Download Kali Linux and burn the ISO to a CD/DVD. Boot Windows machine with the LiveCD. On the boot menu of Kali Linux, select Live (forensic mode).
Kali Linux initialize and when it loads, it will open a terminal window
and navigate to the Windows password database file. Almost all versions
of windows password is saved in SAM file. This file is usually located under /Windows/System32/config. On your system it may look something like this: /media/hda1/Windows/System32/config. Below is the screenshot.
The SAM database is usually in the /media/name_of_hard_drive/Windows/System32/config
The screen shot below lists the SAM database file on my hard drive. The
screen shot below lists the SAM database file on my hard drive.
Type command chntpw -l SAM and it will list out all the usernames that are contained on the Windows system.
The command gives us a list of usernames on the system. When we have the
username we want to modify and we simply run the command chntpw -u “username” SAM
In the example below we typed: chntpw -u “Administrator” SAM and we get the following menu:
We now have the option of clearing the password, changing the password,
or promoting the user to administrator. Changing the password does not
always work on Windows 7 systems, so it is recommended to clear
the password. Therefore you will be able to log in with a blank
password. You can also promote the user to a local administrator as
well.