17

What passwords are stored in Microsoft Windows? How can I know what passwords are saved on the computer?

Gilles 'SO- stop being evil'
user52633
  • Related post - [Where does Windows OS store user passwords?](https://superuser.com/q/235300/374397) – RBT Feb 20 '20 at 09:40

4 Answers

14

Windows Credentials

Yes, they are stored hashed within files in the c:\Windows\System32\Config\ directory. You will need the SAM and system files. However, a backup of these files may be stored in the Windows repair folder at c:\Windows\Repair\. SAM contains the hashed passwords; however, they are encrypted using the boot key within the system file.

If Windows is running and you need access to the locked files in the Config folder (for example you know the files in Repair are out of date), you can extract these files using regedit.

C:\>reg.exe save HKLM\SAM sam
The operation completed successfully
C:\>reg.exe save HKLM\SYSTEM sys
The operation completed successfully

An alternative is to use a tool such as Pwdump, which can extract the hashes stored within the SAM/system files directly without the need to use regedit or manual decryption of the SAM using the boot key.

Windows passwords may also be cached in memory. Windows Credentials Editor can extract these values in plain text from the Windows Digest Authentication package.

C:\>wce -w
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity com)
Use -h for help.


test\MYDOMAIN:mypass1234
NETWORK SERVICE\WORKGROUP:test

You will need local administrator access to do all of the above, unless you can mount the partition from another machine to directly access the files in the first case.

Network Credentials

Network passwords are stored inside Windows Vault/Credential Manager:

Windows Vault

Tools such as Windows Vault Password Decryptor can extract and decrypt these.

SilverlightFox
5

To access the Windows passwords, you'll need both the SAM and SYSTEM files from C:/WINDOWS/SYSTEM32/config.

On a Linux distro, like Kali Linux, you can then use the command "bkhive SYSTEM bootkey" to get the boot key from the SYSTEM file. Then, use the command "samdump2 SAM bootkey > samdump.txt" to get the hash dump from the SAM file.

If you open the file, you'll see lines similar to below:

admin:1006:NO PASSWORD*********************:44bf0244f032ca8baaddda0fa9328bf8:::

This means the admin account's NTLM password is "44bf0244f032ca8baaddda0fa9328bf8".

If you see something like:

admin:1006:37035b1c4ae2b0c54a15db05d307b01b:44bf0244f032ca8baaddda0fa9328bf8:::

This means the PC has LM hashes enabled. In this case, the LM hash is "37035b1c4ae2b0c54a15db05d307b01b". LM hashes are easy to crack; they have the strength of a 7-character password (look it up on Wikipedia to find out why).

The SAM and SYSTEM files are generally obtained when the PC is powered off. However, there is a technique to get the files when the PC is powered on, using shadow volume copy, which is available in modern versions of Windows. Essentially, this allows you to take a backup of the running system, and you can extract the SAM and SYSTEM files from that backup. Google is your friend; there are many articles explaining this technique in detail.

Sardoc
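The answer above describes the samdump2/pwdump line format (user:rid:lmhash:nthash:::) and how an LM hash shows up in it. As an added example, not part of the original answer, here is a small Python audit that parses such lines and flags accounts that still have an LM hash stored (i.e. the NoLMHash policy is not in effect) or have a blank password. The empty-string LM and NT hash constants are the well-known values; the sample dump is constructed from the two hashes quoted in the answer plus one invented account.

```python
import re

# Well-known hashes of the empty string (pwdump-style tools emit the empty
# LM hash when no LM hash is stored; a blank password yields the empty NT hash).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def parse_dump_line(line):
    """Parse one samdump2/pwdump line: user:rid:lmhash:nthash:::"""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed line: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2], parts[3]
    # samdump2 prints 'NO PASSWORD***...' when no LM hash is stored, pwdump
    # prints the empty-string LM hash instead; treat both as 'no LM hash'.
    lm_present = HEX32.match(lm) is not None and lm.lower() != EMPTY_LM
    return {
        "user": user,
        "rid": int(rid),
        "lm_present": lm_present,
        "nt_blank": nt.lower() == EMPTY_NT,
        "nt_valid": HEX32.match(nt) is not None,
    }

def audit_dump(text):
    """Return (user, rid, issues) for every non-empty line of a dump."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_dump_line(line)
        issues = []
        if rec["lm_present"]:
            issues.append("LM hash stored (NoLMHash policy not enforced)")
        if rec["nt_blank"]:
            issues.append("blank password")
        if not rec["nt_valid"]:
            issues.append("unparseable NT hash")
        findings.append((rec["user"], rec["rid"], issues))
    return findings

# Constructed sample dump: the two lines from the answer plus a blank-password
# account written in pwdump (empty-LM-hash) form.
SAMPLE = """\
admin:1006:NO PASSWORD*********************:44bf0244f032ca8baaddda0fa9328bf8:::
legacy:1007:37035b1c4ae2b0c54a15db05d307b01b:44bf0244f032ca8baaddda0fa9328bf8:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user, rid, issues in audit_dump(SAMPLE):
        print(f"{user} (RID {rid}): {', '.join(issues) or 'ok'}")
```

On a real system the fix for the first finding is to enable the "Network security: Do not store LAN Manager hash value on next password change" policy and then rotate the affected passwords, since existing LM hashes are only dropped at the next change.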
2

Yes, Windows saves users' passwords in 3 files:

  1. Windows\System32\Config\SAM (a file without extension).
  2. Windows\System32\Config\SAM.sav: a copy of the first one.
  3. Windows\System32\Config\SAM.log: a transaction log of changes.

To access these files, run Start/CMD, type %SystemRoot%, then choose the subfolder system32\config.

These files cannot be read, deleted or modified in any way by the user.

These files are directly used and read from this Windows registry key: HKEY_LOCAL_MACHINE\SAM.


1

All local user account passwords are stored inside Windows. They are located inside C:\windows\system32\config\SAM. If the computer is used to log into a domain, then that username/password are also stored, so it's possible to log into the computer when not connected to the domain.

As for seeing which passwords are currently stored on a computer you can use a program such as Cain and Abel to see the different users and their corresponding hashed passwords. Cain and Abel will also allow you to attempt to crack the passwords if you have enough spare time.

JekwA
  • Can SAM be accessed with running Windows anyway? Is CaA actual for W8.1? – user52633 Jul 25 '14 at 00:43
  • If you want to access SAM, Windows cannot be running; CaA should still be able to pull usernames/password hashes with it running, though. And I've never tried using CaA on anything past Windows 7. – JekwA Jul 25 '14 at 00:58