Question
Tuesday, May 1, 2018 3:10 AM
I have the registry key
Computer\HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003E9
I know that the NTLM password hash is stored in the V REG_BINARY key. But I would like to know where exactly in the V value it is.
Thanks.
All replies (3)
Tuesday, May 1, 2018 7:23 AM ✅Answered
Hi,
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Names contains the list of all user accounts on the machine. Every user account in here has a key containing a hex value which is the RID (Relative Identifier) of the account or group.
In HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users each account is defined by a different subkey which is the RID (Relative Identifier) of that account or group.
For every user account, this key contains two REG_BINARY values (F and V) which contain some of the data.
The following information can be extracted from the V value:
Address  Information
0x0c     Offset of the account name
0x10     Length of the account name
0x18     Offset of the complete account name
0x1c     Length of the complete account name
0x24     Offset of the comment
0x28     Length of the comment
0x48     Offset of the homedir name
0x4c     Length of the homedir name
0x9c     Offset of the final password hashes (SAM)
0xc4     Number of hashes from history
In order to extract a value, we must add 0xcc to the offset value from the table above.
For example, the final hashes offset is computed as being V[0x9c] + 0xcc, the first one starting at the computed offset being LMHash, followed by NTHash.
This article should be helpful to you:
http://www.beginningtoseethelight.org/ntsecurity/index.htm
Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
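The offset arithmetic from the answer above, as an added example that is not part of the original reply or any Microsoft code: it reads the table's offset/length pairs, adds 0xcc, decodes the strings, and reports where the hash data begins. It assumes the fields are 32-bit little-endian integers and the strings are UTF-16LE, which the reply does not state; `parse_v` and `build_sample_v` are names chosen here, and the sample V value is constructed, with zero bytes standing in for hash data.

```python
import struct

HEADER_LEN = 0xCC  # offsets stored in V are relative to the end of this header
# (position of offset field, position of length field), from the table in the answer
STRING_FIELDS = {
    "account_name": (0x0C, 0x10),
    "full_name": (0x18, 0x1C),
    "comment": (0x24, 0x28),
    "homedir": (0x48, 0x4C),
}

def u32(v, pos):
    """Read a 32-bit little-endian integer (field width is an assumption)."""
    return struct.unpack_from("<I", v, pos)[0]

def parse_v(v):
    """Decode the string fields and return the absolute offset of the hash data."""
    if len(v) < HEADER_LEN:
        raise ValueError("V value is shorter than its 0xcc-byte header")
    out = {}
    for name, (off_pos, len_pos) in STRING_FIELDS.items():
        start = u32(v, off_pos) + HEADER_LEN   # relative offset + 0xcc
        length = u32(v, len_pos)
        if start + length > len(v):            # corrupt or truncated export
            raise ValueError(f"{name} points outside the V value")
        out[name] = v[start:start + length].decode("utf-16-le")
    hash_start = u32(v, 0x9C) + HEADER_LEN     # V[0x9c] + 0xcc, as in the answer
    if hash_start > len(v):
        raise ValueError("hash offset points outside the V value")
    out["hash_data_offset"] = hash_start
    return out

def build_sample_v():
    """Constructed sample: header, four strings, then 40 zero bytes (no real hashes)."""
    values = {"account_name": "alice", "full_name": "Alice Example",
              "comment": "", "homedir": "C:\\Users\\alice"}
    header, data = bytearray(HEADER_LEN), b""
    for name, (off_pos, len_pos) in STRING_FIELDS.items():
        raw = values[name].encode("utf-16-le")
        struct.pack_into("<I", header, off_pos, len(data))
        struct.pack_into("<I", header, len_pos, len(raw))
        data += raw
    struct.pack_into("<I", header, 0x9C, len(data))
    return bytes(header) + data + b"\x00" * 40

if __name__ == "__main__":
    print(parse_v(build_sample_v()))
```
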
Tuesday, May 1, 2018 4:48 PM
Thank you very much! This has to be the best explanation!
Wednesday, May 2, 2018 1:08 AM
Hi,
If your issue was resolved, please mark the helpful reply as answer in order that other community members could find the helpful reply quickly.
If not, please reply and tell us the current situation in order to provide further help.