Domain Cached Credentials Explorer and Dumper

Windows Password Recovery - domain cached credentials explorer


Beginning with version 2.0, the program can read cached domain records. Windows uses cached domain records to allow a domain logon even if the logon server is unavailable for whatever reason.

Handling cached domain records with the plugin takes three steps.

First, decide which records are to be decrypted: the cached records of the current operating system or those of some other computer.

Domain cached credentials location


Cached domain records are stored in the SECURITY registry file. If you select the option to read records from an external PC, on the next step of the Wizard you should specify the paths to both the SECURITY and SYSTEM registry files, which are used for decrypting the records. If you select the option to read the cached records of the local computer, the program locates those files automatically on the second step of the Wizard. The registry files are located in the folder %WINDIR%\system32\config\, where %WINDIR% is the Windows directory.
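Because decrypting the cached records requires both the SECURITY and SYSTEM files, a process that reads the pair within a short interval is worth reviewing. The following is an added example, not part of the original page or of the product: it assumes file-access audit records in a constructed (time, host, process, path) form, and the allow-listed process path and all sample records are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# SECURITY holds the cached records; SYSTEM is needed to decrypt them (per the text above).
REQUIRED_HIVES = {"security", "system"}
CONFIG_DIR = r"\system32\config"
# Assumption: processes expected to read the hives on this estate (hypothetical path).
ALLOWED_PROCESSES = {r"c:\program files\backupagent\agent.exe"}

def hive_name(object_path):
    """Return 'security' or 'system' when the path is one of the two hive files."""
    directory, name = ntpath.split(object_path.lower().replace("/", "\\"))
    if directory.endswith(CONFIG_DIR) and name in REQUIRED_HIVES:
        return name
    return None

def find_hive_pair_reads(events, window=timedelta(minutes=10)):
    """Return sorted (host, process) pairs that read BOTH hives within `window`.

    events: (iso_time, host, process_path, object_path) tuples, a constructed schema.
    """
    last_seen = defaultdict(dict)  # (host, process) -> {hive: time of last read}
    hits = set()
    for iso_time, host, process, obj in sorted(events):
        hive, proc = hive_name(obj), process.lower()
        if hive is None or proc in ALLOWED_PROCESSES:
            continue
        when = datetime.fromisoformat(iso_time)
        last_seen[(host, proc)][hive] = when
        (other_hive,) = REQUIRED_HIVES - {hive}
        other = last_seen[(host, proc)].get(other_hive)
        if other is not None and when - other <= window:
            hits.add((host, proc))
    return sorted(hits)

CFG = r"C:\Windows\System32\config"
# Constructed sample records, not taken from a real system.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "WS01", r"C:\Tools\unknown.exe", CFG + r"\SECURITY"),
    ("2024-05-01T10:02:00", "WS01", r"C:\Tools\unknown.exe", CFG + r"\SYSTEM"),
    ("2024-05-01T11:00:00", "WS02", r"C:\Program Files\BackupAgent\agent.exe", CFG + r"\SECURITY"),
    ("2024-05-01T11:00:05", "WS02", r"C:\Program Files\BackupAgent\agent.exe", CFG + r"\SYSTEM"),
    ("2024-05-01T09:00:00", "WS03", r"C:\Tools\viewer.exe", CFG + r"\SYSTEM"),
    ("2024-05-01T08:00:00", "WS04", r"C:\Tools\unknown.exe", CFG + r"\SECURITY"),
    ("2024-05-01T09:30:00", "WS04", r"C:\Tools\unknown.exe", CFG + r"\SYSTEM"),
]

if __name__ == "__main__":
    print(find_hive_pair_reads(SAMPLE_EVENTS))
```

Only WS01 is reported: WS02 is allow-listed, WS03 read a single hive, and the two reads on WS04 fall outside the 10-minute window.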

Domain cached credentials of an external PC - loading SECURITY hive

If the reading was successful, the final dialog shows the decrypted domain records. Each record has several attributes, for example: username, last logon time, group membership, and cached user password (actually, its hash).

Right-clicking on the list of records opens the context menu, which lets you:

  • Save records with all attributes to a text file.
  • Export password hashes to a PWDUMP, *.DCC or *.PEIF file. Please note that the PWDUMP format does not store the records quite properly; therefore, it is preferable to save domain password hashes to a *.DCC or *.PEIF file.
  • Check or reset the password for a cached domain record.
  • Delete record.
     

Editing domain cached password

To recover a cached domain password, you can use the Network Password Recovery Wizard; just export the hashes to a file in one of the above-mentioned formats beforehand.