User passwords in the Registry  

Page 2 / 2
JSkier
(@jskier)
New Member

Thanks - sounds like the typical CYA documentation and testing - not much different in the US.

Posted : 17/05/2010 8:03 pm
JSkier
(@jskier)
New Member

00AC refers to the offset (172 decimal). I can't remember if Access Data Registry Viewer shows offsets in decimal or hex, but either way, if you have the V key open and get to the offset mentioned, the value 14 indicates that a password is present.

I did some research on this. Offset 172 seems accurate most of the time. I found an XP Administrator account that had an offset of 14 but in fact the password was blank (likely had a password at one time). For me, PRTK or ophcrack, which are capable of showing the NT Password field (either as blank or recovered / failed), as well as ForensicUserInfo have been accurate every time thus far on 3 different cases (confirming with LiveView).

Posted : 25/05/2010 1:52 am
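
Added example (not part of the thread, and not code from any tool named in it): a Python sketch of the check discussed above, reading the 4-byte value at offset 0xAC of an exported V value and comparing it to 0x14. The entry-offset field at 0xA8, the 0xCC data base, the function names and the sample buffers are assumptions made for illustration.

```python
import struct

NT_LEN_OFF = 0xAC    # offset named in the thread (172 decimal)
NT_OFS_OFF = 0xA8    # assumption: relative offset of the NT hash entry
DATA_BASE = 0xCC     # assumption: entry offsets count from the end of the header
HASH_PRESENT = 0x14  # value the thread says indicates a password


def nt_entry(v: bytes) -> dict:
    """Return the NT hash entry length, the thread's flag, and the raw entry bytes."""
    if len(v) < DATA_BASE:
        raise ValueError("V value is shorter than the 0xCC-byte header")
    # The two little-endian DWORDs at 0xA8 and 0xAC are read together.
    rel_ofs, length = struct.unpack_from("<II", v, NT_OFS_OFF)
    start = DATA_BASE + rel_ofs
    blob = v[start:start + length]
    if len(blob) != length:
        raise ValueError("NT entry points past the end of the V value")
    # flagged=True only means a 0x14-byte entry is stored. The entry is still
    # encrypted, so this cannot distinguish a real password from a blank one,
    # which matches the XP Administrator case reported in the post above.
    return {"length": length, "flagged": length == HASH_PRESENT, "blob": blob}


def build_sample(length: int) -> bytes:
    """Constructed V value for testing: zeroed header plus `length` filler bytes."""
    header = bytearray(DATA_BASE)
    struct.pack_into("<II", header, NT_OFS_OFF, 0, length)
    return bytes(header) + bytes(range(length))


if __name__ == "__main__":
    for label, sample in (("0x14 entry", build_sample(0x14)),
                          ("0x04 entry", build_sample(0x04))):
        info = nt_entry(sample)
        print(f"{label}: length=0x{info['length']:02X} flagged={info['flagged']}")
```

A flagged account should still be confirmed with a tool that reports the NT password field, as the post describes.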