Recovering a Windows 10 password when the partition is read-only

On my new laptop I entered a new password for my account the first time I booted Windows. I no longer remember this password.

The account was just a local account and not a Microsoft account, so I can't recover the password that way.

I am a linux user and have installed Debian alongside Windows. I tried using the 'chntpw' software to change/remove the account password, but when I run the program in the correct folder I get the following error:

root@sam:/media/sda3/Windows/System32/config# chntpw -i SAM
chntpw version 1.00 140201, (c) Petter N Hagen
openHive(SAM) failed: Read-only file system, trying read-only
openHive(): read error: : Read-only file system
chntpw: Unable to open/read a hive, exiting..

I did a bit of googling and found out that Windows 10 has a half-hibernate feature that allows it to boot faster, but requires the partition to be read-only even when Windows has shut down. There is a way to turn this off in the settings, but I can't access the settings as I can't log in!

Is there a way to use chntpw while the partition is locked, or alternatively a way of shutting down Windows so that I can write to the partition?

Sam

Posted 2015-12-07T16:22:55.953

Reputation: 191

Answers

Start booting Windows and press F8 during the boot process. Select to discard hibernation data and start Windows normally, then shut it down. That should remove hibernation data and make the partition read-write again.

As a last resort, boot Windows till the password prompt, wait for the HDD to settle down then switch the laptop off with the power button.

Then boot into Debian and try the chntpw trick once more.

Dmitry Grigoryev

Posted 2015-12-07T16:22:55.953

Reputation: 7 505

2The author is unable to boot into Windows, in order to disable hibernation, because he doesn't know the password to what I presume is the only user account enabled. So simply discarding the hibernation data would be enough in this case, to solve the problem that the drive is locked, because of the hibernation file. – Ramhound – 2015-12-07T16:40:19.540

F8 menu is not password-protected AFAIK. – Dmitry Grigoryev – 2015-12-07T16:43:02.933

If the user starts Windows 10 normally then shuts Windows down, a new hibernation file will be created, because he wasn't able to log into the user in order to disable hibernation since that is the default behavior. – Ramhound – 2015-12-07T16:44:44.767

Do you think the power button trick might work? – Dmitry Grigoryev – 2015-12-07T16:48:14.693

I think enabling the Administrator user and disabling hibernation or simply doing this and booting into his other operating system would be a better solution. A hard shutdown seems like an odd solution to a problem easily worked around. – Ramhound – 2015-12-07T16:52:50.080

2Thanks for this answer. I'm not sure why my question was downvoted but this solved my problem and will help other people in the same situation. – Sam – 2015-12-07T17:13:49.270

There is another option. Before you ran chntpw in Debian, you had to mount the drive with a command like sudo ntfs-3g /dev/sda3 /media/sda3. (That assumes that you already created /media/sda3.) If you had used the remove_hiberfile option, such as sudo ntfs-3g -o remove_hiberfile /dev/sda3 /media/sda3, then ntfs-3g would have deleted the Windows hibernation file hiberfil.sys for you, which would have solved your problem.

Please note that using an external program to delete the Windows hibernation file is dangerous, because any data saved only to the hibernation file will be lost. This procedure is only to be done as a last resort.

rclocher3

Posted 2015-12-07T16:22:55.953

Reputation: 121

There is an easy fix for this problem.

Boot Windows, then click on the screen to access the login window.

In the lower right corner, click the Power icon, then click restart. No hibernation data is written by Windows when restarted, only when shut down.

Boot into Linux and go ahead with clearing your Windows password.

Once you're able to log into Windows, disable Fast Startup so you won't run into this problem in the future. See https://www.windowscentral.com/how-disable-windows-10-fast-startup for how-to details.

By the way, as mentioned in the article, you will probably have to disable Fast Startup again after each Windows "edition" update.

S. Y. Lerner

Posted 2015-12-07T16:22:55.953

Reputation: 21

thnks.work 4 me. – Yosi Azwan – 2019-05-12T04:11:37.840

The problem is that the chntpw binaries distributed in common Linux package repos, do not work on x86_64. I successfully worked around it by downloading a statically linked binary of chntpw, which is found in http://pogostick.net/~pnh/ntpasswd/chntpw-source-140201.zip as chntpw.static. Copy that file over into /usr/bin, make it executable, work around the hibernate issue, and I was able to edit SAM.

That's the root cause, but before you do that, you must work around the hibernate issue. If you have lost your original password, don't try to trick Windows into a full shutdown, it won't work. Here is what you do:

(and become root, of course)

Run fix on the filesystem. Mine is /dev/sda4.
Therefore I run: ntfsfix /dev/sda4
Mount using the command to remove the hiberfile.
mount -t ntfs-3g -o remove_hiberfile /dev/sda4 /mnt/win

Edit: Even this didn't remove hiberfile.sys, but I was able to mount the FS and delete hiberfile.sys manually.

(or wherever your mount point is).

Slack Flag

Posted 2015-12-07T16:22:55.953

Reputation: 101

-1

On Windows 10 if you hold shift while clicking shut down on the login screen it goes into a full shutdown, which let me write to the partition when I tried it.

Egan Johnson

Posted 2015-12-07T16:22:55.953

Reputation: 1