Windows 10 Login Pi...
 
Notifications
Clear all

Windows 10 Login Pin

5 Posts
2 Users
0 Likes
2,781 Views
LeGioN
(@legion)
Posts: 51
Trusted Member
Topic starter
 

Hey!

So.. It is an aweful slow week at work and I have decided to look into the Windows 10 pin code.

Before creating the pin the NGC folderis empty
C\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc

After I added it there is now a subfolder
C\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc\{xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

This directory contains a buttload of subfolder and files.

However I am unable to figure out what the files are and what kind of encryption has been used.

There is a bunch of .dat files spread across multiple folders that contains all sort of random numbers. (Well.. I guess they are not random.. )
In the {xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} folder there is a 1.dat file that contains a SID S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxxx-1001.

In my case there is 32 .dat files spread across all the sub directoreis.
1 that seems to be encrypted.
4 that contains something that looks like hashes.

Has anyone any idea how one can extract the Windows Login Pin from the data found in the folder?

/LeGioN

 
Posted : 17/07/2019 8:17 am
(@deefir)
Posts: 49
Eminent Member
 

I just enabled PIN as a sign-in option and set it to a 4 number string. That generated all the files and folder structure you've referred to. Interestingly;

Ngc\{hex string}\1.day contains the SID of my current user.

I've changed my PIN numerous times and the names of the folders, files, and their corresponding values don't change (same hashes and file name).

I'm not in a position to inspect my SAM file at the moment. Perhaps if it's added as a reference (given the reference to the user's SID as mentioned above) there's possibly another value saved against the same SAM file.

I'm not in a position to do it at the moment, but perhaps try exporting your SAM, reg view it, change your PIN and view it again to identify any changes.

Do you have BitLocker enabled by chance? Some light reading; https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password

A PIN is tied to the device

A PIN is not stored on any server and is device specific. This means that if someone finds out your system’s PIN, the intruder would be able to get nothing out of it unless he/she steals the device as well. The PIN cannot be used on any other device belonging to the same person.

A PIN is backed up by TPM hardware

 
Posted : 18/07/2019 2:14 am
LeGioN
(@legion)
Posts: 51
Trusted Member
Topic starter
 

Thanks for the light reading! D
I opened regedit and just searched for my SID.

And lo and behold what I found
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\Credentials\Your_SID

In this there is a key called EncryptedPassword.

So at least I now have something to play around with trying to decrypt the password D

/LeGioN

 
Posted : 18/07/2019 7:46 am
(@deefir)
Posts: 49
Eminent Member
 

Interesting. I found the same as well. After enabling and setting a PIN, the key EncryptedPassword was generated. I exported that as a reg file. I changed the PIN and refreshed the registry, and exported the EncryptedPassword key. Both keys, however, are the same.

 
Posted : 19/07/2019 4:08 am
LeGioN
(@legion)
Posts: 51
Trusted Member
Topic starter
 

Interesting. I found the same as well. After enabling and setting a PIN, the key EncryptedPassword was generated. I exported that as a reg file. I changed the PIN and refreshed the registry, and exported the EncryptedPassword key. Both keys, however, are the same.

Ooh!
Interesting!
Hmm.. So wonder what makes it stay the same?
Did you log-in and out after changing it?
Or do a full reboot?

Currently enjoying a few days of work, but feel free to post your findings here ^^

/LeGioN

 
Posted : 20/07/2019 8:58 pm
Share: