±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36209
New Yesterday: 3 Visitors: 136

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Windows 10 Login Pin

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

LeGioN
Member
 

Windows 10 Login Pin

Post Posted: Jul 17, 19 08:17

Hey!

So.. It is an aweful slow week at work and I have decided to look into the Windows 10 pin code.

Before creating the pin the NGC folderis empty:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc

After I added it there is now a subfolder:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

This directory contains a buttload of subfolder and files.

However I am unable to figure out what the files are and what kind of encryption has been used.

There is a bunch of .dat files spread across multiple folders that contains all sort of random numbers. (Well.. I guess they are not random.. )
In the {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} folder there is a 1.dat file that contains a SID S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-1001.

In my case there is 32 .dat files spread across all the sub directoreis.
1 that seems to be encrypted.
4 that contains something that looks like hashes.

Has anyone any idea how one can extract the Windows Login Pin from the data found in the folder?

/LeGioN  
 
  

deeFIR
Member
 

Re: Windows 10 Login Pin

Post Posted: Jul 18, 19 02:14

I just enabled PIN as a sign-in option and set it to a 4 number string. That generated all the files and folder structure you've referred to. Interestingly;

Ngc\{hex string}\1.day contains the SID of my current user.

I've changed my PIN numerous times and the names of the folders, files, and their corresponding values don't change (same hashes and file name).

I'm not in a position to inspect my SAM file at the moment. Perhaps if it's added as a reference (given the reference to the user's SID as mentioned above) there's possibly another value saved against the same SAM file.

I'm not in a position to do it at the moment, but perhaps try exporting your SAM, reg view it, change your PIN and view it again to identify any changes.

Do you have BitLocker enabled by chance? Some light reading; docs.microsoft.com/en-...n-password

A PIN is tied to the device

A PIN is not stored on any server and is device specific. This means that if someone finds out your system’s PIN, the intruder would be able to get nothing out of it unless he/she steals the device as well. The PIN cannot be used on any other device belonging to the same person.

A PIN is backed up by TPM hardware
 
 
  

LeGioN
Member
 

Re: Windows 10 Login Pin

Post Posted: Jul 18, 19 07:46

Thanks for the light reading! Very Happy
I opened regedit and just searched for my SID.

And lo and behold what I found:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\Credentials\Your_SID

In this there is a key called EncryptedPassword.

So at least I now have something to play around with trying to decrypt the password Very Happy

/LeGioN  
 
  

deeFIR
Member
 

Re: Windows 10 Login Pin

Post Posted: Jul 19, 19 04:08

Interesting. I found the same as well. After enabling and setting a PIN, the key EncryptedPassword was generated. I exported that as a reg file. I changed the PIN and refreshed the registry, and exported the EncryptedPassword key. Both keys, however, are the same.  
 
  

LeGioN
Member
 

Re: Windows 10 Login Pin

Post Posted: Jul 20, 19 20:58

- deeFIR
Interesting. I found the same as well. After enabling and setting a PIN, the key EncryptedPassword was generated. I exported that as a reg file. I changed the PIN and refreshed the registry, and exported the EncryptedPassword key. Both keys, however, are the same.


Ooh!
Interesting!
Hmm.. So wonder what makes it stay the same?
Did you log-in and out after changing it?
Or do a full reboot?

Currently enjoying a few days of work, but feel free to post your findings here ^^

/LeGioN  
 

Page 1 of 1