Can be done in damn near any linux os, I used backtrack for this:

1) Boot backtrack
2) Find the windows drive(partiton)
a) fdisk -l (the larger drive is prob windows, example: /dev/sda2)

3) Create a directory to mount it to
a) mkdir /mnt/win (makes a folder under /mnt/win, windows will be there)

4) Mount the windows drive to your new directory
a) mount -t ntfs-3g /dev/sda2 /mnt/win -o force (this mounts /dev/sda2 to /mnt/win) (if your doing this on a disto other than backtrack and this command doesn't work do "apt-get update" then "apt-get install ntfs-3g"

5) Goto the location of the sam file, CASE specific, run ls after every cd change
a) location is: /mnt/sda2/windows/system32/config

6) Run CHNTPW
a) chntpw -l SAM SYSTEM (Case of sam and system is important)
b) This lists the users, so pick your user

7) chntpw -u USERNAMEHERE SAM SYSTEM
8) SAY NO TO DISABLE SYSKEY!
9) Now just run your command to either unlock the acct or blank password
10) Safe HIVE and reboot.
11) Shutdown via command
a) shutdown -h now

Re-posted from my own site: http://deauththis.com/forum/security/ba ... 48/#msg248

you can also find a video of me doing it there