Extracting Passwords From The Acquired Windows Registry

The Microsoft Windows operating system stores passwords and other login data for installed applications on the system disk in the user profile directory, as well as in the hierarchical Windows registry database. By acquiring this database from a target system, forensic examiners gain a source of invaluable data essential for an investigation.

An examiner can use a set of external registry hives and user profile files acquired from the target computer or its disk image for password recovery and electronic evidence discovery.

The “Standalone System” option, which is used to extract logins and passwords, is available in the Forensic edition of the Passware Kit only.

Registry files required

Registry files are locked by the operating system. For this reason, they should be extracted from a hard disk image of the target computer by using accepted forensic practices or software that provides direct access to the hard disk, such as DiskInternals Linux Reader.

Windows user passwords are stored in the Security Accounts Manager (SAM) file in hashed form (as LM and NTLM hashes). To recover these passwords, the SECURITY and SYSTEM files are also needed. All three are located in “Windows\system32\config”.

Password recovery for Windows hashes is a brute-force process, which can be accelerated with GPU and distributed computing. An average speed on a single NVIDIA 2080 Ti is 19 billion passwords per second. Rainbow Tables can also be used to reverse the hashes and recover the passwords.

To recover a Windows PIN, additional folders from the “C:\Windows\” directory are required, such as:
– Windows\ServiceProfiles,
– Windows\System32\config\systemprofile, and
– Windows\System32\Microsoft\Protect.



After the Windows user password or PIN is recovered, Passware Kit can instantly extract passwords for websites, network connections, and email accounts from the “Users” folder located in the root of the C: drive by default.

For successful password extraction, the folder structure of the target registry files must be preserved: when specifying a path to the “config” folder in Passware Kit, make sure that the “Microsoft” folder sits alongside “config”, just as it does in the “system32” folder in Windows.
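Before loading an export into the tool, it helps to confirm that the files and folders listed above are present and that each hive is intact. The script below is an added example, not Passware's code: the function names are hypothetical, the path list comes from this article, and the `regf` check relies on the standard registry hive file signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths named in the article, relative to the root of the exported C: volume.
HIVES = [f"Windows/System32/config/{n}" for n in ("SAM", "SECURITY", "SYSTEM")]
PIN_DIRS = ["Windows/ServiceProfiles",
            "Windows/System32/config/systemprofile",
            "Windows/System32/Microsoft/Protect"]

def resolve(root, rel):
    """Case-insensitive lookup: exports often land on case-sensitive filesystems."""
    cur = Path(root)
    for part in rel.split("/"):
        names = {c.name.lower(): c for c in cur.iterdir()} if cur.is_dir() else {}
        cur = names.get(part.lower())
        if cur is None:
            return None
    return cur

def check_evidence_set(root):
    """Per-item status, plus whether the set supports password and PIN recovery."""
    report = {"hives": {}, "pin_dirs": {}}
    for rel in HIVES:
        p = resolve(root, rel)
        data = p.read_bytes() if p is not None and p.is_file() else None
        if data is None:
            report["hives"][rel] = "missing"
        elif data[:4] != b"regf":            # registry hive file signature
            report["hives"][rel] = "bad signature"
        else:                                # SHA-256 for the evidence log
            report["hives"][rel] = hashlib.sha256(data).hexdigest()
    for rel in PIN_DIRS:
        p = resolve(root, rel)
        report["pin_dirs"][rel] = "present" if p is not None and p.is_dir() else "missing"
    bad = ("missing", "bad signature")
    report["password_ready"] = not any(v in bad for v in report["hives"].values())
    report["pin_ready"] = (report["password_ready"]
                           and "missing" not in report["pin_dirs"].values())
    return report

def make_constructed_export(root, skip=()):
    """Build a constructed, lower-cased sample export (fake hives, not real evidence)."""
    for rel in HIVES:
        if rel not in skip:
            f = Path(root, rel.lower())
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"regf" + b"\x00" * 4092)
    for rel in PIN_DIRS:
        if rel not in skip:
            Path(root, rel.lower()).mkdir(parents=True, exist_ok=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_export(tmp, skip=("Windows/System32/Microsoft/Protect",))
        print(check_evidence_set(tmp))
```

Point `check_evidence_set` at the folder that holds the exported `Windows` directory; the returned hashes can go straight into the acquisition notes.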

Windows user password recovery depending on the sign-in options

For Windows 7 and earlier systems, a Windows user password can be recovered using either a brute-force approach or a Rainbow Tables attack.

Windows systems starting from Windows 8 can be protected with a PIN and a Picture password in addition to the regular user password (Windows Hello options). In fact, these additional sign-in options undermine Windows security and allow instant recovery of the user password. Here’s what Passware Kit can do to recover user passwords depending on the sign-in options.

*For Windows 10, if a PIN needs to be recovered, Passware Kit first detects whether it is fully numerical (default settings) or not. If the PIN contains numbers only, Passware Kit automatically recovers it with the predefined settings. If the PIN is a combination of letters and numbers, Passware Kit asks the user to customize the brute-force settings.

After Passware Kit recovers the PIN or password for one Windows user, it immediately checks it against the other Windows users.

Extraction of passwords and data after a user password is recovered

After a Windows user password is recovered, Passware Kit proceeds to instant extraction of passwords and other data stored in the registry for this particular user. It is possible to recover passwords for Outlook and Outlook Express email clients, website passwords saved in web browsers (Internet Explorer, Google Chrome, Mozilla Firefox, Safari, Opera, Yandex, Microsoft Edge), and network connection passwords.


All the recovered passwords are saved in the Passware Kit “Previous Passwords” dictionary to be reused for other password-protected items, and can also be saved in CSV reports.
