How to Remove Windows 10 Login Password Using Kali Linux

8
Updated on 26 May 2022
Windows 10

Do you forget your password to Windows 10 local account and can't pass the lock / login page at all? The problem is, that locked account is the only account on that computer and it's a local administrator account.

I experienced that nightmare the other day.

I searched some free solutions online for that matter. Many tutorials suggest to use Offline NT Password & Registry Editor from Pogostick, but I didn't have any luck using it to reset Windows 10 login password. Some of the errors I got were "Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b" and stuck on "Booting the kernel."

After tried several solutions, tools, and faced some troubles along the way, I was finally able to remove my Windows 10 local account's login password.

Below I put together what I did to remove Windows 10 local administrator account login password in easy step-by-step.

What you need to remove Windows 10 login password

  • Kali Linux ISO. Download it from Kali Linux Downloads page. For this tutorial, I used version 2019.2 of Kali Linux 64-Bit. [Update on 26 May 2022: If you want to use this specific Kali Linux's old version, you can download it here: kali-linux-2019.2-amd64.iso]
  • Universal USB Installer (UUI). Download it from Pendrivelinux UUI. I used version 1.9.8.7. [Update on 26 May 2022: this older version (UniversalUSBInstaller1.9.8.7) can be downloaded from archive.org]
  • USB Flashdrive. Kali Linux used about 3.1 – 3.4 GB.
  • Computer. You need access to a computer to install Kali Linux on USB flashdrive.

Steps to remove Windows 10 login password

  1. Download Kali Linux ISO and Universal USB Installer from above links.
  2. Plug in a USB flashdrive that you want to use as a bootable USB drive to a computer that you have access to.
  3. Run Universal USB Installer (UUI) .exe file on the same computer as the USB's. Setup UUI:
    1. On Step 1, select "Debian Live".
    2. On Step 2, check the "Show All ISOs?". Browse and select the Kali Linux .iso file that you downloaded.
    3. On Step 3, select the USB drive
    4. Click "Create"
Universal USB Installer Settings - Debian Live Kali Linux
  1. Now let's move to the computer whose password you forgot. Plug in the Kali Linux bootable USB.
  2. Go to the computer's BIOS settings. How to enter the BIOS settings will vary depend on your computer's manufacturer - please check the manual book. Some ways that you can try are:
    1. Press the turn on button, and immediately press F12. The screen will go dark for a moment, then open the BIOS settings.
    2. OR, you can try to boot up until you reach the login screen. Hold Shift button while you select the Restart option. You will enter Advanced Boot Options blue screen with big title "Choose an option". Select "Troubleshoot" > "Advanced options" > "UEFI Firmware Settings". Click "Restart".
  3. Change the boot order so that the computer will boot from the USB drive first. If you don't find the option to boot from USB drive, try to check and make sure (however, again, it depends on your computer's manufacturer BIOS settings):
    1. The "USB Boot" is enabled
    2. Boot mode support Legacy and boot priority is Legacy First.
  4. Save changes and restart the computer
  5. You will boot to Kali Linux Live screen. Choose "Live (forensic mode)"
Kali Linux Live Screen
  1. Go to System32 folder. Navigate from "+Other Locations" > "Windows" > "Windows" > "System32". Select "Open in Terminal" option from the dropdown menu.
System32 Open in Terminal
  1. Go to config folder by typing: cd config
  2. In the config folder, type chntpw -l SAM to list user(s). Note the username.
    1. If you get error in this step that read as follow: read error: : Read-only file system, turn off the computer and remove the bootable USB.
    2. Turn on the computer again until it reaches the Windows login screen. Plug in the bootable USB. Choose the Restart option from Windows login screen. Let it boot from the USB.
    3. Do the steps 8-11.
  3. Type chntpw -u USERNAME SAM to open details of the specific username. Change the 'USERNAME' with your username, e.g chntpw -u John SAM
  4. Type 1 to choose option number 1 - Clear (blank) user password.
  5. Type q to quit editing user
  6. Type y
  7. Turn off the computer. Remove the bootable USB. Turn on the computer.
  8. Enter the BIOS settings to change boot order to Windows again.
  9. You should now be able to enter Windows 10 with your administrator account without any password. You can set password to your account again from the Windows user settings.

8
First published by  on Last Modified on 26 May 2022.

8 Comments

Add new comment
  • Disconnect the power cable from your pc or if its a laptop disconnect the power cable turn it on and let it running until battery gets to 0% and laptop turns itself off.Than reconnect the power cable and boot immediately into bootable usb kali and remove the password from SAM config.This should do the trick if you cant disable hibernation in bios.U can disable this feature when u log into windows.It is in power options,choose what the power buttons do.This is how I bypassed the hibernation feature.I know it has been a year since u posted a comm but this may help someone.

  • No Config directory on Configuration. Got error message unable to open/read a hive, exiting… when running chntpw -l SAM

  • Kali Linux doesn’t work with UEFI mode. However, legacy mode is not available on my Surface Pro tablet. Finally I managed to log in with PCUnlocker. Thanks anyway!

    • Sorry to hear it didn’t work for you. Thank you for the tip to PCUnlocker. Maybe it can help someone in the future that got the same problem with Surface Pro tablet.

    • Kali Linux works just fine with UEFI mode, in fact it works flawlessly regardless of whether you choose legacy or UEFI, the only reason I can think you’d say that is the secure boot settings.

  • does not let me mount as rw due to windows being in hibernation aka fast boot. tried to do -o remove_hiberfile which does not work. tried that with a mix of options like -t ntfs, ntfs-3g, rw nothing works to mount it as rw. it just mounts as ro. so not sure how to disable fast boot or hibernation without logging in. dont know if because its on a nvme instead of sdb2 but it does mount as ro.

Add A Comment

Your email address will not be published. Required fields are marked *