Once you have selected the database source (SAM or AD) and working mode (task), you will be prompted for the operating system to work with (note: if your system uses non-standard mass-storagee adapters such as SCSI or SAS that are not supported by the ESR, you may need to specify additional drivers; see Mass-storage drivers chapter for details). With the Auto selection, you just select the system folder from the drop-down box:
With Manual selection, you have to select either the location of the AD database and SYSTEM Registry file (using [...] button at the right):
or the location of SAM and SYSTEM files:
In manual mode, it is recommended to select the location of SYSTEM file first, so the location of SAM (or AD database) will be inserted automatically. The default location of SAM and SYSTEM files is:
%WINDOWS%\SYSTEM32\CONFIG\
And AD database (ntds.dit) is usually stored in the following folder:
%WINDOWS%\NTDS\
When browsing for SAM/SYSTEM/AD files, if you don't see the local drive(s), that means that you do not have necessary drivers (such as SerialATA, SCSI, RAID etc) installed. You may need to specify them during boot process (see Booting from the CD or UFD chapter for details).
Please note that if your system uses non-default SYSKEY mode (i.e. SYSKEY is not stored in the Registry), then the program will prompt you for startup password or SYSKEY floppy disk. If you do not supply them, password hashes cannot be extracted (decrypted), and so you will not be able to change account passwords or properties, or even dump password hashes into the text file.
If you have selected Test short and simple passwords option, then ESR will try to recover passwords using several pre-defined built-in dictionary and brute-force attacks, as well as decrypt some passwords that are stored/cached/encrypted in other files. That does not mean that many passwords will be recovered, but takes only a few minutes (may be more on slow computers, so you may wish to disable this option) and really helps to recover short and simple passwords, so you will not need to reset them. Here are the passwords that are being tested:
| • | obvious combinations like passwords that are equal to login names |
| • | stored dial-up passwords |
| • | passwords from secrets (SECURITY registry file) |
| • | LM passwords |
| • | 4-characters (caps, digits, 16 symbols) |
| • | passwords from wordlist |
| • | passwords from wordlist with one digit at the end |
| • | NTLM passwords |
| • | 4 characters (small, digits, 16 symbols) |
| • | 4 chars (small, caps) |
| • | 5 chars (small) |
| • | 5 chars (caps) |
| • | 7 chars (digits) |
| • | 3 chars (all symbols) |
| • | passwords from wordlist |
| • | repeatable combinations (like '00000', 'aaa' etc) |
| • | keyboard combinations (like 'qwerty') |
| • | keyboard combinations on OEM layout |
Then, the program creates a few different 'mutations' for the passwords that have been found at previous steps, and try to apply them to all accounts.