Hey, I want to write a function with the following signature -

BOOL checkPassword( char * input );

In this function I want to be able to check this password against the stored windows password in the SAM database. I'm completely new to this idea, so I would like to read up on the documentation of SAM, any API's that exist that would assist me in accessing it, and which encryption methods are used in the database so that I could apply it to my input and check against the password entry.

Thanks.

Edited 3 Years Ago by diafol: fixed formatting

That would probably be a password cracker's dream come true. Seriously, do you really think there's going to be an easy way to access encrypted Windows passwords like that?

(I am aware of programs which do this, but only by re-starting the computer and using a linux boot CD to bypass all the usual windows security stuff)

To check a password on MS-Windows os all you have to do is attempt to log in with the user name and password -- there are win32 api functions that allow programs to do that, assuming it has appropriate permissions first.

Yeah, I'm not after password cracking or anything, I simply want to be able to check if a password entered in my application matches the one for the currently logged on user.

Which API's would be used for this then Ancient Dragon?

Thanks.

Ah ok, sorry I misunderstood the original post - I thought you were after something that would allow reading the contents of the windows password files.

Just what I was looking for thanks.

But is there anything you can use when you don't have such permissions, i.e.

the user of which you would like to impersonate is already logged on already and can therefore enter their password to confirm authorization?

Just what I was looking for thanks.

But is there anything you can use when you don't have such permissions, i.e.

The program must be running as administrator, then it will have permissions.

the user of which you would like to impersonate is already logged on already and can therefore enter their password to confirm authorization?

Doesn't matter if the user is already logged in. You can log in as many times as you want.

This article has been dead for over six months. Start a new discussion instead.