@aguytech
Last active June 18, 2022 22:37
[chntpw-reged-sampasswd] chntpw reged sampasswd help #bash #help #forensic #disk #hive

https://helpmanual.io/man8/chntpw/

chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive] [...]
Utility to overwrite passwords of Windows systems

usage

chntpw -i $hive

options

-u username # Username or username ID (RID) to change. The default is 'Administrator'. 
-l # List all users in the SAM database and exit. 
-i # Interactive Menu system: list all users (as per -l option) and then ask for the user to change. 
-e # Registry editor with limited capabilities (but it does include write support). For a slightly more powerful editor see reged
-d # Use buffer debugger instead (hex editor)
-L # Log all changed filenames to /tmp/changed. When this option is set the program automatically saves the changes in the hive files without prompting the user. Be careful when using the -L option as a root user in a multiuser system. The filename is fixed and this can be used by malicious users (dropping a symlink with the same name) to overwrite system files.
-N # Do not allocate more information, only allow the editing of existing values with same size. 
-E # Do not expand the hive file (safe mode). 

commands

hive [<n>] # list loaded hives or switch to hive number n
cd <key> # change current key
ls | dir [<key>] # show subkeys & values
cat | type <value> # show key value
dpi <value> # show decoded DigitalProductId value
hex <value> # hexdump of value data
ck [<keyname>] # Show keys class data, if it has any
nk <keyname> # add key
dk <keyname> # delete key (must be empty)
ed <value> # Edit value
nv <type#> <valuename> # Add value
dv <valuename> # Delete value
delallv # Delete all values in current key
rdel <keyname> # Recursively delete key & subkeys
ek <filename> <prefix> <keyname> # export key to <filename> (Windows .reg file format)
debug # enter buffer hexeditor
st [<hexaddr>] # debug function: show struct info
q # quit

install

sudo apt install -y chntpw

reged [options] -x<registryhivefile><prefixstring><key><output.reg>
reged [options] -I<registryhivefile><prefixstring><input.reg>
reged [options] -e<registryhivefile>
Utility to export/import and edit Windows registry hives

usage

reged -x SYSTEM 'HKEY_LOCAL_MACHINE\SYSTEM' 'ControlSet001\Control\Lsa\Skew1' test.reg

modes

-x <registryhivefile> <prefixstring> <key> <output.reg> # Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE and <key> is the key to dump (recursively), \ or \\ means all keys in hive. Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg> # Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE. Only one .reg and one hive file supported at the same time
-e <registryhive> ... # Interactive edit one or more of registry files

options

-L # Log changed filenames to /tmp/changed, also auto-saves
-C # Auto-save (commit) changed hives without asking
-N # No allocate mode, only allow edit of existing values with same size
-E # No expand mode, do not expand hive file (safe mode)
-t # Debug trace of allocated blocks
-v # Some more verbose messages

sampasswd [options] -uuser <samfile>
Reset passwords of users in the SAM user database

options

-r # Reset the user's password. 
-a # Reset all the users. If this option is used there is no need to specify the next option. 
-u <user> # User to change. The user value can be provided as a username, or a RID number in hexadecimal (if the username is preceded with '0x').  
-l # Lists the users in the SAM database. 
-H # Output human readable output. The program by default will print a parsable table unless this option is used. 
-N # Do not allocate more information, only allow the editing of existing values with same size. 
-E # Do not expand the hive file (safe mode). 
-t # Print debug information of allocated blocks. 
-v # Print verbose information and debug messages.
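All three tools above take registry hive files as input. As an added example (not part of this gist), a few shell helpers for the forensic, read-only side of that workflow: locate the hives under a Windows volume (assumed mounted, ideally read-only, at the mountpoint you pass in, with the hives in the standard Windows/System32/config location), check the "regf" hive signature before handing a file to a tool, list SAM accounts with sampasswd -l, and export a SYSTEM key with reged -x. The mountpoint and key arguments are yours to supply.

```shell
#!/bin/sh
# Added helpers (not from the gist) for working with offline Windows hives.
# Assumes a Windows volume mounted at the given mountpoint, with hives under
# <mountpoint>/Windows/System32/config; sampasswd/reged only needed by the
# list_users/export_key helpers.

# Case-insensitive lookup: Linux mounts keep the case Windows wrote
# (Windows vs WINDOWS, System32 vs system32), so the path is not hard-coded.
find_hive() {    # find_hive <mountpoint> <SAM|SYSTEM|SECURITY|SOFTWARE>
    find "$1" -maxdepth 4 -type f -ipath "*/windows/system32/config/$2" \
        2>/dev/null | head -n 1
}

# Every registry hive starts with the 4-byte signature "regf"; refuse anything
# else so a wrong file (or a mis-mounted volume) is never passed to the tools.
is_hive() {      # is_hive <file>  -> exit 0 if the file looks like a hive
    [ -f "$1" ] && [ "$(head -c 4 "$1" 2>/dev/null)" = "regf" ]
}

# Read-only listing of SAM accounts (-l) in human-readable form (-H).
list_users() {   # list_users <mountpoint>
    sam=$(find_hive "$1" SAM)
    is_hive "$sam" || { echo "no SAM hive found under $1" >&2; return 1; }
    sampasswd -l -H "$sam"
}

# Export one key from the SYSTEM hive to a .reg file; -x only reads the hive.
export_key() {   # export_key <mountpoint> <key under HKLM\SYSTEM> <out.reg>
    sys=$(find_hive "$1" SYSTEM)
    is_hive "$sys" || { echo "no SYSTEM hive found under $1" >&2; return 1; }
    reged -x "$sys" 'HKEY_LOCAL_MACHINE\SYSTEM' "$2" "$3"
}
```

Usage: `export_key /mnt/win 'ControlSet001\Control\Lsa' lsa.reg` mirrors the reged usage line above, with the hive located and checked first.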