Elcomsoft.com » Password Recovery Software » Proactive Password Auditor » Help


Previous  Top  Next

Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003/2008/2012 (32-bit or 64-bit)
about 6 megabytes of free space on hard disk


Please note that some features (such as dumping password hashes from memory or registry) are available only with Administrator privileges. If you do not have them, or if Administrator's password is lost, forgotten or expired, or if Administrator's account is locked or disabled, it is suggested to use Elcomsoft System Recovery, a bootable CD or USB flash drive that can reset or change passwords to any user local or Active Directory accounts (including Administrator's one), enable/unlock disabled/locked accounts, dump password hashes into the text file (for further audit/recovery with PPA) and more.


For dumping password hashes from memory, there are some additional requirements:


'RestrictAnonymous' value in the following Registry key:




should be set to 0 or 1; remote access to the registry by domain users also should NOT be restricted using the wollowing key:




For more information about these keys, see Microsoft Knowledge Base articles Q143474 and Q246261.


Both the local and remote computers should have File and print sharing (i.e., the Workstation and Server services) enabled.


Remote system should have Admin$ share (a hidden share that maps to the \windows directory), or other share with the same properties defined.


If remote machine (you dump password hashes from) is running Windows XP SP2+ or Windows Server 2003+, the Network access: Sharing and security model for local accounts security policy should be set Classic - local users authenticate as themselves there. It can be done using Group Policy Editor (gpedit.msc) under the following branch: Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.


If, for some reason, PPA fails to dump from the remote computer, please try to connect to ADMIN$ resource manually in Windows Explorer: Tools | Map Network Drive (do not forget to disable the Reconnect at logon option and supply the same credentials as in PPA). If connection will be performed successfully, PPA should also work (do not forget to disconnect the network drive after this test); if not, you may also need to check the filerewall settings on the remote computer. If manual connection to ADMIN$ also fails, it means that ADMIN$ share is not enabled, or security policy described above is set to Guest only - local users authenticate as Guest, or you are supplying the wrong credentials (password is wrong, or the given user does not have administrator privileges on the remote machine).


In the domain environment, it is recommended to start PPA under the domain administrator's account.

Get more information about Proactive Password Auditor
Get full version of Proactive Password Auditor

(c) 2009 ElcomSoft Co.Ltd.