.
• 64 bit compatible patch by Mike Doty, via Alon Bar-Lev, http://bugs.gentoo.org/show_bug.cgi?id=185411

• Fixed hang in bootdisk/CD
• Also fixed a script crash in the floppy.

• User promotion now official! You can add a user into the administrator group, making the user an administrator!
• Password edit has cosmetical changes / menu control
• Some verbosity / text info has changed.
• A few smaller bugfixes
• Bootfloppy release is back. Better driver handling. Better NTFS handling.

• Now with Vista support! 32 & 64 bit. (NTFS filesystem driver now supports Vista)
• CD has better driver support, changed quite a bit.
• Mostly cosmetical changes to "chntpw" program.
• Main password reset and regedit (chntpw + ntreg) code now made GPL licensed, for those of you who care. Source available at the source page.

2006-04-06, release 060213

• Driver updates only, see download page for more info.

• Driver updates only, see download page for more info.

• New and improved driver probe on disk, now with probe based on PCI info. The CD/floppy should now work much better for SATA and other drivers needing multiple driver modules.
• Fixed a small bug causing crashes when loading some hives (end pointer of last page seems to be way off sometimes). Thanks to Michael Rothstein for providing a hive file with this "weirdness"

2004-11-01 (no new release)

• Added some info about "changes not taking effect" to the FAQ

2004-08-18, release 040818

• Fixed critical bugs in regedit hive allocation routines, earlier versions may corrupt the hive when adding, expanding or deleting keys or values. Earlier version should be safe for password edit usually.
• Added edit support for large keys (typically more than 500 subkeys), this happens often i SOFTWARE\Classes. As a bi-effect there is now full support for writing NT 3.51 registry, too. (it's related to key indices and indirect indices if many subkeys)
• Regedit string input bugfix. Often crashed earlier. Several people reported this, with some suggestions. It's still ugly, however :/
• Regedit recursive key delete 'rdel' added. It is rather slow however, and may hang or crash if given illegal key names. It also may produce some debug output in some situations.
• Regedit 'hex' command to dump value in hex no matter what type the value is.
• Regedit 'ck' command to dump class data of key, if it has any. (most keys does not have class data). Keys with classes are marked with * in the key listings. No edit of it yet.
• Some bugs fixed in hive file load/save, and error handling. Thanks for reports from several people on this.
• Generally NO CHANGES to password edit stuff.

2004-08-09: IN VERSION 0401xx AND EARLIER: Some rather serious bugs have been discovered in the allocation routines, which are used when adding or deleting values or keys in the registry editor. In best case, they leak space, in worst case, it may corrupt the file.
NOTE: This does not generally affect password changing, since password reset just overwrites a few bytes in place, it does not reallocate space.
SUMMARY: Password edit OK. Regedit may not be. Expect new version out within a week or so.

2004-01-16, release 040116

• Completely new bootdisk system! Hopefully a bit easier to understand and run through.
• Support for easy change of RecoveryConsole parameters (one of them tells RecoveryConsole to NOT ask for admin password).
• A few bugfixes. For those of you wanting to look and build chntpw from the source, it should now compile??

2003-04-26:

• Newer NTFS driver and internals of writebacks changed a bit on floppy, may fix some hangs reported on writing back to NTFS.
• No changes to chntpw program itself
• John Simpson supplies nice description on how to fix up lost admin password in ActiveDirectory.

Earlier history removed.. (started in 1997)

Source code and more info

• chntpw-source-140201.zip - Source code + static linked binaries (zipped)
• README.txt - Readme file from the source archive. Contains some technical info.
• MANUAL.txt - Short manual on the command line tools + reg edit.
• GPL.txt - "chntpw" and other command programs license is GPL
• LGPL.txt - "ntreg"-library license is LGPL
• HISTORY.txt - History file from the archive.
• regedit.txt - Regedit short demo.
• syskey.txt - (obsolete) Technical info on howto switch off syskey.

ntreg.c & ntreg.h now somewhat makes a rather complete library for access to the registry files. There is currenctly no documentation for the different function calls, and all functions may change in future releases. I plan on cleaning it up, and if possible mimicing the windows API.

Explanation of win3.11, win95 and NT registry files can be found in WinReg.txt, written by some German (I think, at least speaks German) named B.D. Sorry I don't have that persons full name, I can't find a name/address in the file, and it was not credited when I picked it up from some website many years ago. This is the original file as I found it, I've discovered some minor errors and some changes in newer windows versions, but not corrected the file. Look it up in my sourcecode for more detailed info.

See also the bootdisk page for easy-to-use password reset system.

Please read the