Location of Password Hashes on a Windows Local Machine?

  1. C:\windows\system32\config\SAM (Registry: HKLM/SAM)
  2. System memory

The SAM file is mounted in the registry as HKLM/SAM. Windows locks this file, and will not release the lock unless it's shut down (restart, BSOD, etc). However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.

Therefore, it seems more than likely that the hash, or password, will also be stored in memory. In fact, there are quite a few password crackers that take your password directly from memory.


There is an additional location where they store cached domain credentials as MSCASH2 hashes:

HKEY_LOCAL_MACHINE\Security\Cache

So, if you are talking about a domain-joined machine, there are three places that you could find credentials stored.

  1. SAM file (need both C:\windows\system32\config\SAM, and C:\windows\system32\config\system)
  2. Registry (HKEY_LOCAL_MACHINE\Security\Cache for domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
  3. In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written-to-disk.

Tags:

Windows

Passwords

Hash

Related

Why should servers be placed outside of the corporate network? Can I read the domain name from HTTPS before SSL handshake? What is the purpose of the expiration time in signed S3 urls? Getting spam calls from numbers similar to my own What was the aim of this invalid HTTP request that tells a story about goats in the request URI? How much can we trust open source implementations of crypto (security) libraries? Is it dangerous to call spam phone numbers, even if you know they're spammers? Is information disclosure in a form of a server header a real vulnerability? Is there an encryption algorithm that is fully secure? Why OpenSSH deprecated DSA keys Is there a threshold of bits of entropy below which hashing becomes meaningless? Is same origin policy for web only useful because of cookies?

Recent Posts