demo@mx1:/ $ setxkbmap de demo@mx1:/ $ lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS loop0 7:0 0 2.6G 1 loop /live/linux sda 8:0 0 1.8T 0 disk ├─sda1 8:1 0 100M 0 part ├─sda2 8:2 0 16M 0 part ├─sda3 8:3 0 1.8T 0 part /mnt/windows └─sda4 8:4 0 773M 0 part sdb 8:16 1 7.3G 0 disk └─sdb1 8:17 1 7.3G 0 part /home/demo/Live-usb-storage /root/Live-usb-storage /live/boot-dev sr0 11:0 1 1024M 0 rom demo@mx1:/ $ blkid /dev/sda1: UUID="6E47-6871" BLOCK_SIZE="512" TYPE="vfat" PARTLABEL="EFI system partition" PARTUUID="17554526-8baf-448a-9274-45d78c622af0" /dev/sda3: BLOCK_SIZE="512" UUID="A2F44987F4495F23" TYPE="ntfs" PARTLABEL="Basic data partition" PARTUUID="c06d52cc-18d6-4e20-9244-6b6f65924c14" /dev/sda4: BLOCK_SIZE="512" UUID="4C3EE1243EE10832" TYPE="ntfs" PARTUUID="73ab11e5-405c-46ee-af26-56d9cdaa3362" /dev/sdb1: LABEL="MX-LIVE" UUID="BEBD-B6AD" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="1371a1ae-01" demo@mx1:/ $ sudo apt-get install os-prober Reading package lists... Done Building dependency tree... Done Reading state information... Done os-prober is already the newest version (1.81). 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. 
demo@mx1:/ $ sudo os-prober demo@mx1:/ $ cd /var/log/ demo@mx1:/var/log $ cat user.log cat: user.log: Permission denied demo@mx1:/var/log $ sudo cat user.log 2024-12-27T15:31:59.764056-05:00 mx1 spice-vdagent[4369]: vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0 does not exist, exiting 2024-12-27T16:22:11.943502-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda1 2024-12-27T16:22:11.983523-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda2 2024-12-27T16:22:12.005131-05:00 mx1 50mounted-tests: debug: /dev/sda2 type not recognised; skipping 2024-12-27T16:22:12.009715-05:00 mx1 os-prober: debug: os detected by /usr/lib/os-probes/50mounted-tests 2024-12-27T16:22:12.025361-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda3 2024-12-27T16:22:12.057342-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda4 2024-12-27T16:22:12.105130-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/05efi on mounted /dev/sdb1 2024-12-27T16:22:12.112287-05:00 mx1 05efi: debug: Not on UEFI platform 2024-12-27T16:22:12.117062-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/10freedos on mounted /dev/sdb1 2024-12-27T16:22:12.124132-05:00 mx1 10freedos: debug: /dev/sdb1 is a FAT32 partition 2024-12-27T16:22:12.132615-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/10qnx on mounted /dev/sdb1 2024-12-27T16:22:12.139776-05:00 mx1 10qnx: debug: /dev/sdb1 is not a QNX4 partition: exiting 2024-12-27T16:22:12.144340-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/20macosx on mounted /dev/sdb1 2024-12-27T16:22:12.151427-05:00 mx1 macosx-prober: debug: /dev/sdb1 is not an HFS+ partition: exiting 2024-12-27T16:22:12.156096-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/20microsoft on mounted /dev/sdb1 2024-12-27T16:22:12.163318-05:00 mx1 20microsoft: debug: /dev/sdb1 is a FAT32 partition 
2024-12-27T16:22:12.182596-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/30utility on mounted /dev/sdb1 2024-12-27T16:22:12.189760-05:00 mx1 30utility: debug: /dev/sdb1 is a FAT32 partition 2024-12-27T16:22:12.201885-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/40lsb on mounted /dev/sdb1 2024-12-27T16:22:12.209589-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/70hurd on mounted /dev/sdb1 2024-12-27T16:22:12.217028-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/80minix on mounted /dev/sdb1 2024-12-27T16:22:12.224330-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/83haiku on mounted /dev/sdb1 2024-12-27T16:22:12.231416-05:00 mx1 83haiku: debug: /dev/sdb1 is not a BeFS partition: exiting 2024-12-27T16:22:12.236116-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/90linux-distro on mounted /dev/sdb1 2024-12-27T16:22:12.250550-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/90solaris on mounted /dev/sdb1 2024-12-27T16:22:21.384742-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda1 2024-12-27T16:22:21.744410-05:00 mx1 50mounted-tests: debug: mounted using GRUB fat filesystem driver 