In the past I have cracked Windows passwords with a Live Linux disk and navigating to the SAM file. In windows 10 it seems this information is stored on the cloud. Is there a way to find this locally on the machine?
Asked
Active
Viewed 4.2k times
1 Answers
7
The SAM hive still exists in Windows 10, and it's in the same place. For local non-Microsoft accounts, the format does not appear to have changed; the NTLM hash is still the 16 bytes before the last 8 bytes of the V value.
For accounts that sign in with a Microsoft account password, the CachedLogonInfo value contains the cached password (source). Unfortunately, it's not just an NTLM hash, so normal Windows hash cracking tools won't work on it. If that page is correct and the algorithm is indeed much stronger - which would make sense, since it would be very bad if an MS account password could be retrieved from a workstation - then cracking it would take an extremely long time considering the complexity requirements Microsoft puts in place.
Ben N
- 42,308