So I know there is a way to do this but I have since forgotten how.

I know there is a registry path that you can go to in any Windows system, or at least Vista and up, that will show you the password pertaining to the user profile.

Does anyone know the path to go to?


Yes, there is. But it is encoded, and you cannot see the contents of the Security hive from within Windows. Pretty much all you could do is delete it, anyway, and there are much easier ways of doing that if you are in Windows already.


I know there are other ways of doing it, but a friend of mine that is no longer with me knew of a way while in Windows to go into the registry and go to, I think it was, hklm>software>microsoft>windows nt>winlogon, but I go there and there is no password. I don't want to have to use software and boot the customer up using offline nt or anything like that.


If I remember correctly, the password is stored in a file called 'SAM' with no extension. The password is padded with NULL bytes to make it 14 bytes, converted to upper case, split into 2 7 byte keys, then stored as the LM/NT hashes in SAM. It can be found, but it's a m#####f##### to turn back into a password on your own. The last time I needed to 'retrieve' a password instead of just wipe it out and reset it I used Ophcrack. I think Cain & Abel might be able to do what you are talking about but most people are afraid of it as it's flagged by every AV as a trojan/keylogger/backdoor/and a few others. But that's to be expected from a utility like this.


Kind of ^ but the SAM file can be accessed by the system 'only', so if you need to retrieve the file you'd have to use a different OS such as a live USB of Linux, as you won't be able to copy/open or do any operation with the SAM file if the partition it is on is working. It will be completely locked. Also, in order to read the hashes from the SAM file you need to get the bootkey, which is stored in the SYSTEM file, no extension. Cain & Abel can help you crack the hash but if the password is longer than 8 chars, it is just not really worth it to try to brute force as it would take weeks/months/years/decades. A dictionary attack is what could be performed and if that doesn't solve the issue might as well just stop there unless you have computational power such as cloud (there are alternatives but they are expensive as well).
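The padding, upper-casing and 7-byte split described in the two posts above explain why LM-format storage is weak and why defenders turn it off; the sketch below is an added illustration, not code from the thread. The function names are made up for this example, passwords are assumed to be ASCII, and the character-set sizes (95 printable ASCII characters, 69 once lower case is folded away) are assumptions of the example.

```python
LM_MAX = 14   # LM preprocessing only covers 14 bytes
HALF = 7      # each half becomes one independent 7-byte key

def lm_halves(password):
    """Return the two 7-byte blocks LM preprocessing derives from a
    password, or None when the password is too long for the LM format."""
    raw = password.upper().encode("ascii")   # case is discarded here
    if len(raw) > LM_MAX:
        return None
    padded = raw.ljust(LM_MAX, b"\x00")      # NULL-pad to 14 bytes
    return padded[:HALF], padded[HALF:]

def second_half_empty(password):
    """True when the second block is all NULLs, i.e. the stored value
    reveals that the password is 7 characters or shorter."""
    halves = lm_halves(password)
    return halves is not None and halves[1] == b"\x00" * HALF

def lm_search_space(charset=69):
    """Candidates needed to cover every LM-format password: the halves
    are independent, so the cost is 2 * (all strings of length 0..7)."""
    return 2 * sum(charset ** n for n in range(HALF + 1))

def full_search_space(length, charset=95):
    """Candidates for a case-sensitive password of up to `length` chars
    when it is hashed as a single unit."""
    return sum(charset ** n for n in range(1, length + 1))

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ("Summer1", "Passw0rd!", "correct horse battery"):
        print(repr(pw), lm_halves(pw), second_half_empty(pw))
    print("LM format, any length up to 14:", lm_search_space())
    print("Single-unit hash, up to 8 chars:", full_search_space(8))
    print("Single-unit hash, up to 14 chars:", full_search_space(14))
```

Covering every password the LM format can hold takes fewer candidates than covering 8-character case-sensitive passwords hashed as one unit, which is the audit argument for long passwords and for not keeping LM-format hashes at all.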



It is better to reset the password for Administrator instead of searching for the password in the registry, and you have to follow the steps below:

1) Open your CPU cabinet while the system is running.
2) Restart your computer
3) On the motherboard there is a battery; just remove the battery for 1 minute and replace the battery.
4) Now restart your Computer
5) It will ask for Credentials
6) Enter administrator and hit enter
7) without entering password
8) It will directly login to System without password
9) Once you are able to login
10) Reset password of Administrator or User.

Please follow the above steps as they are and you are done with entering into a locked computer without knowing the password.


As far as I am aware, these steps will only reset your CMOS and have nothing to do with the OS.

Back on topic, Ophcrack comes with 'rainbow tables', which I believe are tables of passwords already hashed out, so finding the password is relatively quick unless it's not in the table... then it offers brute force, dictionary, and a few other methods, I think.
