How to know if there is User Password in Windows
Hello, I was wondering if there is a way to discover if a PC with Windows has the User password or not.
Obviously I mean searching this information through an image file of the hard drive of the PC.
If you are looking for an automated tool
I haven't played with Mark's tool but it hasn't been updated in 4 years, so won't deal with the new location for the NTLM hash.
Microsoft moved the location in Win10 anniversary update (wrote about it here), so tools that haven't been updated will erroneously report that a password is blank.
You can pull the hashes with some tools, and I think it's reasonable to say that if there's a hash that isn't blank then a password is currently set. Caveats here are I don't know what happens if someone has a password and then removes it, or has a standard account and then changes it to a Microsoft online account (edge cases so havent tested).
The guaranteed way to check the password settings is to boot a VM/restored copy of the drive. GetData Forensic Explorer, VFC, and Arsenal Image Mounter (current tool of choice) have the capability of booting a VM. That will tell you pretty quickly that there's a password set or not.
Do not rely on the output of a registry parser that says password not required
Thank you for your infor.