Windows uses three generic types of cached credentials:
Domain Cached Credentials. By default, when you log on to a domain account, Windows caches the last 10 successful logon attempts on the local PC. This is known as Domain Cached Credentials (DCC). Please refer to our article for more detailed information on domain cached credentials. To decrypt domain cached credentials to plaintext passwords, you will need a tool that supports DCC recovery, for example hashcat. You can also use our Domain Cached Credentials Explorer tool to investigate, search and dump DCC hashes.
Generic logon credentials, or simply SAM hashes. These are users' logon passwords. All logon passwords are stored as hashes. Our tools have wide capabilities to decrypt these hashes back to plaintext passwords.
DPAPI cached credentials. We call it DPAPI credhist. All previous user passwords are saved into the DPAPI credhist chain, so to decrypt the hashes of all passwords previously set by the user, you have to decrypt the current user's hash first. The credentials are saved either as NTLM or as SHA1 hashes. This feature is supported by our WPR tool only. See some info here.
Windows Password Recovery v10.2.3.951
Windows 8/Server 2012 v6.2.9200
Windows x64 - Yes
User Administrator - Yes
Drive (C:\) - fixed, NTFS, 824411 Mb free
Drive 'E:\' - CD-ROM
Windows dir - C:\WINDOWS
System dir - C:\WINDOWS\system32
Temp dir - C:\Users\RUSLA_~1\AppData\Local\Temp\
Profile dir - C:\Users\rusla_000
Program dir - C:\Program Files (x86)\Passcape\WPR
Program name - wpr.exe
Program size - 6716416
OpenCL 10.0.1800.11
Detected devices: 4 CPU cores, 1 AMD GPU
13:07:20 April 01 2016> Application started
13:09:50 April 01 2016> Importing from raw binary files
13:09:50 April 01 2016> AD: C:\WINDOWS\
13:09:50 April 01 2016> SYSTEM: C:\WINDOWS\system32\config\SYSTEM
13:09:50 April 01 2016> 'SYSTEM' is a system protected file, making a readable copy
13:10:10 April 01 2016> AD open error