2024-12-27T16:22:21.749441-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/05efi 2024-12-27T16:22:21.756160-05:00 mx1 05efi: debug: Not on UEFI platform 2024-12-27T16:22:21.760736-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10freedos 2024-12-27T16:22:21.767495-05:00 mx1 10freedos: debug: /dev/sda1 is a FAT partition (mounted by GRUB) 2024-12-27T16:22:21.776282-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10qnx 2024-12-27T16:22:21.783084-05:00 mx1 10qnx: debug: /dev/sda1 is not a QNX4 partition: exiting 2024-12-27T16:22:21.787622-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20macosx 2024-12-27T16:22:21.794402-05:00 mx1 
macosx-prober: debug: /dev/sda1 is not an HFS+ partition: exiting 2024-12-27T16:22:21.798947-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20microsoft 2024-12-27T16:22:21.805798-05:00 mx1 20microsoft: debug: /dev/sda1 is a FAT partition (mounted by GRUB) 2024-12-27T16:22:21.826476-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/30utility 2024-12-27T16:22:21.833392-05:00 mx1 30utility: debug: /dev/sda1 is a FAT partition (mounted by GRUB) 2024-12-27T16:22:21.845967-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/40lsb 2024-12-27T16:22:21.853230-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/70hurd 2024-12-27T16:22:21.860399-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/80minix 2024-12-27T16:22:21.867438-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/83haiku 2024-12-27T16:22:21.874229-05:00 mx1 83haiku: debug: /dev/sda1 is not a BeFS partition: exiting 2024-12-27T16:22:21.878914-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90linux-distro 2024-12-27T16:22:21.894437-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90solaris 2024-12-27T16:22:21.901881-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/efi 2024-12-27T16:22:21.928222-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda2 2024-12-27T16:22:21.993571-05:00 mx1 50mounted-tests: debug: /dev/sda2 type not recognised; skipping 2024-12-27T16:22:21.998587-05:00 mx1 os-prober: debug: os detected by /usr/lib/os-probes/50mounted-tests 2024-12-27T16:22:22.014043-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda3 2024-12-27T16:22:22.305299-05:00 mx1 50mounted-tests: debug: mounted using GRUB ntfs filesystem driver 2024-12-27T16:22:22.309713-05:00 mx1 50mounted-tests: debug: running subtest 
/usr/lib/os-probes/mounted/05efi 2024-12-27T16:22:22.316426-05:00 mx1 05efi: debug: Not on UEFI platform 2024-12-27T16:22:22.320891-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10freedos 2024-12-27T16:22:22.327677-05:00 mx1 10freedos: debug: /dev/sda3 is not a FAT partition: exiting 2024-12-27T16:22:22.332131-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10qnx 2024-12-27T16:22:22.338912-05:00 mx1 10qnx: debug: /dev/sda3 is not a QNX4 partition: exiting 2024-12-27T16:22:22.343388-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20macosx 2024-12-27T16:22:22.350443-05:00 mx1 macosx-prober: debug: /dev/sda3 is not an HFS+ partition: exiting 2024-12-27T16:22:22.354919-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20microsoft 2024-12-27T16:22:22.361954-05:00 mx1 20microsoft: debug: /dev/sda3 is a NTFS partition 2024-12-27T16:22:23.025233-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/30utility 2024-12-27T16:22:23.033023-05:00 mx1 30utility: debug: /dev/sda3 is not a FAT partition: exiting 2024-12-27T16:22:23.038130-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/40lsb 2024-12-27T16:22:23.046082-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/70hurd 2024-12-27T16:22:23.053389-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/80minix 2024-12-27T16:22:23.060411-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/83haiku 2024-12-27T16:22:23.067176-05:00 mx1 83haiku: debug: /dev/sda3 is not a BeFS partition: exiting 2024-12-27T16:22:23.071664-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90linux-distro 2024-12-27T16:22:23.112698-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90solaris 2024-12-27T16:22:23.119945-05:00 mx1 50mounted-tests: debug: running 
