Location of Password Hashes on a Windows Local Machine?

  • "Where are the two locations that user's password hashes are stored on a local windows machine?"

    My place of business asked me this question. I know that the SAM stores password hashes, where would the other location be?

    1. C:\windows\system32\config\SAM (Registry: HKLM/SAM)
    2. System memory

    The SAM file is mounted in the registry as HKLM/SAM. Windows locks this file, and will not release the lock unless it's shut down (restart, BSOD, etc). However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.

    Therefore, it seems more than likely that the hash, or password, will also be stored in memory. In fact, there are quite a few password crackers that take your password directly from memory.

    Thank you for the answer! I did a bit more digging and I learned that in memory, lsass holds on to a plaintext copy of the password for whoever is logged in.

    That's how a badUSB device can grab the hash. Rubber ducky, Malduino, P4wnP1 etc.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM