User passwords in the Registry
Thanks - sounds like the typical CYA documentation and testing - not much different in the US :)
00AC refers to the offset (172 decimal). I can't remember if AccessData Registry Viewer shows offsets in decimal or hex, but either way, if you have the V key open and get to the offset mentioned, the value 14 indicates that a password is present.
I did some research on this. Offset 172 seems accurate most of the time. I found an XP Administrator account that had an offset of 14 but in fact the password was blank (likely had a password at one time). For me, PRTK or ophcrack that are capable of showing the NT Password field (either as blank or recovered / failed) as well as ForensicUserInfo have been accurate every time thus far on 3 different cases (confirming with LiveView).
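The check discussed in this thread, as an added example that is not part of any post above: it reads the DWORD at offset 0xAC (172) of a SAM V value and reports whether it holds 0x14. The header size (0xCC), the username fields at 0x0C/0x10, the LM field at 0xA0 and the 0x04 "empty" value are assumptions taken from the commonly documented XP-era layout, and the sample V values are constructed.

```python
import struct

HEADER_SIZE = 0xCC               # assumption: variable-length data follows this header
NAME_OFF, NAME_LEN = 0x0C, 0x10  # assumption: username offset/length fields
LM_LEN, NT_LEN = 0xA0, 0xAC      # 0xAC = 172 decimal, the offset from the thread

def u32(v: bytes, offset: int) -> int:
    """Read a little-endian DWORD, refusing truncated V values."""
    if offset + 4 > len(v):
        raise ValueError(f"V value too short for offset {offset:#x}")
    return struct.unpack_from("<I", v, offset)[0]

def classify(length: int) -> str:
    """Interpret a hash-length field; 0x14 is the value the thread looks for."""
    if length == 0x14:
        return "hash record stored"
    if length == 0x04:           # assumption: header only, no hash bytes
        return "no hash stored"
    return f"unexpected length {length:#x}"

def inspect_v(v: bytes) -> dict:
    """Report the username and the NT/LM indicators for one account's V value."""
    start = HEADER_SIZE + u32(v, NAME_OFF)
    name = v[start:start + u32(v, NAME_LEN)].decode("utf-16-le", "replace")
    nt, lm = u32(v, NT_LEN), u32(v, LM_LEN)
    return {"user": name, "nt_len": nt, "nt": classify(nt),
            "lm_len": lm, "lm": classify(lm)}

def build_sample_v(name: str, nt_len: int, lm_len: int = 0x04) -> bytes:
    """Constructed test data, not taken from a real hive."""
    raw = name.encode("utf-16-le")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<II", header, NAME_OFF, 0, len(raw))
    struct.pack_into("<I", header, LM_LEN, lm_len)
    struct.pack_into("<I", header, NT_LEN, nt_len)
    return bytes(header) + raw

if __name__ == "__main__":
    for sample in (build_sample_v("Administrator", 0x14),
                   build_sample_v("Guest", 0x04)):
        print(inspect_v(sample))
```

A result of "hash record stored" only says a hash is recorded for the account; as the last post notes, an account with a blank password can still show 14, so confirm with a tool that reports the NT Password field.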