Windows Password Recovery - loading hashes from remote computer
Import hashes from a remote host. The program has means for dumping hashes from a remote host without employing third-party utilities. This does not compromise the remote system, as it still requires supplying the credentials for the remote host user.
Dumping from a remote host works as follows. First, you should enter the remote host name in the Remote Host field. You can use the [...] button to browse the network. Once you have selected the remote host, set up a shared resource (allowed for both reading and writing), through which the data will be transmitted. Usually, that is either C$ or ADMIN$. Here too, you can take advantage of the browse button to the right of the edit box. Next, in the two fields at the bottom type in the remote host account name and the password.
The 'Save Credentials' button saves the current settings. Respectively, the 'Load Credentials' button loads existing settings, so that you don't have to enter them manually every time you need them. The password is stored in encrypted form!
The import feature requires administrative privileges.
You may, however, experience some trouble connecting to a remote PC, even if you have an Administrator account. When connecting to a target PC running Windows Vista/7/8/10, you may get the following error:
Error 5 indicates that access is denied (even if the target account has Administrator privileges). The problem is that, by default, a remote connection in Windows Vista and later OSes cannot perform administrative tasks. Microsoft documentation clearly states the following:
When a user with an administrator account in a Windows Vista computer's local Security Accounts Manager (SAM) database remotely connects to a Windows Vista computer, the user has no elevation potential on the remote computer and cannot perform administrative tasks. If the user wants to administer the workstation with a SAM account, the user must interactively log on to the computer to be administered.
There is, however, a flag in the Windows registry that changes the default behavior. Just launch the registry editor on the target PC and open the following key:
Then create a DWORD value named LocalAccountTokenFilterPolicy and set it to one (1). After that, you will be able to connect to the admin share.
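The registry value persists on the target PC until it is removed, so it is worth checking its state before and after the import. The PowerShell below is an added example, not part of the program or of the original page: it reports whether the override is present on the local machine and can remove it to restore the default. The key path is taken from Microsoft's documentation of LocalAccountTokenFilterPolicy rather than from this page, and the function names are hypothetical.

```powershell
# Added example: audit and optionally restore the UAC remote-restriction setting.
# Assumption: the key path below comes from Microsoft's documentation of
# LocalAccountTokenFilterPolicy; the page itself does not show it.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # Value absent or 0: remote logons by local administrators receive a
    # filtered token (the Windows default). Any other value is reported as
    # an override so that it gets reviewed.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $prop) { $prop.$ValueName } else { $null }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        RawValue  = $raw
        Filtering = ($null -eq $raw -or $raw -eq 0)
    }
}

function Restore-RemoteUacFilter {
    # Removes the override so the default (filtered tokens) applies again.
    # Must be run from an elevated session; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-RemoteUacFilterState).Filtering) { return }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", 'Remove value')) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName
    }
}

$state = Get-RemoteUacFilterState
$state | Format-List
if (-not $state.Filtering) {
    Write-Warning "$ValueName is set: remote logons by local administrators get a full administrative token."
}
```

Run `Restore-RemoteUacFilter -WhatIf` first to preview the change, then without `-WhatIf` once the import is finished.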