Loading password hashes from registry and Active Directory

Windows Password Recovery - loading hashes from registry and Active Directory

Importing hashes from binary files. Windows Password Recovery can extract password hashes directly from the binary registry and database files, including the files that are in use (locked) by the currently running system.

Normally, local account password hashes are stored in the SAM registry hive, which resides in the '%WINDOWS%\System32\Config' folder. The same folder holds the SECURITY and SYSTEM hives; the SYSTEM hive is needed in any case, because it holds the boot key (SYSKEY) that encrypts the SAM. If you point the program at the registry of the currently running system, parsing takes a bit longer (normally a couple of extra seconds), since the locked hive files cannot be opened the usual way.

Password hashes for domain accounts are stored in the Active Directory database, that is, in the ntds.dit file, which by default resides in the '%Windows%\ntds' folder. To recover domain accounts you will also need the SYSTEM registry hive of the domain controller, because the key that protects the hashes inside ntds.dit is itself encrypted with the boot key stored there.

Be careful: dumping the Active Directory database of the currently running system may take quite some time, especially when the database contains thousands of user accounts.

Extracting domain cached credentials (the cached logon entries Windows keeps for domain users who have logged on to the machine) works the same way as extracting regular SAM accounts: specify the paths to the SECURITY and SYSTEM files. The cache lives in the SECURITY hive, and the boot key from SYSTEM is required to decrypt it.

Importing Windows PINs requires full access to the Windows folder and read-only access to the user profiles directory (typically C:\Users).

To load the cached passwords of Microsoft accounts or Azure AD accounts, it is enough to specify the path to the Windows directory.

If you are copying the files from another system, take the SECURITY and SOFTWARE hives along with the SAM (or ntds.dit) and SYSTEM files; they are located in the same folder as the SYSTEM hive. With these hives present, the passwords of some user accounts can be recovered faster, because certain secrets stored there (for example an autologon password in the Winlogon registry key) yield the password directly instead of requiring an attack on the hash.
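The collection procedure described above, written out as an added PowerShell example (this is not code from Windows Password Recovery): it saves the four hives through reg.exe, which works even though the hive files under System32\Config are locked, and on a domain controller copies ntds.dit out of a Volume Shadow Copy. The output folder name and the use of VSS are the example's own choices, not something the page prescribes; run it from an elevated Windows PowerShell session.

```powershell
# Added example, not part of Windows Password Recovery. Collects the files the
# page lists from a live system into $OutDir for offline loading. Run from an
# elevated Windows PowerShell. Assumed: the output folder name, and using a
# Volume Shadow Copy (VSS) to read the locked ntds.dit on a domain controller.
param([string]$OutDir = 'C:\HiveDump')   # assumed destination

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Registry hives. reg.exe save goes through the registry API, so the lock on
#    the hive files under %SystemRoot%\System32\Config does not matter.
#    SYSTEM carries the boot key (SYSKEY) needed to decrypt SAM and SECURITY;
#    SECURITY holds cached domain logons; SOFTWARE is recommended by the page.
foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY', 'SOFTWARE') {
    & reg.exe save "HKLM\$hive" (Join-Path $OutDir $hive) /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed for HKLM\$hive" }
}

# 2. ntds.dit (domain controllers only). The NTDS service keeps it locked, so
#    take a VSS snapshot of the system volume and copy the file from there.
$ntds = Join-Path $env:SystemRoot 'NTDS\ntds.dit'
if (Test-Path $ntds) {
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create("$env:SystemDrive\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) { throw "Shadow copy failed, code $($result.ReturnValue)" }
    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; append the
    # path of ntds.dit relative to the volume root (drop the "C:\" prefix).
    $src = $shadow.DeviceObject + '\' + $ntds.Substring(3)
    & cmd.exe /c "copy /y `"$src`" `"$(Join-Path $OutDir 'ntds.dit')`"" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "copy from shadow copy failed" }
    $shadow.Delete()   # remove the snapshot once the file is out
}

# The dump contains every local (and domain) credential: restrict it to the
# current user and SYSTEM before moving it anywhere.
& icacls.exe $OutDir /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
Get-ChildItem $OutDir | Format-Table Name, Length -AutoSize
```

The resulting folder contains SAM, SYSTEM, SECURITY, SOFTWARE and, on a domain controller, ntds.dit, which is exactly the set of paths the program asks for; the hive files are offline copies, so loading them later is not slowed down by the locked-file handling mentioned above.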

Using additional options you can:

  • Turn password history parsing on or off. Turning history loading off speeds up database processing; on the other hand, when attacking the hashes, old passwords recovered from the history often reveal the pattern a user follows and thus help guess the current password of the same account.
  • Skip machine (computer) accounts, whose names end with the $ character.
  • Switch on or off the instant check for plaintext passwords, BitLocker recovery keys, and other sensitive information.
  • Search for deleted and hidden user accounts (available only when reading hashes from Active Directory).
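What the history and machine-account options mean in practice, shown as an added PowerShell example (not the program's code): a triage pass over a dump exported in the common pwdump text format user:RID:LMhash:NThash:::. The sample lines are constructed, and the <user>_history<N> naming for old passwords is an assumption (it is the convention several dumping tools use), not something the page specifies.

```powershell
# Added example, not part of Windows Password Recovery. Triages a hash dump in
# pwdump format (user:RID:LMhash:NThash:::). Assumed: history entries are named
# <user>_history<N>. The sample below is constructed; '8846f7...' is the NT hash
# of "password" and '31d6cf...' the NT hash of an empty string.

$Sample = @'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
WS01$:1106:aad3b435b51404eeaad3b435b51404ee:4a7c2d0fd28c4d2e0dc1b6c2f4c9bd13:::
'@

$EmptyNT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of ""
$EmptyLM = 'aad3b435b51404eeaad3b435b51404ee'   # LM field when no LM hash is stored

function ConvertFrom-PwdumpLine {
    param([string]$Line)
    $parts = $Line.Split(':')
    if ($parts.Count -lt 4) { return $null }
    $user = $parts[0]; $history = $null
    # Assumed naming convention for old passwords: <user>_history<N>
    if ($user -match '^(?<base>.+)_history(?<n>\d+)$') {
        $user = $Matches.base; $history = [int]$Matches.n
    }
    [pscustomobject]@{
        User      = $user
        Rid       = [int]$parts[1]
        LM        = $parts[2].ToLower()
        NT        = $parts[3].ToLower()
        History   = $history             # $null = current password
        IsMachine = $user.EndsWith('$')  # computer accounts end with $
    }
}

function Get-HashDumpReport {
    param(
        [string[]]$Lines,
        [switch]$IncludeMachineAccounts,  # off = the page's "skip machine accounts"
        [switch]$SkipHistory              # on  = the page's "history parsing off"
    )
    $entries = @($Lines | Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-PwdumpLine $_ } | Where-Object { $_ })
    if (-not $IncludeMachineAccounts) { $entries = @($entries | Where-Object { -not $_.IsMachine }) }
    if ($SkipHistory)                  { $entries = @($entries | Where-Object { $null -eq $_.History }) }

    # Index every NT hash -> accounts using it, current or historical. The same
    # hash under two names, or an old hash reappearing elsewhere, is the
    # password reuse that makes loading the history worthwhile.
    $users = @{}
    foreach ($e in $entries) {
        if (-not $users.ContainsKey($e.NT)) { $users[$e.NT] = @() }
        if ($users[$e.NT] -notcontains $e.User) { $users[$e.NT] += $e.User }
    }
    foreach ($e in $entries) {
        $e | Add-Member -NotePropertyName EmptyPassword -NotePropertyValue ($e.NT -eq $EmptyNT)
        $e | Add-Member -NotePropertyName HasLM         -NotePropertyValue ($e.LM -ne $EmptyLM)
        $e | Add-Member -NotePropertyName SharedWith    -NotePropertyValue (($users[$e.NT] | Where-Object { $_ -ne $e.User }) -join ',')
    }
    $entries
}

Get-HashDumpReport -Lines ($Sample -split "`r?`n") |
    Sort-Object User, History |
    Format-Table User, Rid, History, EmptyPassword, HasLM, SharedWith -AutoSize
```

On the constructed sample, WS01$ is dropped as a machine account, the Administrator history entry is flagged as an empty password, and Administrator and svc_backup are reported as sharing one NT hash, so cracking either gives both; pass -SkipHistory to see what is lost when history parsing is turned off.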
The program supports all three ways the SYSKEY (boot key) can be stored: in the registry (the default), on a startup floppy diskette, and derived from a startup password.