Location of the Windows 7 password file?

Yousuf Khan

I'm attempting to test the passwords of various user accounts on my
system to find the effectiveness of their passwords. I've gotten a couple
of utilities here, one called (1) "OPH Crack", and (2) another one
called "Offline NT Password & registry repair". The #2 seems to work but
what it does is it simply deletes the password so you can reset it
later; I don't want that, I want to test the strength of the existing
password. But #1 seems to fail, as it can't find the physical location
of the Windows 7 passwords. I've tried the \windows\system32\config
folder, as well as the Syswow64\config folder, but it's not located
in either place.

Yousuf Khan
 
Gene E. Bloch

If it's like Unix and related systems, Windows stores the passwords in
encrypted form. The password is not recoverable from the encrypted form
(well, that's the hope, anyway).

When a user enters a password, it is encrypted by the same method, and
the result is compared to the stored form. They are supposed to match,
of course.
 
Dave-UK

If you're running Ophcrack from within Windows then you
have to load the Local SAM file.
Ophcrack > Load > Local SAM with samdump2
 
Paul

Ophcrack has different LiveCDs. Which one did you use?

http://ophcrack.sourceforge.net/download.php?type=livecd

As far as I know, there are also different versions of rainbow tables
for Ophcrack. Depending on whether you include punctuation in the
character set, the table size expands (and the authors want money
for the larger tables). Only the smallest tables download from Sourceforge.
And judging by the larger tables and their descriptions, the scheme seems
to be "running out of steam".

http://ophcrack.sourceforge.net/tables.php

*******

The "Offline" tool probably resets the password, rather than
displaying the actual password. Cracking passwords is only
really necessary, if you're breaking into a system with the
intention of not getting caught. Flattening passwords is good
enough for "breaking into" a system (where the owner is going
to know someone has been in there).

If I needed to "break into" a system, I'd bring a Linux LiveCD,
an external hard drive, boot and just copy the entire computer
to the hard drive. With the right Linux LiveCD, no changes are
made to the file systems, and there should be no (easy) evidence
you've been there. The "power on hours" on the hard drive would
be different. And if you weren't careful, the Linux LiveCD can
change the system clock. There are still some details to get
right, and "practicing" before going on your "mission" would help :)

*******

If I needed to test Ophcrack, I'd probably load a disk image, and
the LiveCD, into a VM and let it run. That way, you'd be insulated
from an actual system while you "practice".

Paul
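
Added example (not written by any poster in this thread): the store-and-compare check Gene describes, and why the precomputed tables Paul mentions only work when the stored form is unsalted. SHA-256 stands in for the algorithm Windows actually uses, and the account names, passwords and word list are constructed.

```python
import hashlib, hmac, os

def unsalted_digest(password: str) -> str:
    # One-way and unsalted: the same password always yields the same value.
    # SHA-256 is a stand-in here, not the algorithm Windows itself uses.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def verify_unsalted(candidate: str, stored: str) -> bool:
    # Logon check: transform the typed password the same way, then compare.
    return hmac.compare_digest(unsalted_digest(candidate), stored)

def build_table(wordlist):
    # Precomputed digest -> word map; built once, reusable on any unsalted store.
    return {unsalted_digest(w): w for w in wordlist}

def audit(accounts, table):
    # Names of accounts whose stored digest appears in the precomputed table.
    return sorted(name for name, digest in accounts.items() if digest in table)

def salted_record(password: str, iterations: int = 100_000):
    # Per-account random salt plus a slow KDF: a shared table no longer applies.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_salted(candidate: str, record) -> bool:
    # Same store-and-compare idea, but the salt is read back from the record.
    salt, iterations, key = record
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, key)

# Constructed sample data, for illustration only.
WORDLIST = ["password", "letmein", "123456"]
ACCOUNTS = {
    "alice": unsalted_digest("letmein"),
    "bob": unsalted_digest("letmein"),
    "carol": unsalted_digest("Vq7#constructed-long-passphrase"),
}

if __name__ == "__main__":
    print("same digest for same password:", ACCOUNTS["alice"] == ACCOUNTS["bob"])
    print("flagged as weak:", audit(ACCOUNTS, build_table(WORDLIST)))
    a, b = salted_record("letmein"), salted_record("letmein")
    print("salted records differ:", a[2] != b[2])
    print("salted verify still works:", verify_salted("letmein", a))
```

Two accounts sharing a password share a stored value in the unsalted scheme, which is what makes one precomputed table usable against every account; with a per-account salt the stored values differ even for identical passwords.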
 
Char Jackson

Paul said:
The "Offline" tool probably resets the password, rather than
displaying the actual password. Cracking passwords is only
really necessary, if you're breaking into a system with the
intention of not getting caught. Flattening passwords is good
enough for "breaking into" a system (where the owner is going
to know someone has been in there).

If drive encryption is being used, such as Bitlocker, does flattening
the password make the volume inaccessible? I seem to vaguely remember
something about that but I don't remember what it was.
 
Paul

Char said:
If drive encryption is being used, such as Bitlocker, does flattening
the password make the volume inaccessible? I seem to vaguely remember
something about that but I don't remember what it was.

That's a good observation, and I don't know the answer. If you have
an emergency recovery disk, I presume that helps with Bitlocker.
As without some form of emergency recovery capability, you'd be
screwed in many situations (even a trivial corruption).

Paul
 
Yousuf Khan

Dave-UK said:
If you're running Ophcrack from within Windows then you
have to load the Local SAM file. Ophcrack > Load > Local SAM with samdump2

Yeah, I've tried that, but it doesn't work in Windows 7, perhaps the
password file is in a different location here?

Yousuf Khan
 
Yousuf Khan

Paul said:
Ophcrack has different LiveCDs. Which one did you use?

http://ophcrack.sourceforge.net/download.php?type=livecd

I've tried the Vista/7 CD. I'm also using the version that installs
within Windows.

Paul said:
The "Offline" tool probably resets the password, rather than
displaying the actual password. Cracking passwords is only
really necessary, if you're breaking into a system with the
intention of not getting caught. Flattening passwords is good
enough for "breaking into" a system (where the owner is going
to know someone has been in there).

Well, I'm the owner, and I'll know I've been there no matter how
stealthily I go behind my back. :)

Paul said:
If I needed to test Ophcrack, I'd probably load a disk image, and
the LiveCD, into a VM and let it run. That way, you'd be insulated
from an actual system while you "practice".

Actually that's an idea, I do have a weekly disk image I make of my
system boot disk.

Yousuf Khan
 
Yousuf Khan

Oh, never mind, I got the Windows-installed version to work, by simply
starting the OPH Cracker with Admin privileges. </smacking head>

Yousuf Khan
 