subtest /usr/lib/os-probes/mounted/efi 2024-12-27T16:22:23.143811-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/50mounted-tests on /dev/sda4 2024-12-27T16:22:23.529019-05:00 mx1 50mounted-tests: debug: mounted using GRUB ntfs filesystem driver 2024-12-27T16:22:23.533579-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/05efi 2024-12-27T16:22:23.541914-05:00 mx1 05efi: debug: Not on UEFI platform 2024-12-27T16:22:23.546921-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10freedos 2024-12-27T16:22:23.553790-05:00 mx1 10freedos: debug: /dev/sda4 is not a FAT partition: exiting 2024-12-27T16:22:23.558467-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/10qnx 2024-12-27T16:22:23.565302-05:00 mx1 10qnx: debug: /dev/sda4 is not a QNX4 partition: exiting 2024-12-27T16:22:23.570056-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20macosx 2024-12-27T16:22:23.576869-05:00 mx1 macosx-prober: debug: /dev/sda4 is not an HFS+ partition: exiting 2024-12-27T16:22:23.581357-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/20microsoft 2024-12-27T16:22:23.588145-05:00 mx1 20microsoft: debug: /dev/sda4 is a NTFS partition 2024-12-27T16:22:23.719608-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/30utility 2024-12-27T16:22:23.726397-05:00 mx1 30utility: debug: /dev/sda4 is not a FAT partition: exiting 2024-12-27T16:22:23.730943-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/40lsb 2024-12-27T16:22:23.738270-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/70hurd 2024-12-27T16:22:23.745699-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/80minix 2024-12-27T16:22:23.752940-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/83haiku 2024-12-27T16:22:23.759650-05:00 mx1 83haiku: debug: /dev/sda4 is not a 
BeFS partition: exiting 2024-12-27T16:22:23.764100-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90linux-distro 2024-12-27T16:22:23.799495-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/90solaris 2024-12-27T16:22:23.806827-05:00 mx1 50mounted-tests: debug: running subtest /usr/lib/os-probes/mounted/efi 2024-12-27T16:22:23.843300-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/05efi on mounted /dev/sdb1 2024-12-27T16:22:23.850155-05:00 mx1 05efi: debug: Not on UEFI platform 2024-12-27T16:22:23.854710-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/10freedos on mounted /dev/sdb1 2024-12-27T16:22:23.861642-05:00 mx1 10freedos: debug: /dev/sdb1 is a FAT32 partition 2024-12-27T16:22:23.870015-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/10qnx on mounted /dev/sdb1 2024-12-27T16:22:23.877101-05:00 mx1 10qnx: debug: /dev/sdb1 is not a QNX4 partition: exiting 2024-12-27T16:22:23.881674-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/20macosx on mounted /dev/sdb1 2024-12-27T16:22:23.888416-05:00 mx1 macosx-prober: debug: /dev/sdb1 is not an HFS+ partition: exiting 2024-12-27T16:22:23.892927-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/20microsoft on mounted /dev/sdb1 2024-12-27T16:22:23.899744-05:00 mx1 20microsoft: debug: /dev/sdb1 is a FAT32 partition 2024-12-27T16:22:23.918919-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/30utility on mounted /dev/sdb1 2024-12-27T16:22:23.925724-05:00 mx1 30utility: debug: /dev/sdb1 is a FAT32 partition 2024-12-27T16:22:23.937692-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/40lsb on mounted /dev/sdb1 2024-12-27T16:22:23.944892-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/70hurd on mounted /dev/sdb1 2024-12-27T16:22:23.952016-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/80minix on mounted /dev/sdb1 2024-12-27T16:22:23.958958-05:00 
