ELCOMSOFT.COM » Proactive System Password Recovery

Recovered hashes

Top  Previous  Next

Windows NT/2000XP/2003/2008/Vista/W7 Security Accounts Management Database (SAM) stores hashed copies of user passwords; the hash is a one-way function version of the clear text password. PSPR shows passwords of users that can be recovered instantly (including empty ones), or in a very short time (according to options). For these users, it is also possible to change the password hashes (and thus the passwords), but that may cause lost access to personal certificates, network passwords, EFS-encrypted files and some other data, so don't use that feature if you don't understand what you're doing.


Password history can be also extracted/decrypted (if appropriate option is set).


Using that feature, you can also dump (and probably decrypt) password hashes not only from the local system, but also from external (binary) SAM, SYSTEM and SECURITY files, and/or replace or reset the passwords there. Simply check the Manual decryption box, browse for these files, and press the Manual decryption button.


Please note that usually the SAM database is encrypted with a locally stored system key, and PSPR automatically decrypts it, but the SYSKEY utility can be used to additionally secure it by moving the SAM database encryption key off the Windows-based computer. The SYSKEY utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. If the local machine is configured this way, PSPR can try to recover this start-up password: click on Find SYSKEY startup password link to open a new window where you can set brute-force and dictionary attack options. The same window is opened if you dump password hashes from external SAM and SYSTEM files (in Manual mode), or if the start-up password is known, you can enter it there (or if SYSKEY is stored on a floppy disk, provide PSPR with it in order to get password hashes decrypted for further attacks).


Password hashes of Active Directory users can be also shown (see options), and if passwords are stored using reversible encryption, plain-text passwords are recovered instantly regardless their complexity.


In Manual decryption mode (i.e., for password hashes loaded from Registry files taken from another computer), You can also use the SAM database editor feature to see the details of all user accounts (in read-only mode); select the user account you are interested in and press the SAM database editor link (if no account is selected, the first one from the list will be loaded). The following information is available:


general information (user name, full name, comments, user ID)
hashes (LM and NTLM, including 'history' ones)
flags (a lot of)
date/time of last logon, logoff, password change/set, account expiration, last bad password
local and global groups
logon hours
misc information
domain information
domain properties
domain password properties (incl. SAM session key and SYSKEY)


Windows logon passwords can be also audited/recovered in Proactive Password Auditor and Elcomsoft Distributed Password Recovery.


Get more information about Proactive System Password Recovery
Get full version of Proactive System Password Recovery

(c) 2014 ElcomSoft Co.Ltd.