Offline registry tools and password resetter


Here are the source code and binary downloads (see bottom of page) for the registry tools, along with documentation and release history.
This page is aimed at developers, tooldisk integrators, and system technicians. If you just need to use the tool to reset a password on your system.

Current features of the registry tools / library

Library:
  • Open several hives at once (they are however not linked in path-wise)
  • Add and remove keys (still not rename, sorry)
  • Add and remove values of any type. (no rename here either)
  • Read data in values
  • Put data into values.
  • (Recursive) iterate / list keys, get values types etc.
  • Recursive delete of keys
  • Read key "class" field
  • Expansion of the hive file now supported so you can add or import as much as you like!
  • Currently just ignores security descriptors in the registry.
  • Supports registry hives with different key indexing, so it covers all versions from NT3.51 to Vista/Win7 32/64bit and 2008 server.
Features of the tools (based on the library):
  • Simple interactive registry edit (command based), including hex edit of value data in unsupported value types.
  • Export of registry (or parts of it) to .reg file readable by Windows regedit.exe.
  • Import .reg file now in seemingly working condition. Will read files from regedit.exe, usually without changes. But currently slow.
  • Password reset, password change (partial)
  • User unlock
  • User promotion (add to administrators group. buggy)
  • Extract product key
  • Some syskey reset actions (NT4/2k/XP), but very risky.
  • .. and a lot of information and debug info for those who are interested.

This is a news summary for the library and tools. Please see source and HISTORY.txt for more details.

2011-05-09 - New major features!
  • Hive expansion! Library now does hive file expansion by default if needed when adding keys/values (but you can turn it off, safe mode). If expansion occurred, you will get a warning when writing back.
  • .reg file import! Will read files from regedit.exe in most cases (UTF-16) but can miss on some international characters. Also reads "latin" (8 bit) files.
  • There were a lot of goofs by me in the add/delete key and value handling, which made windows complain and lose data. Hope I managed to fix them.
  • Also, found out more about how Windows does things, for example more details of empty name (default) value, zero-size values, large values (gets split internally) and other special cases.
  • Did quite a lot of testing by importing for example the SOFTWARE\Classes tree with regedit.exe and importing it again into the DEFAULT hive with my tool, then ask windows to "Load hive" (in regedit.exe). If it does not complain in the event log, it is good. (Also, seems like windows has gotten better at not bluescreening on a corrupt registry hive, did not get a single one when doing this with pretty messed up hives in win7 and Vista)
  • Be aware that .reg import is currently very slow, since I messed up the design for the string reading badly, and also the add routines are not exactly optimized. Consider it a proof of concept! Example: Import of SOFTWARE\Microsoft tree (exported by regedit.exe) into the small DEFAULT hive took more than 10 minutes on a pretty fast machine. Especially hex data is slow (one byte at a time.. lazy me..)
  • WARNING: .reg file import does not do much sanity checking of the input .reg file. It will either crash during import or mess up the registry if the .reg file is bad.
  • This version has no significant changes in the password (reset) handling part of the tools.
  • On TODO list for some of the next versions: Windows-like API. Faster .reg import. Fix bugs!
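
A pre-import check for the .reg import warning above, added here as an example and not part of chntpw or its source: it lints a .reg file against the regedit.exe text format (header, quoted names, `dword:` and `hex:` data, UTF-16 or 8-bit encoding) before the file is handed to the importer. The name `lint_reg` and the sample inputs are assumptions; string values with embedded line breaks are reported as malformed.

```python
import re

HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
QSTR = r'"(?:[^"\\]|\\.)*"'                        # quoted, with \" and \\ escapes
HEXB = r'(?:[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)?'  # may be empty (zero-size value)
KEY = re.compile(r'\[-?.+\]')                      # [key] or [-key] (delete)
VALUE = re.compile(
    rf'(?:@|{QSTR})=(?:{QSTR}|dword:[0-9a-fA-F]{{8}}|hex(?:\([0-9a-fA-F]+\))?:{HEXB}|-)')

def lint_reg(raw: bytes) -> list:
    """Return a list of problems found in a .reg file; an empty list means it passed."""
    try:  # regedit.exe writes UTF-16LE with a BOM; anything else is read as 8-bit "latin"
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    except UnicodeDecodeError as exc:
        return [f"file: not valid UTF-16 ({exc.reason})"]
    lines = text.replace("\r\n", "\n").split("\n")
    problems = []
    if lines[0].strip() not in HEADERS:
        problems.append("line 1: missing regedit header")
    in_key, i = False, 1
    while i < len(lines):
        start, line = i + 1, lines[i].strip()           # start = 1-based line number
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data continued on next line
            line, i = line[:-1] + lines[i].strip(), i + 1
        if not line or line.startswith(";"):            # blank line or comment
            continue
        if line.startswith("["):
            in_key = KEY.fullmatch(line) is not None
            if not in_key:
                problems.append(f"line {start}: malformed key line")
        elif not in_key:
            problems.append(f"line {start}: value outside any key")
        elif not VALUE.fullmatch(line):                 # unquoted name, bad dword/hex, ...
            problems.append(f"line {start}: malformed value")
    return problems

# Constructed sample inputs (not taken from any real system).
GOOD = b"\xff\xfe" + "\r\n".join([
    "Windows Registry Editor Version 5.00", "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example]",
    '@="default"', r'"Path"="C:\\Temp"', '"Count"=dword:0000002a',
    '"Blob"=hex:01,02,\\', '  03,04', '"Empty"=hex(7):', ""]).encode("utf-16-le")
BAD = "\r\n".join([
    "REGEDIT4", "", '"Orphan"="x"', r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example]", 'Name="unquoted"',
    '"Count"=dword:2a', '"Blob"=hex:01,0g']).encode("latin-1")

if __name__ == "__main__":
    print(lint_reg(GOOD), *lint_reg(BAD), sep="\n")
```

A clean result only means the file is well-formed text; it says nothing about whether the keys and values are appropriate for the target hive.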
2010-06-27
  • Patches from Frediano Ziglio adding or fixing:
    • buffer overflow in export_subkey printing keyname
    • reg export: some quoting error (name and string values must be quoted)
    • adding support for wide character encoding in keys and value names
    • and some other bugs fixed
  • New function from Aleksander Wojdyga to decode Digital Product ID. Now in registry editor, may be moved later. Example: dpi \Microsoft\Windows NT\CurrentVersion\DigitalProductId
  • Syskey menu selection has been removed from text, but can still be selected as number 2. So that people stop emailing me when it bombs out.
  • Some other minor tweaks
2009-12-01
  • New site, official URL is now: http://pogostick.net/~pnh/ntpasswd/
  • All releases still contain old mail address, please note NEW mail address is pnh@pogostick.net. Old mail address will be invalid after January 1st 2010.
  • No new release, 2008-08-02 is still newest. Hope to release new early 2010.
  • Some of the newest releases (from 2008) seem to be working (more or less) on Windows 7 without any changes.
2008-08-02 Released a CD, but no changes to registry edit / password handling, chntpw etc.
2008-05-26
  • Fixed nasty bug which skipped first indirect index table when deleting keys. Usually threw recursive delete into an endless loop.
  • Type QWORD now recognized. Believe it is from XP and newer systems.
  • Library functions accepting a path now have a flag to say if search should be exact or on first match (partial string) basis.
  • Export to .reg file by Leo von Klenze (Thank you!), expanded to handle more types by me.
  • 64 bit compatible patch by Mike Doty, via Alon Bar-Lev, http://bugs.gentoo.org/show_bug.cgi?id=185411
2007-09-27
  • Fixed hang in bootdisk/CD
  • Also fixed a script crash in the floppy.
2007-09-26
  • User promotion now official! You can add a user into the administrator group, making the user an administrator!
  • Password edit has cosmetic changes / menu control
  • Some verbosity / text info has changed.
  • A few smaller bugfixes
  • Bootfloppy release is back. Better driver handling. Better NTFS handling.
2007-04-09 (guess it is 10 year anniversary!)
  • Now with Vista support! 32 & 64 bit. (NTFS filesystem driver now supports Vista)
  • CD has better driver support, changed quite a bit.
  • Mostly cosmetic changes to "chntpw" program.
  • Main password reset and regedit (chntpw + ntreg) code now made GPL licensed, for those of you who care. Source available at the source page.
2006-04-06, release 060213
  • Driver updates only, see download page for more info.
2005-03-03, release 050303
  • Driver updates only, see download page for more info.
2004-12-05, release 041205
  • New and improved driver probe on disk, now with probe based on PCI info. The CD/floppy should now work much better for SATA and other drivers needing multiple driver modules.
  • Fixed a small bug causing crashes when loading some hives (end pointer of last page seems to be way off sometimes). Thanks to Michael Rothstein for providing a hive file with this "weirdness"
2004-11-01 (no new release)
  • Added some info about "changes not taking effect" to the FAQ
2004-08-18, release 040818
  • Fixed critical bugs in regedit hive allocation routines, earlier versions may corrupt the hive when adding, expanding or deleting keys or values. Earlier versions should be safe for password edit usually.
  • Added edit support for large keys (typically more than 500 subkeys), this happens often in SOFTWARE\Classes. As a side effect there is now full support for writing NT 3.51 registry, too. (it's related to key indices and indirect indices if many subkeys)
  • Regedit string input bugfix. Often crashed earlier. Several people reported this, with some suggestions. It's still ugly, however :/
  • Regedit recursive key delete 'rdel' added. It is rather slow however, and may hang or crash if given illegal key names. It also may produce some debug output in some situations.
  • Regedit 'hex' command to dump value in hex no matter what type the value is.
  • Regedit 'ck' command to dump class data of key, if it has any. (most keys do not have class data). Keys with classes are marked with * in the key listings. No edit of it yet.
  • Some bugs fixed in hive file load/save, and error handling. Thanks for reports from several people on this.
  • Generally NO CHANGES to password edit stuff.
2004-08-09: IN VERSION 0401xx AND EARLIER: Some rather serious bugs have been discovered in the allocation routines, which are used when adding or deleting values or keys in the registry editor. In best case, they leak space, in worst case, it may corrupt the file.
NOTE: This does not generally affect password changing, since password reset just overwrites a few bytes in place, it does not reallocate space.
 
SUMMARY: Password edit OK. Regedit may not be. Expect new version out within a week or so.
2004-01-16, release 040116
  • Completely new bootdisk system! Hopefully a bit easier to understand and run through.
  • Support for easy change of RecoveryConsole parameters (one of them tells RecoveryConsole to NOT ask for admin password).
  • A few bugfixes. For those of you wanting to look and build chntpw from the source, it should now compile??
2003-04-26:
  • Newer NTFS driver and internals of writebacks changed a bit on floppy, may fix some hangs reported on writing back to NTFS.
  • No changes to chntpw program itself
  • John Simpson supplies a nice description on how to fix up lost admin password in ActiveDirectory.
2003-02-25:
  • NTFS "hang on writeback" bugfix on floppy/CD.
  • HighPoint (hpt) IDE chipset support added. No idea if it works.
  • Highly experimental and not complete feature added: User promotion! Promote user into admin group.
    • Will add any user to administrator group, remove from all others.
    • VERY LITTLE TESTED YET!
    • Limitations: Not working on users who are not in any previous group, may not work at all on some setups, will not check policies: Guest can be promoted, but will most likely not be able to log in anyway because it is usually denied in security policies. I know how to do this, but it is not finished yet. This is still work in progress!
    • To use, enter @ at password prompt. Change is set even if you answer no on "do you wish to change" question. Please do not try it if you do not want to risk a complete system reinstall.
    • I need people that can test this on systems they are willing to risk a reinstall on! Please contact me if you have any info.
Earlier history removed.. (started in 1997)


User "manual" & tech info in the README file, or look inside the source. See the INSTALL file inside the archive on how to build.
ntreg.c & ntreg.h now somewhat make a rather complete library for access to the registry files. There is currently no documentation for the different function calls, and all functions may change in future releases. I plan on cleaning it up, and if possible mimicking the NT API.

Explanation of win3.11, win95 and NT registry files can be found in WinReg.txt, written by some German (I think, at least speaks German) named B.D. Sorry I don't have that person's full name, I can't find a name/address in the file, and it was not credited when I picked it up from some website. This is the original file as I found it, I've discovered some minor errors, but not corrected the file. Look it up in my source code for more detailed info.