
Windows 10 Virtualisation & Microsoft user accounts  

Brevs11
(@brevs11)
New Member

Morning all.

I've been attempting for a while to find a way to log in to a Microsoft user account on a Windows 10 computer when that computer has been virtualised (FTK Imager to mount the forensic image, VFC and VMware to create and run the VM). This has to be completed in as forensically sound a manner as possible.

So the scenario I'm finding more often these days is that the user has either created from new, or migrated an existing local account to, a Microsoft-based, password-protected account. I know that when Windows 10 is installed Microsoft tries very hard to force users down the path of creating a Microsoft account rather than using a local account. A Microsoft-based account must be protected with a password or PIN.

I have used the following 'hack' which allows you to enable and login to the local Administrator account, assuming that the user has not previously enabled it and added a password.

Enable Hidden Administrator Account in Windows 10 without Login

However, even logging in to the local Administrator account does not allow the changing or removal of another user's Microsoft-created account.

All of the tools I'm currently using to examine the SAM incorrectly report Microsoft-created accounts as having no password set; likewise, running various boot disks to blank the NT password fails because there isn't one.

Depending on how the account was created, when attempting to log in to the account you will sometimes get "Your device is offline, please enter old password." Some online research for this message shows that there are numerous users who report either that they never set an earlier password or that they enter their old password and it doesn't work. If Windows does store an old password for offline local use, where is it?

Asking the user for the password is not always possible, and of course the password could always be reset by logging into the Microsoft account on a different device, again not possible in this scenario.

I wondered if anyone has any success or ideas as to whether what I'm trying to achieve is possible, without the options available in the preceding paragraph.

Posted : 28/01/2019 10:09 am
keydet89
(@keydet89)
Community Legend

"…report Microsoft created accounts as having no password set…"

I'm curious…what tools are you using, and what are they telling you? What I mean is, what is the message, exactly worded, that you're seeing?

That might be helpful.

Thanks.

Posted : 28/01/2019 11:00 am
Brevs11
(@brevs11)
New Member

AccessData Registry Viewer, ophcrack, IEF, EnCase v6 & v8 all show the NT hash and password as empty in the SAM.

I did another little bit of research a while back and, I stand to be corrected, but this has been the case since Windows version 1607 (Anniversary Update). I discovered it by accident: the tools were reporting no password set on the account, but when I virtualised it there was a password, if it was a Microsoft-based account.

Thanks

Posted : 28/01/2019 11:15 am
mjpetersen
(@mjpetersen)
New Member

The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?

Posted : 28/01/2019 6:04 pm
Brevs11
(@brevs11)
New Member

The reason you are not seeing the account is because the passwords are not stored locally.

Have you tried the VFC Password Bypass? Did that work or did it only allow you to view the local files and not the on-line files?

VFC reports that there is no password set on the account so the password bypass does not work.

I have a Microsoft account on a PC at home. I know the current and old (local account) passwords, so I'll disconnect from the Internet and see if I get the "Your device is offline, please enter old password." message, although I've never been able to get it to work previously. And even if this does work, I would imagine that it wouldn't work if the account was created from scratch as a Microsoft account.

If the old password is present, it must be stored somewhere, but it doesn't seem to be in the SAM, certainly not where a normal local user account password is stored anyway.

Posted : 29/01/2019 7:52 am
randomaccess
(@randomaccess)
Active Member

Microsoft moved the location of the passwords for local systems last year.
Many tools haven't been updated. Mimikatz works though.

I wrote a post about it here

Unfortunately I haven't figured out the problem you're seeing.
I'm thinking that it stores the password the same way that it would cache it for a domain.
I ran mimikatz over a live-account-enabled test image today and didn't get very far.

I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.

Posted : 29/01/2019 11:05 am
Brevs11
(@brevs11)
New Member

I'll have to think through the problem; the password is stored somewhere, just where I don't know yet.

Many thanks for the info.

It makes you wonder how many people are reporting that no password is set on an account, based on the 'industry standard' tools, when one is actually set. This is why I've been trying to run a VM in every case... to be sure.

Posted : 29/01/2019 11:57 am
Brevs11
(@brevs11)
New Member

I'm running the latest build of Windows 10, with a Microsoft account protected with a PIN. I removed the Ethernet cable, rebooted, and I could still log in with the same PIN, so it's cached locally somewhere.

