Recovering a Windows 10 password when the partition is read-only

Question

On my new laptop I entered a new password for my account the first time I booted Windows. I no longer remember this password.

The account was just a local account and not a Microsoft account, so I can't recover the password that way.

I am a linux user and have installed Debian alongside Windows. I tried using the 'chntpw' software to change/remove the account password, but when I run the program in the correct folder I get the following error:

root@sam:/media/sda3/Windows/System32/config# chntpw -i SAM
chntpw version 1.00 140201, (c) Petter N Hagen
openHive(SAM) failed: Read-only file system, trying read-only
openHive(): read error: : Read-only file system
chntpw: Unable to open/read a hive, exiting..

I did a bit of googling and found out that Windows 10 has a half-hibernate feature that allows it to boot faster, but requires the partition to be read-only even when Windows has shut down. There is a way to turn this off in the settings, but I can't access the settings as I can't log in!

Is there a way to use chntpw while the partition is locked, or alternatively a way of shutting down Windows so that I can write to the partition?

Answer 1

There is an easy fix for this problem.

Boot Windows, then click on the screen to access the login window.

In the lower right corner, click the Power icon, then click restart. No hibernation data is written by Windows when restarted, only when shut down.

Boot into Linux and go ahead with clearing your Windows password.

Once you're able to log into Windows, disable Fast Startup so you won't run into this problem in the future. See https://www.windowscentral.com/how-disable-windows-10-fast-startup for how-to details.

By the way, as mentioned in the article, you will probably have to disable Fast Startup again after each Windows "edition" update.

Answer 2

Start booting Windows and press F8 during the boot process. Select to discard hibernation data and start Windows normally, then shut it down. That should remove hibernation data and make the partition read-write again.

As a last resort, boot Windows till the password prompt, wait for the HDD to settle down then switch the laptop off with the power button.

Then boot into Debian and try the chntpw trick once more.

Answer 3

The solution for me was what Egan Johnson posted in his answer (I do not have reputation to upvote or comment, so adding separate answer here).

I was in the same situation as the original poster:

• Windows 10 shut down with a hiberfile, so Linux live distro can not mount NTFS with read write permissions, and therefore chntpw can not work.
• With no working login to to Windows to change the Fast Boot option, not possible to get a clean shutdown without hiberfile

In addition the F8 option in the accepted answer was disabled. To enable it, you need to log in change it, so not possible without login.

What solved it for me was following Egan Johnson's answer and this link How to Fully Shutdown Windows 10 Instead of Hibernating It.

Holding down SHIFT while clicking Shutdown from the login screen, I was able to perform a clean shut down off Windows from the login screen. Next boot with Linux live was able to mount the disk with read write permissions.

Answer 4

There is another option. Before you ran chntpw in Debian, you had to mount the drive with a command like sudo ntfs-3g /dev/sda3 /media/sda3. (That assumes that you already created /media/sda3.) If you had used the remove_hiberfile option, such as sudo ntfs-3g -o remove_hiberfile /dev/sda3 /media/sda3, then ntfs-3g would have deleted the Windows hibernation file hiberfil.sys for you, which would have solved your problem.

Please note that using an external program to delete the Windows hibernation file is dangerous, because any data saved only to the hibernation file will be lost. This procedure is only to be done as a last resort.

Answer 5

The way I was able to manage this was to run ntfsfix on the Windows partition before mounting it:

ntfsfix /dev/sda2 # this is an example Windows partition location
mount -t ntfs-3g /dev/sda2 /mnt

This put the Windows partition as read/write allowing me to clear the password.

Answer 6

On Windows 10 if you hold shift while clicking shut down on the login screen it goes into a full shutdown, which let me write to the partition when I tried it.

Answer 7

The problem is that the chntpw binaries distributed in common Linux package repos, do not work on x86_64. I successfully worked around it by downloading a statically linked binary of chntpw, which is found in http://pogostick.net/~pnh/ntpasswd/chntpw-source-140201.zip as chntpw.static. Copy that file over into /usr/bin, make it executable, work around the hibernate issue, and I was able to edit SAM.

That's the root cause, but before you do that, you must work around the hibernate issue. If you have lost your original password, don't try to trick Windows into a full shutdown, it won't work. Here is what you do:

(and become root, of course)

1. Run fix on the filesystem. Mine is /dev/sda4.
   Therefore I run: ntfsfix /dev/sda4
2. Mount using the command to remove the hiberfile.
   mount -t ntfs-3g -o remove_hiberfile /dev/sda4 /mnt/win

Edit: Even this didn't remove hiberfile.sys, but I was able to mount the FS and delete hiberfile.sys manually.

(or wherever your mount point is).

Answer 8

F8 was disabled for me as this was upgraded from windows 7 and I hear that can disable the F8 boot menu.

Also the restart/power of options were also disabled on the log in screen.

So, every time I started up the computer the only way to shut it down was by doing an unclean hard / semi hard power off. This left the NTFS volume in a bad state. I was up a creek on this one.

Here is how I fixed it:

I booted up and held the power button to shut off multiple times until I forced the start up repair.

I went into advanced options and troubleshooting.

I clicked on repair startup. (Repairs errors that prevent windows starting up) It ran through a repair (which said it failed for me anyway so don't worry)

Last I backed up to the option that said shutdown computer.

I am assuming this performed a clean shutdown because I was able to run: chntpw -l SAM without a hitch. I cleared the password and all was good!