mx1 os-prober: debug: running /usr/lib/os-probes/mounted/83haiku on mounted /dev/sdb1 2024-12-27T16:22:23.965698-05:00 mx1 83haiku: debug: /dev/sdb1 is not a BeFS partition: exiting 2024-12-27T16:22:23.970291-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/90linux-distro on mounted /dev/sdb1 2024-12-27T16:22:23.984280-05:00 mx1 os-prober: debug: running /usr/lib/os-probes/mounted/90solaris on mounted /dev/sdb1 demo@mx1:/var/log $ sudo mkdir /mnt/windows demo@mx1:/var/log $ sudo mount -t ntfs-3g /dev/sda3 /mnt/windows demo@mx1:/var/log $ ls /mnt/windows/Users admin-usc 'All Users' Default 'Default User' desktop.ini Public demo@mx1:/var/log $ find /mnt/windows -type f -size +100M -exec ls -lh {} \; | awk '{ print $NF ": " $5 }' /mnt/windows/hiberfil.sys: 3.2G /mnt/windows/pagefile.sys: 1.9G (x86)/Microsoft/Edge/Application/121.0.2277.106/msedge.dll: 261M (x86)/Microsoft/EdgeCore/121.0.2277.106/msedge.dll: 261M (x86)/Microsoft/EdgeWebView/Application/121.0.2277.106/msedge.dll: 261M /mnt/windows/swapfile.sys: 256M Information/{1b9f0ecc-c34d-11ef-b333-5800e3441bf6}{3808876b-c176-4e48-b7ae-04046e6cc752}: 512M /mnt/windows/Windows/System32/Microsoft-Edge-WebView/msedge.dll: 256M /mnt/windows/Windows/System32/MRT.exe: 181M /mnt/windows/Windows/WinSxS/amd64_microsoft-edge-webview_31bf3856ad364e35_10.0.22621.3007_none_72fe7b4806349259/msedge.dll: 256M demo@mx1:/var/log $ find /mnt/windows -type f \( -name "*.mp4" -o -name "*.mkv" -o -name "*.avi" \) -exec ls -lh {} \; | awk '{ print $NF ": " $5 }' Files/WindowsApps/Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe/PeopleAppAssets/Videos/people_fre_motionAsset_p1.mp4: 34K Files/WindowsApps/Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe/PeopleAppAssets/Videos/people_fre_motionAsset_p2.mp4: 24K Files/WindowsApps/Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe/PeopleAppAssets/Videos/people_fre_motionAsset_p3.mp4: 22K 
/mnt/windows/Windows/ImmersiveControlPanel/SystemSettings/Assets/SDRSampleAccessibility.mkv: 1.8M /mnt/windows/Windows/SystemApps/Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy/media/oobe-intro.mp4: 580K /mnt/windows/Windows/SystemResources/Windows.UI.SettingsAppThreshold/SystemSettings/Assets/EdrCalibration.mkv: 877K /mnt/windows/Windows/SystemResources/Windows.UI.SettingsAppThreshold/SystemSettings/Assets/HDRSample.mkv: 1.7M /mnt/windows/Windows/SystemResources/Windows.UI.SettingsAppThreshold/SystemSettings/Assets/SDRSample.mkv: 1.8M /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.3085_none_fad69a9a12776d02/EdrCalibration.mkv: 877K /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.3085_none_fad69a9a12776d02/HDRSample.mkv: 1.7M /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.3085_none_fad69a9a12776d02/SDRSample.mkv: 1.8M /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.3085_none_fad69a9a12776d02/SDRSampleAccessibility.mkv: 1.8M /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-c..st.appxmain.desktop_31bf3856ad364e35_10.0.22621.2280_none_691866de3f73014d/oobe-intro.mp4: 580K /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-c..st.appxmain.desktop_31bf3856ad364e35_10.0.22621.2506_none_68ef6c1a3f93242e/oobe-intro.mp4: 580K /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.2792_none_fa8c2de212aeffe6/EdrCalibration.mkv: 877K /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.2792_none_fa8c2de212aeffe6/HDRSample.mkv: 1.7M /mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.2792_none_fa8c2de212aeffe6/SDRSample.mkv: 1.8M 
/mnt/windows/Windows/WinSxS/amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22621.2792_none_fa8c2de212aeffe6/SDRSampleAccessibility.mkv: 1.8M $ cd /mnt/windows/Windows/System32/config/ demo@mx1:/mnt/windows/Windows/System32/config $ sudo apt install chntpw -y [sudo] password for demo: Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: chntpw 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 99.6 kB of archives. After this operation, 498 kB of additional disk space will be used. Get:1 http://deb.debian.org/debian bookworm/main amd64 chntpw amd64 140201-1 [99.6 kB] Fetched 99.6 kB in 0s (435 kB/s) Selecting previously unselected package chntpw. (Reading database ... 359602 files and directories currently installed.) Preparing to unpack .../chntpw_140201-1_amd64.deb ... Unpacking chntpw (140201-1) ... Setting up chntpw (140201-1) ... Processing triggers for man-db (2.11.2-2) ... demo@mx1:/mnt/windows/Windows/System32/config $ cd /mnt/windows/Windows/System32/config demo@mx1:/mnt/windows/Windows/System32/config $ sudo chntpw -l SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 318/32576 blocks/bytes, unused: 25/16352 blocks/bytes. | RID -|---------- Username ------------| Admin? |- Lock? 