Posted : 30/01/2019 8:03 am
randomaccess
(@randomaccess)
Active Member

Yep, it's cached.
I get the feeling it's just treated like a domain account. You can log in to a domain account offline.
Where does Windows cache the passwords there?

Posted : 30/01/2019 12:04 pm
Brevs11
(@brevs11)
New Member

Where does Windows cache the passwords there?

It seems as though only Microsoft and the person who wrote Mimikatz know.

The Mimikatz notes get really heavy, but I was reading that it's stored in memory somewhere.

I've had a little bit of success this morning extracting a Windows 10 NT hash using Mimikatz and then using Ophcrack and rainbow tables to decode the hash. So it's doable but not pretty.

What I'm really looking for now is something that will allow you to overwrite the NT hash as blank rather than having to extract the hash and then crack it.

Unfortunately I'm not clever enough by a long way to do it myself.

Posted : 30/01/2019 12:49 pm
MrMacca
(@mrmacca)
New Member

I've been doing some experimentation with VMs and I've had about a 90% success rate on systems that have a Microsoft account attached rather than a local account.

Here was my method

Software required:
Aomei Backupper Standard
Passware 2019 (password removal disk created using this)
VirtualBox
Arsenal Recon Image Mounter

1 - Mount the E01 image of the laptop you want to virtualise with Arsenal Recon Image Mounter.
2 - Run Aomei Backupper to view the mounted drive and calculate the required size of the drive + 30 GB extra.
3 - Create a VHD of the required size that is fixed.
4 - Attach this VHD so that Disk Management in Windows can see it, then format it to GPT.
5 - Now open up Aomei Backupper Standard and then clone the E01 image that is mounted to this new blank VHD. The reason I use Aomei Backupper is so that it condenses the drive down to its required size.
6 - Detach this VHD using Disk Management and then make a backup copy of it.
7 - Once this is cloned, create a new VirtualBox VM and attach the VHD to it. Configure the settings of VirtualBox to hopefully get it to boot successfully.
8 - If it doesn't boot, then download the Windows ISO 1703 version (I had to use this version as the bootrec commands sometimes didn't work properly). Boot the VM using this ISO and then run a repair. Run bootrec /FixMbr, /FixBoot, /ScanOs and /RebuildBcd (run them individually).
9 - Hopefully the image now boots to the login screen. If it does, shut it down.
10 - Add the Passware password removal ISO to the boot and boot into it. (I had to change to and from UEFI to get this to work.)
11 - Passware password removal should then give you the option to modify the password of the Microsoft account. It will change the password to 12345678.
12 - Finalize the changes, reboot and then, when back at the login screen, enter 12345678 as the password, and it should log in.

This has allowed us to gain access to other programs such as Roboform and retrieve passwords for additional accounts.

Posted : 30/01/2019 2:19 pm
Brevs11
(@brevs11)
New Member

I've been doing some experimentation with VMs and I've had about a 90% success rate on systems that have a Microsoft account attached rather than a local account.

If you had VFC, could you just create a VM, attach the Passware ISO image as a virtual CD-ROM drive and then boot to it?

According to the Passware website it does support Windows Live IDs, but it doesn't specify if it supports the change to the NT hash location that was made with Windows 10 Anniversary Edition; perhaps that's where your 10% failure rate lies?

Posted : 30/01/2019 2:48 pm
MrMacca
(@mrmacca)
New Member

I will do some testing regarding the latest version of Windows and see if that is indeed the issue.

The tool would say that it was changing the password, but when loading up the users and entering the changed password, it would just reject it.

Posted : 30/01/2019 2:58 pm
sdenis
(@sdenis)
New Member

I've been able to reset the password for a Microsoft account on a virtual machine with Reset Windows Password from https://www.passcape.com/

This was with an early version of Windows 10, I haven't needed it since.

Posted : 11/03/2019 7:11 pm
Cuisser
(@cuisser)
New Member

I will do some testing regarding the latest version of Windows and see if that is indeed the issue.

The tool would say that it was changing the password, but when loading up the users and entering the changed password, it would just reject it.

The tool won't take any responsibility if the work fails. Remove the password again (https://www.windows10passwordreset.com/) and then set a new password for the Windows computer.

Posted : 21/05/2019 3:36 am