How to know if there is User Password in Windows  

d3lete
(@d3lete)
New Member

Hello, I was wondering if there is a way to discover if a PC with Windows has the User password or not.
Obviously I mean searching this information through an image file of the hard drive of the PC.

Posted : 20/02/2020 2:18 pm
jaclaz
(@jaclaz)
Community Legend

At least for local accounts you need to check the SAM and other Registry files
https://www.forensicfocus.com/Forums/viewtopic/t=5539/

If you are looking for an automated tool
https://github.com/woanware/ForensicUserInfo

jaclaz

Posted : 20/02/2020 2:36 pm
randomaccess
(@randomaccess)
Active Member

If you are looking for an automated tool
https://github.com/woanware/ForensicUserInfo

I haven't played with Mark's tool but it hasn't been updated in 4 years, so won't deal with the new location for the NTLM hash.

Microsoft moved the location in Win10 anniversary update (wrote about it here), so tools that haven't been updated will erroneously report that a password is blank.
You can pull the hashes with some tools, and I think it's reasonable to say that if there's a hash that isn't blank then a password is currently set. Caveats here are I don't know what happens if someone has a password and then removes it, or has a standard account and then changes it to a Microsoft online account (edge cases so haven't tested).

The guaranteed way to check the password settings is to boot a VM/restored copy of the drive. GetData Forensic Explorer, VFC, and Arsenal Image Mounter (current tool of choice) have the capability of booting a VM. That will tell you pretty quickly whether there's a password set or not.

Do not rely on the output of a registry parser that says password not required.

Posted : 22/02/2020 12:58 pm
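
Added example, not part of the posts above and not code from any of the tools mentioned: a Python sketch of why a parser that only knows the pre-Anniversary-Update record shape reports a blank password for a newer record. It assumes the commonly documented reverse-engineered layout of a SAM user V value (NT hash entry at 0xA8, data area starting at 0xCC, revision 1 for the older record and 2 for the AES one); the function names and the sample records are constructed for illustration, and nothing is decrypted.

```python
import struct

DATA_BASE = 0xCC   # assumed: variable-length data follows the fixed V header
NT_ENTRY = 0xA8    # assumed: NT hash entry = offset (4 bytes) + length (4 bytes)

def nt_hash_state(v: bytes) -> str:
    """Classify the NT hash entry of one SAM V value without decrypting it."""
    if len(v) < DATA_BASE:
        return "malformed"
    off, length = struct.unpack_from("<II", v, NT_ENTRY)
    blob = v[DATA_BASE + off:DATA_BASE + off + length]
    if length < 4 or len(blob) != length:
        return "malformed"
    revision = struct.unpack_from("<H", blob, 2)[0]
    if revision == 1:   # older record: 4-byte header + 16-byte encrypted hash
        return "hash present (legacy)" if length == 0x14 else "no hash stored"
    if revision == 2:   # AES record: 24-byte header incl. salt, then ciphertext
        return "hash present (AES)" if length > 0x18 else "no hash stored"
    return "unknown revision"

def legacy_only_check(v: bytes) -> str:
    """What a parser written before the format change concludes."""
    _, length = struct.unpack_from("<II", v, NT_ENTRY)
    return "hash present" if length == 0x14 else "blank password"

def build_v(blob: bytes) -> bytes:
    """Constructed V value: zeroed header with only the NT hash entry set."""
    header = bytearray(DATA_BASE)
    struct.pack_into("<II", header, NT_ENTRY, 0, len(blob))
    return bytes(header) + blob

# Constructed sample records (zero bytes stand in for salt and ciphertext).
LEGACY_SET = build_v(struct.pack("<HH", 1, 1) + bytes(16))
LEGACY_EMPTY = build_v(struct.pack("<HH", 1, 1))
AES_SET = build_v(struct.pack("<HHI", 1, 2, 16) + bytes(16) + bytes(32))
AES_EMPTY = build_v(struct.pack("<HHI", 1, 2, 0) + bytes(16))

if __name__ == "__main__":
    for name, v in [("legacy/set", LEGACY_SET), ("legacy/empty", LEGACY_EMPTY),
                    ("aes/set", AES_SET), ("aes/empty", AES_EMPTY)]:
        print(f"{name:13} new={nt_hash_state(v):22} old={legacy_only_check(v)}")
```

A "hash present" result only says a hash is stored; the edge cases raised in the post above still call for booting a copy of the image to confirm.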
Dyball
(@dyball)
New Member

Thank you for your info.

Posted : 09/03/2020 8:44 am