Windows Password Recovery - loading password hashes
User passwords in Windows systems are converted to special values - hashes. Hashes have a fixed size - 16 bytes - and can be stored in two repositories: SAM - for the regular accounts and Active Directory - for domain accounts.
The regular accounts that contain user name, password and other auxiliary information are stored in the Windows NT registry; precisely, in the SAM (Security Account Manager) file. That file is located on the hard disk, in the folder %windows%\system32\config. For example, С:\Windows\System32\Config\SAM.
Another way to access the SAM file is to launch a special program from a boot disk and then copy the file. Anyway you need a physical access to the computer with password hashes.
User passwords or, to be accurate, hashes are additionally encrypted with the SYSKEY utility, which stores its service data in the SYSTEM registry file. Thus, to extract hashes from SAM, you would also need the SYSTEM file, which is located in the same folder as SAM, and optional SECURITY file.
Domain accounts are stored in the Active Directory database. Usually, the Active Directory database is located in the file %Windows%\ntds\NTDS.DIT. The way user hashes are encrypted here is a bit different than that is in SAM, but the recovery would also require the SYSTEM file.
Windows Password Recovery support several ways of loading hashes into the program.
Extract password hashes from system restore/repair/backup folders or from volume shadow copies.
More information... |
 |
Load hashes into the program by importing them from other projects/applications.
More information... |
 |
