I have been doing some research into identifying whether a Windows user account is password protected by examining the registry. Currently, if we want to establish this, we boot the HDD using VFC.
I have tested AccessData Registry Viewer and when the SAM and SYSTEM keys are loaded it will accurately show whether an account requires a password or not. This only seems to work for Win 7; for Windows 10 it couldn't work it out.
Forensic User Info requires SAM, SYSTEM and SOFTWARE. In my tests it was only accurate for Win 7 and not 10.
I found some information about the 'F' key within the RID folder of the user account, and under Win XP the ACB bits showed whether a password was required or not.
Unfortunately these bits don't appear to get updated in Win 7 onwards when any changes are made to the user account password. I took the account password off and re-examined the F key and it stayed the same.
Has anyone had any success in ascertaining this information purely by examining the registry keys, without the assistance of specific software?
Thanks
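Decoding the ACB bits mentioned in the post above, as an added example that is not part of the original thread: it parses an F value exported from a SAM `Users\<RID>` key. The offsets (0x08 last login, 0x18 password last set, 0x30 RID, 0x38 ACB) and flag names follow the layout commonly used by open-source SAM parsers and are assumptions here, as is the constructed sample blob.

```python
import struct
from datetime import datetime, timedelta, timezone

# ACB bit names as commonly documented for the SAM F value (assumption, not from the thread)
ACB_FLAGS = {
    0x0001: "Account disabled",
    0x0004: "Password not required",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

def filetime_to_dt(ft):
    """Convert a 64-bit FILETIME to a UTC datetime; 0 and 0x7FFF... mean 'never'."""
    if ft in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_f_value(f):
    """Decode the fields of an F value relevant to the password question."""
    if len(f) < 0x3A:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_login, = struct.unpack_from("<Q", f, 0x08)
    pwd_set, = struct.unpack_from("<Q", f, 0x18)
    rid, = struct.unpack_from("<I", f, 0x30)
    acb, = struct.unpack_from("<H", f, 0x38)
    return {
        "rid": rid,
        "last_login": filetime_to_dt(last_login),
        "password_last_set": filetime_to_dt(pwd_set),
        "acb": acb,
        "acb_names": [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit],
        "password_not_required": bool(acb & 0x0004),
    }

def build_sample_f(rid, acb, pwd_set_ft):
    """Constructed test input: an 80-byte blob with only the parsed fields populated."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 0x18, pwd_set_ft)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    return bytes(f)

if __name__ == "__main__":
    sample = build_sample_f(1001, 0x0214, 131_000_000_000_000_000)
    for key, value in parse_f_value(sample).items():
        print(key, value)
```

The decoded flag only reports what is stored in the F value, so it should be read alongside the password-last-set timestamp rather than on its own.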
Hello,
Is there a particular reason why you don't want to use any commercial software/tools for your findings?
Aside from using 'commercial' tools, RegRipper IMO does a fantastic job for registry artefact analysis, including determining whether a user account enforces a login password.
Furthermore, I just worked on a case whereby the system I was examining was running Windows 10. I used RegRipper for this and it was able to verify such aforementioned details.
Hope this helps.
To my knowledge, RegRipper won't tell you if a password is enabled though.
I think if you're able to get a password out of the account (I typically use a password cracking util to tell me if there's a hash to crack) then there's a safe bet there is or was one. The thing I haven't tested is if you have a password, and then disable it, does it remove the hash?
There's also the issue of the user using stored creds for a live account - I can't recall if there's a way to identify the password for that.