--| | 03e9 | admin-usc | ADMIN | | | 01f4 | Administrator | ADMIN | dis/lock | | 01f7 | DefaultAccount | | dis/lock | | 01f5 | Gast | | dis/lock | | 01f8 | WDAGUtilityAccount | | dis/lock | demo@mx1:/mnt/windows/Windows/System32/config $ sudo chntpw -u Administrator SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 318/32576 blocks/bytes, unused: 25/16352 blocks/bytes. ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Vordefiniertes Konto für die Verwaltung des Computers bzw. der Domäne homedir : 00000220 = Administratoren (which has 2 members) Account bits: 0x0211 = [X] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 10 Total login count: 0 - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 1 Password cleared! ================= USER EDIT ==================== RID : 0500 [01f4] Username: Administrator fullname: comment : Vordefiniertes Konto für die Verwaltung des Computers bzw. der Domäne homedir : 00000220 = Administratoren (which has 2 members) Account bits: 0x0211 = [X] Disabled | [ ] Homedir req. | [ ] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. 
| [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 0, while max tries is: 10 Total login count: 0 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password 2 - Unlock and enable user account [probably locked now] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > q Hives that have changed: # Name 0 Write hive files? (y/n) [n] : y 0 - OK demo@mx1:/mnt/windows/Windows/System32/config $ sudo chntpw -u admin-usc SAM chntpw version 1.00 140201, (c) Petter N Hagen Hive name (from header): <\SystemRoot\System32\Config\SAM> ROOT KEY at offset: 0x001020 * Subkey indexing type is: 686c File size 65536 [10000] bytes, containing 7 pages (+ 1 headerpage) Used for data: 318/32576 blocks/bytes, unused: 25/16352 blocks/bytes. ================= USER EDIT ==================== RID : 1001 [03e9] Username: admin-usc fullname: comment : homedir : 00000220 = Administratoren (which has 2 members) Account bits: 0x0214 = [ ] Disabled | [ ] Homedir req. | [X] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 1, while max tries is: 10 Total login count: 4 - - - - User Edit Menu: 1 - Clear (blank) user password (2 - Unlock and enable user account) [seems unlocked already] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > 1 Password cleared! 
================= USER EDIT ==================== RID : 1001 [03e9] Username: admin-usc fullname: comment : homedir : 00000220 = Administratoren (which has 2 members) Account bits: 0x0214 = [ ] Disabled | [ ] Homedir req. | [X] Passwd not req. | [ ] Temp. duplicate | [X] Normal account | [ ] NMS account | [ ] Domain trust ac | [ ] Wks trust act. | [ ] Srv trust act | [X] Pwd don't expir | [ ] Auto lockout | [ ] (unknown 0x08) | [ ] (unknown 0x10) | [ ] (unknown 0x20) | [ ] (unknown 0x40) | Failed login count: 1, while max tries is: 10 Total login count: 4 ** No NT MD4 hash found. This user probably has a BLANK password! ** No LANMAN hash found either. Try login with no password! - - - - User Edit Menu: 1 - Clear (blank) user password (2 - Unlock and enable user account) [seems unlocked already] 3 - Promote user (make user an administrator) 4 - Add user to a group 5 - Remove user from a group q - Quit editing user, back to user select Select: [q] > q Hives that have changed: # Name 0 Write hive files? (y/n) [n] : y 0 - OK demo@mx1:/mnt/windows/Windows/System32/config BOOM! :D