In this article I will show you, step by step, how to reset the Administrator password in Windows 7, so if you have lost or forgotten the administrator password, or simply never knew it, this tutorial will get you back into your computer. Strictly speaking we are not cracking (recovering) the password at all: the tool blanks the stored password hash in the SAM registry hive, so afterwards the account simply has no password. Please bear in mind that although this looks like a lot of steps, the actual process should only take you a few minutes to complete; I just wanted to make it simple to follow for users who are new to this. Also, don’t be alarmed by the massive wall of text that the program generates when it is running, as this is mainly kernel messages about your hardware which you don’t need to worry about.
Note: If the account you are resetting has EFS-encrypted files (Windows XP and onwards), be aware that clearing the password this way will make those files permanently unreadable. The keys that protect EFS files are themselves protected by material derived from the account’s current password, so a password that is changed from outside Windows (rather than by the user changing it while logged in) leaves them undecryptable unless you have an exported backup of the EFS certificate and private key or a configured recovery agent. For most people this won’t be an issue as they won’t have used EFS to encrypt anything.
The software that we will be using to achieve this is called Offline NT Password & Registry Editor (chntpw) and is free to download and use. You can run it from its own CD/USB image or, as in this tutorial, via Hiren’s Boot CD, which bundles a recent version of it. If you don’t have a Hiren’s Boot CD then please see this article on how to get it, which also explains what else is on the disk and how to boot to it via USB. What we will effectively be doing in this article is completely removing the Admin password in Windows 7, allowing you to boot straight into the OS without being prompted for the password you have forgotten. Right, let’s get on and remove the Admin password.
Here are the 2 things that you will need:
- Download the Offline NT Password & Registry Editor or have a recent copy of Hiren’s Boot CD to hand
- A blank CD/USB (not required if you have Hiren’s already on CD or USB)
As stated above, I will be using my copy of Hiren’s Boot CD (HBCD) that I already have on my bootable USB stick. The steps taken when using the program are exactly the same though so don’t worry. Firstly you will need to set the CD or USB (depending on which one you are using) as the first boot device in BIOS and then restart the machine.
Once you have booted to the CD/USB you will see the first screen. Note that this first screenshot is for people using Hiren’s Boot CD, showing the menu and which program to select.
When you first boot to HBCD you will be presented with the screen below. Using your up/down keys, scroll down to Offline NT/2000/XP/Vista/7 Password Changer and hit Enter.
As I said before, don’t panic when you see the wall of text that is generated, as these are kernel messages regarding your hardware and can be ignored. All you need to be concerned with are the questions at the bottom of the screen. After every step more text is generated, and again you will need to answer the question at the bottom of the next screen.
By default pretty much all of the questions will be pre-answered/suggested for you (the suggested answer is shown in square brackets), meaning that all you have to do is hit Enter to go to the next step. However, pay attention to this first question, which asks you where the Windows installation is stored. By default it assumes that you will want to select partition 1, but if you look at the sizes listed you will see that for Windows 7 users this partition is only 100MB. That is the System Reserved partition, which holds the boot files but no registry, so instead type the number of the second, much larger partition and then hit Enter.
Note: I assume that the program defaults to the first partition because it was originally written for operating systems that had the complete OS on one partition. You can see from the size of the second partition that it is far larger as well. Mine appears to be only 25GB in size, which is down to the fact that, in order to get the screenshots, I ran the program in VirtualBox (which is also why some of the kernel messages differ slightly from what you would see when running the program natively on your system).
Assuming that you pointed the program at the correct partition, you will see the next question, which asks for the path to the registry directory (the folder under Windows/System32/config that holds the SAM, SYSTEM and SECURITY hives). The suggested answer is correct for a standard installation, so just hit Enter.
It then lists what it found there and asks you to confirm the path to load from. Again the suggested answer is the right one, so just hit Enter.
Next it asks which part of the registry to load. The suggestion is the password reset option, which loads the SAM (Security Accounts Manager, the hive that holds the local accounts and their password hashes) together with the SYSTEM and SECURITY hives, so just hit Enter as that is exactly what we need.
You will now see a list of the accounts on your computer, and the program will ask which one you wish to edit. The default answer will be [Administrator], as indicated by the suggestion in square brackets, so just hit Enter to move on. Before you do, check the list: on Windows 7 the built-in Administrator account is disabled by default, and the account you normally log in with is usually a different, administrator-level account, so type that account’s name instead if that is the password you have lost. Please note that I chose another account (Richard virt) in the screenshot below. You can ignore this as I was just testing out some things.
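As an added example (not part of this article, of Hiren’s Boot CD or of the chntpw tool itself), here is a small pre-flight script for the Linux boot environment that does the two checks the wizard leaves to you: picking the partition that actually holds Windows (the largest NTFS partition rather than the 100MB System Reserved one, as discussed at the partition question above) and listing the accounts in the SAM read-only with chntpw -l before anything is written, so you can see which account you really log in with and whether the built-in Administrator is disabled. It assumes a live Linux environment with lsblk, ntfs-3g and chntpw on the PATH; the mount point /mnt/win and the sample lsblk output are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article, Hiren's Boot CD or chntpw.
# Pre-flight checks to run from a Linux boot environment BEFORE starting the
# interactive password editor. Assumes lsblk, ntfs-3g and chntpw are on the
# PATH and that the Windows installation lives on the largest NTFS partition.
set -eu

WIN_MOUNT=/mnt/win   # hypothetical mount point chosen for this example

# Given the output of `lsblk -rnb -o NAME,SIZE,FSTYPE` (raw rows, no header,
# sizes in bytes), print the name of the largest NTFS partition. The 100 MB
# "System Reserved" partition is NTFS as well, which is exactly why the
# wizard's default of "partition 1" is wrong on a stock Windows 7 install.
pick_windows_partition() {
    printf '%s\n' "$1" | awk '
        BEGIN { best = 0; name = "" }
        $3 == "ntfs" && ($2 + 0) > best { best = $2 + 0; name = $1 }
        END { print name }'
}

# Mount the chosen partition READ-ONLY and list the accounts in the SAM.
# `chntpw -l` prints one row per account with its RID (hex), name, whether it
# is an administrator and whether it is disabled/locked, so you can see which
# account you actually log in with and whether the built-in Administrator
# (RID 01f4) is disabled before deciding which one to clear. Nothing is
# written to the disk in this step.
list_sam_users() {
    part="$1"
    sam="$WIN_MOUNT/Windows/System32/config/SAM"
    mkdir -p "$WIN_MOUNT"
    mount -t ntfs-3g -o ro "/dev/$part" "$WIN_MOUNT"
    if [ ! -f "$sam" ]; then
        echo "no SAM hive at $sam; /dev/$part is not the Windows partition" >&2
        umount "$WIN_MOUNT"
        return 1
    fi
    chntpw -l "$sam"
    umount "$WIN_MOUNT"
}

# Constructed sample of lsblk output for a typical Windows 7 disk (fabricated
# for illustration): a 100 MB System Reserved partition, the real Windows
# partition, and the boot CD itself.
SAMPLE_LSBLK='sda 268435456000
sda1 104857600 ntfs
sda2 268330598400 ntfs
sr0 734003200 iso9660'

# Only touch real devices when explicitly asked; otherwise do a dry run on
# the sample so the script can be read and sourced safely.
if [ "${1:-}" = "--run" ]; then
    part=$(pick_windows_partition "$(lsblk -rnb -o NAME,SIZE,FSTYPE)")
    [ -n "$part" ] || { echo "no NTFS partition found" >&2; exit 1; }
    echo "Windows appears to be on /dev/$part"
    list_sam_users "$part"
else
    echo "dry run: the sample disk's Windows partition is $(pick_windows_partition "$SAMPLE_LSBLK")"
fi
```

Run it as `sh preflight.sh --run` from the boot environment; on a stock Windows 7 disk it should pick the second, large NTFS partition and print the account table, and if the row for the account you want shows it as disabled you know clearing its password alone will not get you logged in.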
Now we get to a point where you can decide not to go with the suggested responses. This is where you can choose to either clear the password (remove it completely), set a new password (XP and Vista users are warned about using this), promote one of the other users to an admin, or go back to the previous question.
What we are trying to do here is to completely remove the password so that when we restart the machine we aren’t asked for a password to login.
So go with the suggested answer, which is the option to clear/remove the password. Basically, just hit Enter.
You should hopefully have received the Password Cleared! message, followed by the prompt to pick another user or quit. Don’t just hit Enter here (that would select the default user again); instead type an exclamation mark (!) and then hit Enter to return to the main menu.
At the main menu type q and hit Enter to quit. This is the one place where the suggested default is not what we want, as it would take you back into the user editor rather than on to the write-back step.
This is where the program asks whether to write the changes it has made back to disk. Nothing on the disk has been touched up to this point; this is the only step that modifies anything, so type y and hit Enter (the default here is n).
If the write failed (which hopefully it won’t have if you have followed these steps correctly) it will ask if you want to start again. As we have the Edit Complete message, which means that it has successfully written the changes to disk, all you need to do is type n and hit Enter.
First remove the CD/USB that has the program on it that you booted to at the beginning of this article. Otherwise when you reboot it will boot to the program on the CD/USB again.
Now just hit CTRL+ALT+DEL to reboot your computer. (If you are using this program in VirtualBox go Machine>ACPI Shutdown)
Now when your computer has rebooted, you will no longer be asked to input the Admin password to access the machine.
As you can see, bypassing the Admin password on Windows 7 is very simple. The lesson is that a Windows logon password only controls who can log in to a running system; it does nothing to protect the data on the disk from someone who can boot their own media, because the SAM hive (like every other file) is just an unencrypted file on the disk that can be read or rewritten offline. A BIOS password or a locked boot order only slows this down, since the disk can be removed and attached to another machine. If you wish to prevent someone from accessing your files/private data should the computer be stolen, then I would highly recommend that you fully encrypt the disk, for example with TrueCrypt or with BitLocker (included in Windows 7 Ultimate and Enterprise).
One thing I would do though, once you have successfully logged back into the computer, is set an Admin password again and record it somewhere you can get at without logging into this machine (a password manager, or a note kept off the machine), and then create a Password Reset Disk. A Password Reset Disk can be used if you ever have this problem again to set a new password when you enter the wrong one. I will explain (and link here) to an article for that which I will be writing in a bit.
I hope this has helped you out of a sticky hole. If you have any questions regarding this, please feel free to ask in the comments and I will try to answer them. There is an official FAQ that you should check first though, as the creator of the program has addressed some issues you may come across. Personally I have used this program on quite a few machines, and have never had an issue.
Special thanks to Petter N Hagen for writing an awesome program