Security Accounts Manager


Title: Security Accounts Manager | Author: Clark@hushmail.com | Last Updated: 31st May 2004

This article is based primarily on a local default setup of NT 5.0 Professional, i.e. 2K (Windows 2000); where noted, references have also been verified against XP Professional and the Server editions. Much will apply across the NT range, but not all of it has been verified. Note that this is a partial update of the original version; there will be more additions, but it seemed time to consolidate some material. Note also that LC4 was used in the password testing, not LC5, which will be checked at a later date. This article has been written concisely and progressively, so it is advisable not to skim-read it. Some of the material is advanced; use a test machine where possible.

Special thanks to (alphabetically ordered):
esrever_otua: for pointing out something I had missed about group memberships.
fishy5: for coding XORCheck.exe, which calculates the registry hive checksum.
RattleSnake: for coding NTDate.exe, which calculates the NT time format and the LastPolicyTime.
Vladimir Katalov: for the PWSEx product key.

Users and groups

Users can be added via an MMC with the Local Users and Groups snap-in loaded (Windows includes two such MMCs), via the [Add...] button in Users and Passwords in Control Panel (or the Active Directory Users and Computers snap-in), or from the command line:

C:\> net user %username% /add

Another way that is usually forgotten is the Network Identification Wizard, which shows up once when the 2K operating system is installed. On running, it checks the current users (normally just Guest and Administrator) and also checks the RegisteredOwner value, entered earlier in setup, located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. If an account has not been created for the user listed there, an administrative-level one can be created here. Note that you cannot overwrite the passwords of existing accounts. To re-trigger this dialog, boot from Petter Nordahl-Hagen's boot disk:

Load the SOFTWARE hive
cd to \Microsoft\Windows NT\CurrentVersion\
ed RegisteredOwner (only if an account has already been created by that name, or if a different one is required)
cd to \Winlogon\
nv 4 RunNetAccessWizard
ed RunNetAccessWizard = 0x1

On reboot, keep the selection on "Windows always assumes the following user has logged onto this computer:"; the user name in the drop-down list should be the RegisteredOwner. Enter a password, Next, Finish. The user will be logged on automatically. Remember to uncheck "Users must enter a user name and password to use this computer" in Users and Passwords in Control Panel. Also remember that, since this method uses the secure autologon feature, any existing autologon credentials will be overwritten.

This method also works in XP, but the process is a little more complex. If three or more Administrator/(Power) Users accounts are collectively present, users cannot be added via the re-triggered dialog; this is likely to be the case, so you have to make it believe otherwise. If there are two or fewer, skip the SAM editing sections. Boot from Petter Nordahl-Hagen's boot disk:

Load the SAM and SYSTEM hives
cd to \SYSTEM\Setup\
ed SetupType = 0x2
ed CmdLine = c:\windows\system32\oobe\msoobe.exe /f /retail (FYI: just /f = full setup: licence, key, activation and users)
nv 4 OobeInProgress
ed OobeInProgress = 0x1
Switch to the SAM hive.
cd to \SAM\SAM\Domains\Builtin\Aliases\00000220\ and edit the C value (Administrators)
cd to \SAM\SAM\Domains\Builtin\Aliases\00000221\ and edit the C value (Users)
cd to \SAM\SAM\Domains\Builtin\Aliases\00000223\ and edit the C value (Power Users)
Make a note of the 4 bytes at offsets 2C and 30. Check that the first user number in 00000220 after the description is F4,01,00,00 (most likely). Edit the C values at both offsets for 00000220 and 00000221 to 00000000; for 00000223, set offset 2C to 18 00 00 00 and offset 30 to 02 00 00 00.

... with that user name using a blank password. Run regedit.exe and write back the 00000221 and 00000223 C values. Amend the 00000220 C key: make a note of the new user number that has overwritten the original (F4,01,00,00) one, restore it to the original, and then ... the similar 28-byte entry at the ...

Another unorthodox method is to run the net command as a service. Boot from Petter Nordahl-Hagen's boot disk and load the SYSTEM hive. cd to \ControlSet001\Services\ and create two keys, one for each of the two commands. The editor seems to have a slight bug in that keys cannot be created whose names are prefixed with an existing service name, e.g. an error on creating a key named foobar if a key named foo exists. Remember that the services will be processed in alphabetical order. cd into the first (alphabetically) of the newly created keys:

nv 4 ErrorControl
ed ErrorControl = 0x1
nv 2 ImagePath
ed ImagePath = %systemroot%\system32\net.exe user foo /add
nv 1 ObjectName
ed ObjectName = LocalSystem
nv 4 Start
ed Start = 0x2
nv 4 Type
ed Type = 0x20

cd into the second newly created key and repeat the steps above, but with:

ed ImagePath = %systemroot%\system32\net.exe localgroup administrators foo /add

Reboot and log in, then remove the keys. 2K creates a couple of system error event log entries, so these may need removing.

One method that is often mentioned, but that does not seem to work (any more?), is changing the default screensaver to a program that allows user management, such as cmd.exe or mmc.exe. The settings are located here:

regedit.exe -> HKEY_USERS\.DEFAULT\Control Panel\Desktop\
explorer.exe -> %windir%\system32\config\DEFAULT

SCRNSAVE.EXE = logon.scr - the screensaver that will be used if nobody logs on locally for a while.
ScreenSaveActive = 1 - active = 1, inactive = 0.
ScreenSaveTimeOut = 600 - number of idle seconds before screensaver activation (5 mins).
ScreenSaverIsSecure = 0 - the "On resume, password protect" option. This option is curious: some kind of memory limit applies if it is set to 0, which is important to note if more memory is used.

However, even if you replace logon.scr, the SYSTEM user, which is who you will be while the "Winlogon generic control dialog" lurks in the background, does not have permission to add or modify any users: System error 5 has occurred. Access is denied. Once a user logs on, SYSTEM does have access, so something is assumed before logon. It may be possible using a custom program; certainly with access to regedit.exe a user could be added manually.

The SID number is used in file, registry, service and user permissions. The machine SID is determined in hexadecimal form from here:

regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
explorer.exe -> %windir%\system32\config\SAM

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form from here:

regedit.exe -> HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
explorer.exe -> %windir%\system32\config\SECURITY

Sometimes the SID number is referenced in decimal form. Example:

2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B

1) Divide the bytes into 3 sections:

2E,43,AC,40 | C0,85,38,5D | 07,E5,3B,2B

2) Reverse the bytes of each section:

40,AC,43,2E | 5D,38,85,C0 | 2B,3B,E5,07

3) Convert each section into decimal:

1085031214, 1563985344, 725345543

4) Add the machine SID prefix S-1-5-21- to get the SID number in decimal format:

S-1-5-21-1085031214-1563985344-725345543

NT stored time format is referenced in user keys, registry hives etc. The precision is a very small fraction of a second (100-nanosecond ticks), counted from 1601:

100,000 = one millisecond
10,000,000 = one second
600,000,000 = one minute
36,000,000,000 = one hour
864,000,000,000 = one day

Date / Time          | Debug view              | Reversed view           | Decimal
---------------------|-------------------------|-------------------------|------------------------
01/01/1601 12:00 AM  | 00,00,00,00,00,00,00,00 | 00,00,00,00,00,00,00,00 | 0
01/01/2000 12:00 AM  | 00,40,6D,25,EB,53,BF,01 | 01,BF,53,EB,25,6D,40,00 | 125,911,584,000,000,000
01/01/2001 12:00 AM  | 00,C0,9D,C8,85,73,C0,01 | 01,C0,73,85,C8,9D,C0,00 | 126,227,808,000,000,000
01/01/2002 12:00 AM  | 00,80,64,41,57,92,C1,01 | 01,C1,92,57,41,64,80,00 | 126,543,168,000,000,000
01/01/2003 12:00 AM  | 00,40,2B,BA,28,B1,C2,01 | 01,C2,B1,28,BA,2B,40,00 | 126,858,528,000,000,000
01/01/2004 12:00 AM  | 00,00,F2,32,FA,CF,C3,01 | 01,C3,CF,FA,32,F2,00,00 | 127,173,888,000,000,000
03/21/2004 12:00 AM  | 00,00,FE,73,D7,0E,C4,01 | 01,C4,0E,D7,73,FE,00,00 | 127,243,008,000,000,000

To save time in calculating this value, use NTDate.exe.
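As an added worked example (not the article's code, and not NTDate.exe), the conversions in the table above in Python: debug view to tick count, tick count to a date and back, and reading an 8-byte NT time at a given offset of a REG_BINARY value such as the Password Last Set field at offset 18 of a user's F value mentioned later in the article. The sample F value is constructed, not a real one.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Tick multiples quoted in the article (one tick = 100 ns).
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 864_000_000_000
# The SAM stores 0x7FFFFFFFFFFFFFFF for "never", e.g. an account that never expires.
NEVER = 0x7FFFFFFFFFFFFFFF


def debug_view_to_int(debug_view: str) -> int:
    """Turn the 8 comma-separated bytes as shown in a registry value (the article's
    'debug view') into the NT time integer: the bytes are little-endian, so reading
    them in reverse order gives the value."""
    raw = bytes(int(tok, 16) for tok in debug_view.replace(" ", "").split(","))
    if len(raw) != 8:
        raise ValueError("an NT time is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def int_to_debug_view(nt_time: int) -> str:
    """Inverse of debug_view_to_int, in the article's upper-case hex notation."""
    if not 0 <= nt_time < 1 << 64:
        raise ValueError("NT time must fit in an unsigned 64-bit value")
    return ",".join(f"{b:02X}" for b in nt_time.to_bytes(8, "little"))


def nt_time_to_datetime(nt_time: int) -> Optional[datetime]:
    """0 means 'not set' and NEVER means 'never'; both return None.
    datetime only resolves microseconds, so the last digit of the tick count is dropped."""
    if nt_time in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=nt_time // 10)


def nt_time_to_iso(nt_time: int) -> str:
    dt = nt_time_to_datetime(nt_time)
    return "never/not set" if dt is None else dt.isoformat()


def datetime_to_nt_time(dt: datetime) -> int:
    """Ticks since 1601-01-01 UTC; a naive datetime is taken to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - EPOCH_1601
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def iso_to_nt_time(iso: str) -> int:
    return datetime_to_nt_time(datetime.fromisoformat(iso))


def read_nt_time(blob: bytes, offset: int) -> int:
    """Read the 8-byte NT time stored at `offset` in a REG_BINARY value, e.g. offset
    0x18 of a user's F value for Password Last Set. Rejects a truncated value."""
    if offset < 0 or offset + 8 > len(blob):
        raise ValueError("offset runs past the end of the value")
    return int.from_bytes(blob[offset:offset + 8], "little")


# Constructed stand-in for an F value: zeros, with 21 March 2004 placed at 0x18.
SAMPLE_F = bytes(0x18) + (127_243_008_000_000_000).to_bytes(8, "little") + bytes(8)

if __name__ == "__main__":
    for view in ("00,40,6D,25,EB,53,BF,01", "00,00,FE,73,D7,0E,C4,01"):
        ticks = debug_view_to_int(view)
        print(f"{view} -> {ticks:,} -> {nt_time_to_iso(ticks)}")
    print("Password Last Set:", nt_time_to_iso(read_nt_time(SAMPLE_F, 0x18)))
```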

Operating system name             | NT  | Code
----------------------------------|-----|-----
2000 Professional                 | 5.0 | 2P
2000 Server                       | 5.0 | 2S
2000 Server with Active Directory | 5.0 | 2A
XP Home                           | 5.1 | XH
XP Professional                   | 5.1 | XP
2003 Server                       | 5.2 | 3S
2003 Server with Active Directory | 5.2 | 3A

The codes in this table indicate which operating systems a principal in the table below applies to. Treat them as an approximate guide, as it depends on the configuration of the OS. The two-character code, e.g. WD, is used in the policy .inf files or security templates; where -> is shown there is no two-character code and the SID is used instead. Users' RIDs can start from 1000 or 1100 depending on which OS is installed or upgraded. The hexadecimal form is used in the registry, NTFS and services permissions, plus user groups.

In the Hex column, D stands for the domain/machine prefix 01,05,00,00,00,00,00,05,15,00,00,00,%machine SID 12 bytes%, B for the builtin prefix 01,02,00,00,00,00,00,05,20,00,00,00 and N for the authentication-package prefix 01,02,00,00,00,00,00,05,40,00,00,00; the RID follows in reverse hex.

Name                               | Code | SID                    | Hex
-----------------------------------|------|------------------------|------------------------------------
Everyone                           | WD   | S-1-1-0                | 01,01,00,00,00,00,00,01,00,00,00,00
Creator Owner                      | CO   | S-1-3-0                | 01,01,00,00,00,00,00,03,00,00,00,00
Creator Group                      | CG   | S-1-3-1                | 01,01,00,00,00,00,00,03,01,00,00,00
Dialup                             | ->   | S-1-5-1                | 01,01,00,00,00,00,00,05,01,00,00,00
Network                            | NU   | S-1-5-2                | 01,01,00,00,00,00,00,05,02,00,00,00
Batch                              | ->   | S-1-5-3                | 01,01,00,00,00,00,00,05,03,00,00,00
Interactive                        | IU   | S-1-5-4                | 01,01,00,00,00,00,00,05,04,00,00,00
Service                            | SU   | S-1-5-6                | 01,01,00,00,00,00,00,05,06,00,00,00
Anonymous Logon                    | ->   | S-1-5-7                | 01,01,00,00,00,00,00,05,07,00,00,00
Proxy                              | ->   | S-1-5-8                | 01,01,00,00,00,00,00,05,08,00,00,00
Enterprise Domain Controllers      | ED   | S-1-5-9                | 01,01,00,00,00,00,00,05,09,00,00,00
Self                               | PS   | S-1-5-10               | 01,01,00,00,00,00,00,05,0A,00,00,00
Authenticated Users                | AU   | S-1-5-11               | 01,01,00,00,00,00,00,05,0B,00,00,00
Restricted                         | RC   | S-1-5-12               | 01,01,00,00,00,00,00,05,0C,00,00,00
Terminal Server User               | ->   | S-1-5-13               | 01,01,00,00,00,00,00,05,0D,00,00,00
Remote Interactive Logon           | ->   | S-1-5-14               | 01,01,00,00,00,00,00,05,0E,00,00,00
This Organization                  | ->   | S-1-5-15               | 01,01,00,00,00,00,00,05,0F,00,00,00
Local System                       | SY   | S-1-5-18               | 01,01,00,00,00,00,00,05,12,00,00,00
Local Service                      | LS   | S-1-5-19               | 01,01,00,00,00,00,00,05,13,00,00,00
Network Service                    | NS   | S-1-5-20               | 01,01,00,00,00,00,00,05,14,00,00,00
Administrator (builtin)            | LA   | S-1-5-21-%SID%-500     | D,F4,01,00,00
Guest (builtin)                    | LG   | S-1-5-21-%SID%-501     | D,F5,01,00,00
krbtgt                             | ->   | S-1-5-21-%SID%-502     | D,F6,01,00,00
Domain Admins                      | DA   | S-1-5-21-%SID%-512     | D,00,02,00,00
Domain Users                       | DU   | S-1-5-21-%SID%-513     | D,01,02,00,00
Domain Guests                      | DG   | S-1-5-21-%SID%-514     | D,02,02,00,00
Domain Computers                   | DC   | S-1-5-21-%SID%-515     | D,03,02,00,00
Domain Controllers                 | DD   | S-1-5-21-%SID%-516     | D,04,02,00,00
Schema Admins                      | SA   | S-1-5-21-%SID%-518     | D,06,02,00,00
Cert Publishers                    | CA   | S-1-5-21-%SID%-517     | D,05,02,00,00
Enterprise Admins                  | EA   | S-1-5-21-%SID%-519     | D,07,02,00,00
Group Policy Creator Owners        | PA   | S-1-5-21-%SID%-520     | D,08,02,00,00
RAS and IAS Servers                | RS   | S-1-5-21-%SID%-553     | D,29,02,00,00
DHCP Administrators                | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
DHCP Users                         | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
DnsAdmins                          | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
DnsUpdateProxy                     | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
HelpAssistant                      | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
ASPNET                             | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
ILS_ANONYMOUS_USER                 | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
IUSR_%MACHINENAME%                 | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
IWAM_%MACHINENAME%                 | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
IIS_WPG                            | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
NetShow Administrators             | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
NetShowServices                    | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
TelnetClients                      | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
Terminal Server Computers          | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
WINS Users                         | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
WMUS_%MACHINENAME%                 | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
%Specific user%                    | ->   | S-1-5-21-%SID%-%RID%   | D,%RID% (first user normally 1000 = E8,03,00,00)
%Custom group%                     | ->   | S-1-5-21-%SID%-%RID%   | D,%RID%
Administrators                     | BA   | S-1-5-32-544           | B,20,02,00,00
Users                              | BU   | S-1-5-32-545           | B,21,02,00,00
Guests                             | BG   | S-1-5-32-546           | B,22,02,00,00
Power Users                        | PU   | S-1-5-32-547           | B,23,02,00,00
Account Operators                  | AO   | S-1-5-32-548           | B,24,02,00,00
Server Operators                   | SO   | S-1-5-32-549           | B,25,02,00,00
Print Operators                    | PO   | S-1-5-32-550           | B,26,02,00,00
Backup Operators                   | BO   | S-1-5-32-551           | B,27,02,00,00
Replicator                         | RE   | S-1-5-32-552           | B,28,02,00,00
Pre-Windows 2000 Compatible Access | RU   | S-1-5-32-554           | B,2A,02,00,00
Remote Desktop Users               | ->   | S-1-5-32-555           | B,2B,02,00,00
Network Configuration Operators    | NO   | S-1-5-32-556           | B,2C,02,00,00
Incoming Forest Trust Builders     | ->   | S-1-5-32-557           | B,2D,02,00,00
Performance Monitor Users          | ->   | S-1-5-32-558           | B,2E,02,00,00
Performance Log Users              | ->   | S-1-5-32-559           | B,2F,02,00,00
Windows Authorization Access Group | ->   | S-1-5-32-560           | B,30,02,00,00
Terminal Server License Servers    | ->   | S-1-5-32-561           | B,31,02,00,00
NTLM Authentication                | ->   | S-1-5-64-10            | N,0A,00,00,00
SChannel Authentication            | ->   | S-1-5-64-14            | N,0E,00,00,00
Digest Authentication              | ->   | S-1-5-64-21            | N,15,00,00,00

Of these, Everyone through Anonymous Logon, Authenticated Users, Terminal Server User, Local System, Administrator and Guest are present on all the editions above (2P, 2S, 2A, XH, XP, 3S, 3A); Remote Interactive Logon, Local Service and Network Service on XH, XP, 3S and 3A; This Organization on 3A; and Proxy, Enterprise Domain Controllers, Self, Restricted and the domain accounts and groups from krbtgt to DnsUpdateProxy on the Active Directory editions 2A and 3A only.
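As an added worked example (not the article's code), the machine-SID conversion from the earlier section and the Hex column of this table in Python: the 12 trailing bytes of the Account\V value are three little-endian DWORDs, and the binary SID layout is revision, sub-authority count, 6-byte big-endian identifier authority, then little-endian sub-authorities. The sample bytes are the article's own; the function names are mine.

```python
import struct

# The article's machine-SID example: last 12 bytes of HKLM\SAM\SAM\Domains\Account\V.
MACHINE_SID_TAIL = bytes.fromhex("2E43AC40C085385D07E53B2B")


def machine_sid_from_tail(tail: bytes) -> str:
    """Steps 1-4 of the article: split into three 4-byte sections, reverse each
    (they are little-endian), convert to decimal and prefix with S-1-5-21-."""
    if len(tail) != 12:
        raise ValueError("machine SID tail must be exactly 12 bytes")
    a, b, c = struct.unpack("<III", tail)
    return f"S-1-5-21-{a}-{b}-{c}"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID in the binary layout used in registry values and NTFS
    ACLs: revision (1 byte) | sub-authority count (1) | identifier authority
    (6 bytes, big-endian) | sub-authorities (4 bytes each, little-endian)."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in {sid!r}") from None
    if not 0 <= revision <= 255 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError(f"SID component out of range: {sid!r}")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob: bytes) -> str:
    """Decode the binary layout back to S-R-A-s1-s2... text, checking the length
    against the sub-authority count so a truncated value is rejected."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_hex(sid: str) -> str:
    """Comma-separated upper-case hex bytes, the notation of the article's Hex column."""
    return ",".join(f"{b:02X}" for b in sid_to_bytes(sid))


def user_sid_hex(machine_tail: bytes, rid: int) -> str:
    """Hex form of S-1-5-21-<machine SID>-<RID>, e.g. a local user (RID 1000 upwards)
    or the builtin Administrator (RID 500)."""
    return sid_hex(f"{machine_sid_from_tail(machine_tail)}-{rid}")


if __name__ == "__main__":
    print(machine_sid_from_tail(MACHINE_SID_TAIL))
    for s in ("S-1-1-0", "S-1-5-18", "S-1-5-32-544", "S-1-5-64-10"):
        print(f"{s:14} {sid_hex(s)}")
    print("Administrator", user_sid_hex(MACHINE_SID_TAIL, 500))
```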

When a user is added, the following keys are added:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%\@

This key determines the login name. File location: C:\WINNT\system32\config\SAM. The @ value holds a number which matches up to an 8-digit key name (nulls are prefixed if fewer than 8 digits) located here:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%00000XXX%\

Within are two REG_BINARY values, F and V. As mentioned before, user numbers start from 1000. There are a couple of built-in accounts that start from 500. Since security permissions are determined by user number, no two users should ever have the same number. User numbers increment and are not reused when a user is deleted. A record of this is kept here:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F - offset 48, length 4, stored in reverse hex. This is the next user number that will be used. On reaching FF,FF,FF,FF it will roll back and start incrementing from 00,00,00,00. Note that if a large number of accounts are used, a rather high-spec machine will be required to make it viable.

All user numbers are also listed here:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups\00000201\C (None / Ordinary users) - lists the user numbers at the end, like a group C value. Offset 3C, length 4 bytes = length of the user list (reverse hex). Offset 40, length 4 bytes = number of users (reverse hex). The system allocates 100-byte blocks that hold 25 user accounts (4-byte user number each), padded with nulls if not all used.

User 00,00,00,00 cannot log on:

Logon Message
The system cannot log you on due to the following error:
The system cannot find the message text for message number 0x%1 in the message file for %2.
Please try again or consult your system administrator.

Due to the way the registry is handled at hex level, user accounts 00,00,00,00 to 00,00,00,0B do not display their \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%\@ value type correctly:

00/00 - REG_NONE
01/01 - REG_SZ *
02/02 - REG_EXPAND_SZ
03/03 - REG_BINARY *
04/04 - REG_DWORD
05/05 - REG_DWORD_LITTLE_ENDIAN
06/06 - REG_LINK
07/07 - REG_MULTI_SZ
08/08 - REG_RESOURCE_LIST
09/09 - REG_FULL_RESOURCE_DESCRIPTOR
10/0A - REG_RESOURCE_REQUIREMENTS_LIST
11/0B - REG_QWORD

On attempting to delete accounts 0-999:

Local Users and Groups
The following error occurred while attempting to delete the user %username%:
Cannot perform this operation on built-in accounts.

If the user counter has the same number as an existing user (this should NOT *normally* happen) the following error message is shown:

Local Users and Groups
The following error occurred while attempting to create the user %username% on computer %computername%:
The user already belongs to this group. (More help is available by typing NET HELPMSG 2236.)

User 00,00,01,F6 (502) cannot log on:

Logon Message
Your account has been disabled. Please see your system administrator.

This is because this user number is already used by the system: krbtgt = Key Distribution Center Service Account, though I thought this was only for the server edition. The account is disabled/inactive and cannot be enabled.

Windows XP by default uses a fluffy Welcome screen to log on users. This can be bypassed to the normal one by holding down the Ctrl and Alt/Alt Gr keys and pressing the Del/Delete key twice. To switch it off long term, see User Accounts in Control Panel: "Change the way users log on or off". The list of users that is displayed on the Welcome screen is of note:
# Disabled/inactive accounts are not listed.
# If there are no other administrators the built-in Administrator is listed, else it is not listed.
# Administrators, Guests, Power Users & Users are listed.
# Backup Operators, HelpServicesGroup, Network Configuration Operators, Remote Desktop Users & Replicator are not listed.
# Users in no groups, and users only members of custom groups, are not listed.
# In safe mode only <= 2 administrators are listed, the first two alphabetically from \SAM\SAM\Domains\Account\Users\Names\.
# Security Settings\Local Policies\User Rights Assignment\Deny logon locally = user not listed.
# Up to 100 users can be displayed, first alphabetically as before, though things get a little sluggish.
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonType = X: fluffy = 1, classic = 0.
# Specific users, or users prefixed with something, can be set so as not to be listed. The record is here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\%username%: REG_DWORD 0x0 = exact match, or 0x10000 = prefixed match.

If the username in \%RID%\V does not match up with the key name in \Names\%username%, the Users and Passwords dialog in Control Panel does not list the username. On attempting to get the user's properties in lusrmgr.msc it will error with:

Local Users and Groups
The following error occurred while attempting to read the properties for the user %username%:
The user name could not be found.

If you rename the account back to the original one, a new key is created in \Names\; as a result of having two name keys with the same user number, both can be used to log on with. lusrmgr.msc does not list any users at this point, while cmd always lists the users. 2K has an interesting minor problem with the Users and Passwords dialog in Control Panel when creating an account using the local machine name as the username. On clicking Finish, it errors with: "The user %username% could not be (granted %username% access _or_ added to the %groupname% group) because %username% does not exist". However, the user is created, in no group. XP and 2K3 will not allow the Administrator or Guest names.

It is possible to create a user that does not appear at all in user management and yet is still able to log on. In this proof-of-concept I have used group policy user logon/logoff scripts and insecure registry permissions; ideally this would be deployed via a small program running at system level. Create a user, then export and combine these two keys into a .reg file and place it in the logoff scripts folder:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%usernumber%
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%

Copy the "Command-line registry manipulation utility" reg.exe to the system32 directory. Create a logon script:

reg delete HKLM\SAM\SAM\Domains\Account\Users\Names\%username% /force
reg delete HKLM\SAM\SAM\Domains\Account\Users\%usernumber% /force

Create a logoff script:

regedit /s user.reg

Add the scripts via gpedit.msc: Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff). When a user logs on the user keys are removed, so the user is not ...

User names: C:\> net user %username% /add (can be renamed via the GUI, not via cmd). Have to be >= 1 and <= 20 characters. Cannot duplicate any existing user or group name, in any letter case. Can contain letters, numbers, special, extended and control characters. If the username or password is incorrect at logon the following error message will be displayed:

Logon Message
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.

Password: C:\> net user %username% %password% - has to be >= 0 and <= 256 characters. C:\> net user %username% * (for private password entry; confirmation is required to set it - after 3 failures: A valid password was not entered).

Full names: C:\> net user %username% /fullname:"%fullname%" - has to be >= 0 and <= 48 characters (cmd) / 256 (GUI).

Description / Comment: C:\> net user %username% /comment:"%description%" - has to be >= 0 and <= 48 characters (cmd) / 256 (GUI). User's comment: C:\> net user %username% /usercomment:"%usercomment%" - has to be >= 0 and <= 48 characters (cmd) / no GUI.

Country code: C:\> net user %username% /countrycode:xxx, where xxx can be:

000 (System Default), 002 (Netherlands), 032 (Belgium), 033 (France), 034 (Spain), 039 (Italy), 041 (Switzerland), 044 (United Kingdom), 045 (Denmark), 047 (Norway), 049 (Germany), 061 (Japan), 081 (Japan), 082 (Korea), 082 (Taiwan), 099 (Asia), 351 (Portugal), 358 (Finland), 785 (Arabic), 972 (Hebrew). Not sure what this affects; not the displayed time or the keyboard, though.

Account active (account is enabled or disabled): C:\> net user %username% /active:yes|y|no|n

Logon Message
Your account has been disabled. Please see your system administrator.

Account expires: C:\> net user %username% /expires:never, or C:\> net user %username% /expires:31/12/2004 (prefixed time of 12:00 AM)

Logon Message
Your account has expired. Please see your system administrator.

Password last set: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EF\F: offset 18, length 8 bytes, stored in NT time format.

Password expires: obtained from Security Settings\Account Policies\Password Policy\Maximum password age.

Logon Message
Your password has expired and must be changed.

A dialog appears to change the password; once completed (if allowed) logon commences. The built-in Administrator and Guest accounts never expire.

Password changeable: obtained from Security Settings\Account Policies\Password Policy = x days (0 = immediate).

Password required: C:\> net user %username% /passwordreq:yes|y|no|n. Unsure what this option is for; it must be blank or the user will not be able to log on - an error as if an incorrect username or password was attempted.

User may change password: C:\> net user %username% /passwordchg:yes|y|no|n. This can deny a logon if the password expires, error:

Change Password
You do not have ...

Workstations allowed: C:\> net user foo /workstations:%computername%
C:\> net user foo /workstations:%computername1%,%computername2%,%computername3%
C:\> net user foo /workstations:* (all)
Maximum of 8 workstations allowed, each >= 1 and <= 15 characters in length.
Logon Message:
Your account is configured to prevent you from using this computer. Please try another computer.

Logon script: has to be >= 0 and <= 259. C:\> net user %username% /scriptpath:%folder\script.bat|cmd%
Script paths are made relative to this folder: C:\WINNT\system32\Repl\Import\Scripts\

User profile: has to be >= 0 and <= 259 (cmd) / 260 (GUI). C:\> net user %username% /profilepath:%c:\folder or \\machine\folder%
This option is for roaming profiles and only works if the machine name length is <= 15.
By default user profiles are determined here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
REG_SZ: AllUsersProfile = the name of the folder for profile shared stuff (All Users)
REG_SZ: DefaultUserProfile = the name of the "template" profile folder used for newly logged on users (Default User)
REG_EXPAND_SZ: ProfilesDirectory = where the profiles and the above folders are stored (%SystemDrive%\Documents and Settings)
Each user that has a profile stored will have a subkey within this key in the form \%SID-RID%\ holding:
REG_EXPAND_SZ: ProfileImagePath = location of the user's profile. This is not set by the net command; it can be edited to point to a different profile.

Profiles can be either Local or Roaming. Local profiles are stored in a fixed location and are normally used by standalone machines with a couple of users. Roaming copies a profile from a different location to the local ProfilesDirectory; at logoff it is copied back. Roaming profiles are normally used on domains where a user may log on to different machines and keep the same profile.
User profiles are stored in a folder called X, where X follows this order if the earlier folders already exist: %username%, %username%.%machinename%, %username%.%machinename%.XXX - where XXX is >= 000 and <= 999; the system scans up decimally for the first available number. If all of these are taken this error shows at logon: User Environment

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Temporary folders follow this order, if the earlier folders already exist: TEMP, TEMP.%machinename%, TEMP.%machinename%.XXX - where XXX is >= 000 and <= 999; the system scans up decimally for the first available number. If all of these are taken this error shows at logon: User Environment
Windows cannot create a temporary profile directory. Contact your network administrator.
DETAIL - The system cannot find the file specified.
The next dialog is very similar: Windows cannot log you on because the profile cannot be loaded. Contact your network administrator. The user is returned to the logon screen. If it is an administrative level account, they are logged on under the default profile for the system. This situation is not likely to occur however.

Home directory: C:\> net user %username% /homedir:c:\foo2 - has to be >= 0 and <= 259 (cmd) / 247 (GUI). The GUI can alternatively map a logical drive letter to a remote share, >= 0 and <= 259: \\%machinename%\%sharename%

Last logon: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%userno%\F - offset 8, length 8, stored in NT time format.

Logon hours allowed: C:\> net user %username% /times:all
Day names accepted: Sunday = su, sunday; Monday = m, monday; Tuesday = t, tuesday; Wednesday = w, wednesday; Thursday = th, thursday; Friday = f, friday; Saturday = s, sa, saturday
/times:%day%,%time%-%time%;%day%,%time%-%time% - e.g. S,9AM-5PM;SU,9AM-12PM or M-F,9AM-1PM;M-F,2PM-5PM
/times:%day%-%day%,%time%-%time% - e.g. M-F,9AM-5PM
If logon is attempted outside of the allowed logon times: Logon Message
Your account has time restrictions that prevent you from logging on at this time. Please try again later.

3 bytes are assigned for each day of the week, covering hour slots 01 to 24:
| Sunday   | Monday   | Tuesday  | Wednesday | Thursday | Friday   | Saturday | Unknown  |
| FF,FF,FF | FF,FF,FF | FF,FF,FF | FF,FF,FF  | FF,FF,FF | FF,FF,FF | FF,FF,FF | 00,01,00 |

Add for combinations:
FF,FF,FF = all times
01,00,00 = 12AM-01AM (midnight)
02,00,00 = 01AM-02AM
04,00,00 = 02AM-03AM
08,00,00 = 03AM-04AM
10,00,00 = 04AM-05AM
20,00,00 = 05AM-06AM
40,00,00 = 06AM-07AM (morning)
80,00,00 = 07AM-08AM
00,01,00 = 08AM-09AM
00,02,00 = 09AM-10AM
00,04,00 = 10AM-11AM
00,08,00 = 11AM-12PM
00,10,00 = 12PM-01PM (noon)
00,20,00 = 01PM-02PM
00,40,00 = 02PM-03PM
00,80,00 = 03PM-04PM
00,00,01 = 04PM-05PM
00,00,02 = 05PM-06PM (evening)
00,00,04 = 06PM-07PM
00,00,08 = 07PM-08PM
00,00,10 = 08PM-09PM
00,00,20 = 09PM-10PM
00,00,40 = 10PM-11PM
00,00,80 = 11PM-12AM (midnight)
00,00,00 = not this day
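The 3-bytes-per-day bitmap above is easy to get wrong by hand, so here is an added example (not part of the original article) that encodes a "net user /times:" specification into those bytes and decodes them back. It follows the article's layout exactly: Sunday first, bit h of each day's 24-bit little-endian word is the hour starting at h, and an eighth "unknown" block is not modelled, so the result is 21 bytes.

```python
import re
import struct

# Day tokens accepted by "net user /times:" as listed in the article, mapped to the
# 3-byte slot for that day (Sunday first).
DAY_CODES = {
    "su": 0, "sunday": 0, "m": 1, "monday": 1, "t": 2, "tuesday": 2,
    "w": 3, "wednesday": 3, "th": 4, "thursday": 4, "f": 5, "friday": 5,
    "s": 6, "sa": 6, "saturday": 6,
}
DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def _hour(token):
    """'12AM' -> 0, '9AM' -> 9, '12PM' -> 12, '5PM' -> 17 (whole hours, as net user takes them)."""
    m = re.fullmatch(r"\s*(\d{1,2})\s*(AM|PM)\s*", token, re.IGNORECASE)
    if not m or not 1 <= int(m.group(1)) <= 12:
        raise ValueError("bad time: %r" % token)
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2).upper() == "PM" else hour


def _days(token):
    """'M-F' -> days 1..5, 'SU' -> [0]."""
    if "-" in token:
        first, last = (DAY_CODES[t.strip().lower()] for t in token.split("-", 1))
        if last < first:
            raise ValueError("day range runs backwards: %r" % token)
        return range(first, last + 1)
    return [DAY_CODES[token.strip().lower()]]


def encode_times(spec):
    """Encode a /times: specification into the 21-byte hours bitmap.

    Each day is a 24-bit little-endian word; bit h set means the hour starting at h is
    allowed, so 01,00,00 is 12AM-01AM and 00,00,80 is 11PM-12AM, matching the
    article's table. 'all' sets every bit.
    """
    words = [0] * 7
    if spec.strip().lower() == "all":
        words = [0xFFFFFF] * 7
    else:
        for segment in spec.split(";"):
            day_part, time_part = segment.split(",", 1)
            start_txt, end_txt = time_part.split("-", 1)
            start, end = _hour(start_txt), _hour(end_txt)
            if end == 0:          # a range ending at 12AM runs to the end of the day
                end = 24
            if end <= start:
                raise ValueError("time range runs backwards: %r" % segment)
            mask = sum(1 << h for h in range(start, end))
            for day in _days(day_part):
                words[day] |= mask
    return b"".join(struct.pack("<I", w)[:3] for w in words)


def decode_times(blob):
    """Turn the 21-byte bitmap back into {day name: [(start_hour, end_hour), ...]}."""
    if len(blob) < 21:
        raise ValueError("hours value must hold 3 bytes for each of 7 days")
    result = {}
    for day in range(7):
        word = int.from_bytes(blob[3 * day:3 * day + 3], "little")
        ranges, start = [], None
        for h in range(25):                       # the 25th step closes a range ending at 11PM
            allowed = h < 24 and (word >> h) & 1
            if allowed and start is None:
                start = h
            elif not allowed and start is not None:
                ranges.append((start, h))
                start = None
        result[DAY_NAMES[day]] = ranges
    return result


def hex_dump(blob):
    """Render a bitmap the way the article lists bytes: 'FF,FF,FF | 00,FE,01 | ...'."""
    return " | ".join(",".join("%02X" % b for b in blob[i:i + 3]) for i in range(0, 21, 3))
```

Decoding an account's stored hours and comparing them with what the policy says they should be is a quick way to spot a logon window that was widened without a matching change request.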

regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%RID%\F (fixed length, 80)
explorer.exe -> %windir%\system32\config\SAM

Password never expires - 0 = secpol time, 2 = never. For some unknown reason this value is set to 4 on a lockout and 0 on unlocking. If the password is set never to expire, the option to force the user to change their password at next logon is greyed out.
2/3/6/7/A/B/E/F = password never expires (2 = GUI setting)
0/2/8/A = logon okay
1/3/5/7/9/B/D/F = Logon Message
The system cannot log you on due to the following error:
The account used is a server trust account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
4/6/C/E = logon okay - reset to X-4 though
Last logon - stored in NT time format, nulls if never logged on
Password last set - stored in NT time format, nulls if not changed
Account expires - stored in NT time format, nulls if set not to expire
Last incorrect password - stored in NT time format, nulls if not
User number - stored in reverse hex
Unsure - 0/2/6/8/A/C/E = pwd/username invalid
1/3/4 = logon okay
5/7/D/F = Logon Message
The system cannot log you on due to the following error:
The account used is an interdomain trust account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
9/B = Logon Message
The system cannot log you on due to the following error:
The account used is a computer account. Use your global user account or local user account to access this server.
Please try again or consult your system administrator.
Account active - 0 = active, 1 = not active
Password required - 0 = yes, 4 = no
0/2/4/6/8/A/C/E = logon okay
1/2/5/7/9/B/D/F = account disabled / inactive
Country code - stored in reverse hex
Invalid pwd count - stored in reverse hex, reset after a correct logon
No. of logons - stored in reverse hex, gets stuck at FF,FF

regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%RID%\V (variable length, 424)
explorer.exe -> %windir%\system32\config\SAM
In this annotation the 1st and 3rd sections are shown first because they relate to each other; refer to the hex offset on the left.

The first 12 bytes of the value are unknown, probably section headers. The first 4 bytes of each entry refer to the location of the entry relative to offset CC, stored in reverse hex. The second 4 bytes refer to the entry length; the space allocated is rounded up to the nearest multiple of 4 bytes, so ignore the surplus data; also stored in reverse hex. The third 4 bytes are unknown.

The entries, in order: Username, Fullname, Comment, User comment, Unknown entry, Homedir, Homedirconnect, Scriptpath, Profilepath, Workstations, Hours allowed, Unknown entry, LM password hash, NT password hash, Unknown entry, Unknown entry.

This is the middle section of the V value. The first 52 bytes are unknown. Then: No. of permissions (example: 4); Permission: Everyone; Permission: Administrators; Permission: Account Operators; Permission: user in question; 2x Administrators group SID (unknown reason). The 14, 18, 24 in the first block of 4 bytes of each user/group permission are believed to state the entry length. The second 4-byte block holds the user/group permissions. If these settings follow similar storage methods to the security settings then each nibble holds 8 combinations, additions of 1, 2, 4 & 8. Not all of these options are known.
5B,03,02 = Everyone
44,00,02 = user in question
FF,07,0F = Full Control
00,01,00 = list user details
FF,01,00 = change user settings
FF,01,01 = delete user
cmd: System error 5 has occurred.
Access is denied.
msc: Local Users and Groups
The following error occurred while attempting to read user/group properties: Access is denied.
The full user/group SID is stated in the last section.

By default new users are added to the Users group. There are 6 built-in local groups in 2K: Administrators, Backup Operators, Guests, Power Users, Replicator & Users. XP added Network Configuration Operators, Remote Desktop Users & HelpServicesGroup. They are listed here: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Names\%groupname% where a subkey's value points to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000XXX\C which holds details about the group. Not all details are known at this point, however the group name, description/comment and group members are stored here.

Alias name: C:\> net localgroup %groupname% /add - can be >= 1 and <= 256 (cmd) / 254 (GUI). Only the first 25 characters are displayed at cmd. Some problems are encountered with longer group names. Group names can be renamed to 255 characters via the GUI, however it does error with: Local Users and Groups
The following error occurred while attempting to rename the group %groupname%:
One or more input parameters are invalid.
However the group will be renamed. On attempting to access the group similar errors occur, and on attempting to delete the group this explanation is given: An invalid Active Directory pathname was passed. Strange, since AD is not installed. At cmd any group name > 25 cannot be deleted: The user or group account specified cannot be found.
More help is available by typing NET HELPMSG 3963.
Adding users to a 254-length group seems to trigger network activity; the user is added and can be removed via the GUI though. Cmd however can handle adding/deleting users to 255/256 length group names; if deletion is attempted in the GUI the following error occurs: Local Users and Groups
One or more errors occurred while recording group membership changes for user %username%

Comment / Description: C:\> net localgroup %groupname% /comment:"%comments%" - >= 0 and <= 256 (GUI) / 2,133 (cmd), which is basically limited by cmd's 2,170 buffer input handling. The GUI can render such a comment and rename it, but only to a shorter length. There is also another record stored here: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\%dec_SID%\%hex_RID%\ - in 2K the default value can be viewed correctly in regedt32 by displaying binary data. This value simply lists, in hex, the groups that each respective user is a member of. Local groups are for workstations, global groups are for servers. Custom groups are added here: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases\Names\%groupname%\ and follow a similar pattern.

regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases\%RID%\C (custom groups)
regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\C (builtin groups)
explorer.exe -> %windir%\system32\config\SAM

Group key offsets are relative from 34. Fields: the group (user) number; group name; group description; length of user entries (reverse hex); number of users (reverse hex); number of group permissions; Permission: Everyone; Permission: Administrators; Permission: Account Operators; 2x Administrators group SID (unknown reason); group membership, represented by the members' SIDs.
Group permissions are similar to user permissions:
0C,00,02 = Everyone
1F,00,0F = Administrators
1F,00,0F = Account Operators
1F,00,0F = Power Users
09,00,00 = list group (cmd will list the group on 00 permissions)
0D,00,00 = add/remove group members (all newly created users)
1F,00,00 = edit group name/comment (msc only; 1F,00,01 for cmd edit)

(Some) Security Settings

The main security settings are configured with secpol.msc or "Security Configuration and Analysis" in an MMC. Here you can configure directly or import security templates. You can also use Group Policy or gpedit.msc -> Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\ - this is the same thing, and any settings are stored in the normal database and not in the Registry.pol files in C:\WINNT\system32\GroupPolicy\(Machine|User)\. The security settings are stored in a separate database (*.sdb) and then written from there to various parts of the registry. The built-in one is located at C:\WINNT\security\Database\secedit.sdb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\"LastPolicyTime"=dword:XXXXXXXX where X = the number of minutes since 1st Jan 1980 (12797280 = 12:00 AM, 1st May 2004). To save time in calculating this value use ntdate.exe. This value is created on first altering the security settings after install. It is then updated to the current time when the security settings are refreshed/written. This will occur when closing a dialog on editing settings, or at startup if the time stored is in the future or more than 16 hours behind the current time: Applying security policy... (just before logon). An event, SceCli, is logged under the Application Log when this occurs at startup. You can also update via the command line with C:\> secedit /refreshpolicy machine_policy /enforce

[System Access] (F0,3F,FE)
secpol.msc -> Account Policies\Password Policy\ and Account Policies\Account Lockout Policy\
regedit.exe -> HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F
explorer.exe -> %windir%\system32\config\SAM
Maximum password age (>= 0 & <= 999) days - reverse bytes, minus from qword FF; 1 = seconds x 10 million
Minimum password age (>= 0 & <= 998) days - reverse bytes, minus from qword FF; 1 = seconds x 10 million
Account lockout duration (>= 0 & <= 99,999) minutes - reverse bytes, minus from qword FF; 1 = seconds x 10 million
Reset account lockout counter after (>= 1 & <= 99,999) minutes - reverse bytes, minus from qword FF; 1 = seconds x 10 million
Next created user's RID (mentioned in the users and groups section)
Store password using reversible encryption for all users in the domain (enabled = 1 / disabled = 0)
Password must meet complexity requirements (enabled = 1 / disabled = 0)
Minimum password length (>= 0 & <= 14) characters (in hex)
Enforce password history (>= 0 & <= 24) passwords remembered (in hex)
Account lockout threshold (>= 0 & <= 999) attempts (reverse hex)
Part of Syskey (mentioned in the passwords section)
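Three different time encodings appear in the last few sections: the 8-byte NT time fields of a user's F value (offsets 8 and 18 above, "nulls if never"), the [System Access] ages and lockout timers ("reverse bytes, minus from qword FF; 1 = seconds x 10 million") and the LastPolicyTime dword (minutes since 1st Jan 1980). The added example below, which is not from the article or from ntdate.exe, converts each of them both ways. The offsets 0x20 and 0x28 and the 0x7FFFFFFFFFFFFFFF "never" marker are assumptions not stated in the article.

```python
import struct
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # NT time counts from here
POLICY_EPOCH = datetime(1980, 1, 1, tzinfo=timezone.utc)    # LastPolicyTime counts from here
TICKS_PER_SECOND = 10_000_000                               # "1 = seconds x 10 million"
NEVER = 0x7FFFFFFFFFFFFFFF   # assumption, not from the article: also means "never"


def nt_time_to_datetime(raw8):
    """8 little-endian bytes ("reverse hex") of NT time -> aware datetime, or None for nulls."""
    ticks = struct.unpack("<Q", raw8)[0]
    if ticks in (0, NEVER):
        return None
    return NT_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_nt_time(dt):
    """Inverse of nt_time_to_datetime, at 100-nanosecond resolution."""
    delta = dt - NT_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return struct.pack("<Q", ticks)


# Offsets into the F value. 0x08 and 0x18 are the two the article gives; the other two
# are assumed here (the article names the fields but not where they sit).
F_TIME_FIELDS = {
    "last_logon": 0x08,
    "password_last_set": 0x18,
    "account_expires": 0x20,
    "last_incorrect_password": 0x28,
}


def f_value_times(f_value):
    """Decode the NT-time fields of a user's F value (fixed length 80 per the article)."""
    if len(f_value) < 0x30:
        raise ValueError("F value too short")
    return {name: nt_time_to_datetime(f_value[off:off + 8]) for name, off in F_TIME_FIELDS.items()}


def encode_policy_duration(seconds):
    """[System Access] ages and lockout timers: a negative little-endian qword of
    100-ns ticks, which is why the stored bytes end in FF ("minus from qword FF")."""
    return struct.pack("<q", -seconds * TICKS_PER_SECOND)


def decode_policy_duration(raw8):
    """Inverse of encode_policy_duration; returns whole seconds."""
    return -struct.unpack("<q", raw8)[0] // TICKS_PER_SECOND


def last_policy_time_to_datetime(minutes):
    """LastPolicyTime dword: minutes since 1st Jan 1980."""
    return POLICY_EPOCH + timedelta(minutes=minutes)


def datetime_to_last_policy_time(dt):
    return int((dt - POLICY_EPOCH).total_seconds()) // 60


def demo():
    # Constructed 80-byte F value: all nulls except a last logon and a password-set time,
    # so account_expires and last_incorrect_password decode as "never".
    f = bytearray(80)
    f[0x08:0x10] = datetime_to_nt_time(datetime(2004, 5, 31, 9, 30, tzinfo=timezone.utc))
    f[0x18:0x20] = datetime_to_nt_time(datetime(2004, 5, 1, tzinfo=timezone.utc))
    return f_value_times(bytes(f))
```

A LastPolicyTime far in the past on a machine that should refresh policy at every boot, or a password-last-set date older than the maximum age allows, are both worth a second look when reviewing a hive offline.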

[Event Audit] (26,40,FE)
secpol.msc -> Local Policies\Audit Policy\
regedit.exe -> HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtEv\@
explorer.exe -> %windir%\system32\config\SECURITY

01 if any audits are enabled, if none: 00
Unsure: 2K = FF0600, XP = 000700 - reset to nulls
Audit system events
Audit logon events
Audit object access
Audit privilege use
Audit process tracking
Audit policy change
Audit account management
Audit directory service access
Audit account logon events
No. of policies: 9 - reset if removed
The type of policy applied is determined where X = setting, as defined below:

| Success | Failure | Setting |
| NO      | NO      | 0       |
| YES     | NO      | 1       |
| NO      | YES     | 2       |
| YES     | YES     | 3       |

[Privilege Rights] (00,40,FE)
secpol.msc -> Local Policies\User Rights Assignment\
explorer.exe -> %windir%\system32\config\SECURITY
This group of settings is stored in two locations/formats:
regedit.exe -> HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\%SID%\ActSysAc\@ - a simple fixed 4-byte hex value, add for combinations
regedit.exe -> HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\%SID%\Privilgs\@ - a variable length hex value, of the following layout:

The first byte states the number of privileges, followed by 7 nulls. Then, in the annotated example: Privilege: Shut down the system; Privilege: Bypass traverse checking; Privilege: Remove computer from docking station. Each privilege is stored in a 12-byte block: the first byte states the privilege, followed by 11 nulls. The privileges do not appear to be stored in any order.

| Right / privilege (as displayed) | Constant | Stored in | Value |
| Access this computer from the network | SeNetworkLogonRight | ActSysAc | 02,00,00,00 |
| Act as part of the operating system | SeTcbPrivilege | Privilgs | 07 |
| Add workstations to domain | SeMachineAccountPrivilege | Privilgs | 06 |
| Back up files and directories | SeBackupPrivilege | Privilgs | 11 |
| Bypass traverse checking | SeChangeNotifyPrivilege | Privilgs | 17 |
| Change the system time | SeSystemtimePrivilege | Privilgs | 0C |
| Create a pagefile | SeCreatePagefilePrivilege | Privilgs | 0F |
| Create a token object | SeCreateTokenPrivilege | Privilgs | 02 |
| Create global objects | SeCreateGlobalPrivilege | Privilgs | 1E |
| Create permanent shared objects | SeCreatePermanentPrivilege | Privilgs | 10 |
| Debug programs | SeDebugPrivilege | Privilgs | 14 |
| Deny access to this computer from the network | SeDenyNetworkLogonRight | ActSysAc | 80,00,00,00 |
| Deny logon as a batch job | SeDenyBatchLogonRight | ActSysAc | 00,01,00,00 |
| Deny logon as a service | SeDenyServiceLogonRight | ActSysAc | 00,02,00,00 |
| Deny logon locally | SeDenyInteractiveLogonRight | ActSysAc | 40,00,00,00 |
| Enable computer and user accounts to be trusted for delegation | SeEnableDelegationPrivilege | Privilgs | 1B |
| Force shutdown from a remote system | SeRemoteShutdownPrivilege | Privilgs | 18 |
| Generate security audits | SeAuditPrivilege | Privilgs | 15 |
| Impersonate a client after authentication | SeImpersonatePrivilege | Privilgs | 1D |
| Increase quotas | SeIncreaseQuotaPrivilege | Privilgs | 05 |
| Increase scheduling priority | SeIncreaseBasePriorityPrivilege | Privilgs | 0E |
| Load and unload device drivers | SeLoadDriverPrivilege | Privilgs | 0A |
| Lock pages in memory | SeLockMemoryPrivilege | Privilgs | 04 |
| Log on as a batch job | SeBatchLogonRight | ActSysAc | 04,00,00,00 |
| Log on as a service | SeServiceLogonRight | ActSysAc | 10,00,00,00 |
| Log on locally | SeInteractiveLogonRight | ActSysAc | 01,00,00,00 |
| Manage auditing and security log | SeSecurityPrivilege | Privilgs | 08 |
| Modify firmware environment values | SeSystemEnvironmentPrivilege | Privilgs | 16 |
| Profile single process | SeProfileSingleProcessPrivilege | Privilgs | 0D |
| Profile system performance | SeSystemProfilePrivilege | Privilgs | 0B |
| Remove computer from docking station | SeUndockPrivilege | Privilgs | 19 |
| Replace a process level token | SeAssignPrimaryTokenPrivilege | Privilgs | 03 |
| Restore files and directories | SeRestorePrivilege | Privilgs | 12 |
| Shut down the system | SeShutdownPrivilege | Privilgs | 13 |
| Synchronize directory service data | SeSyncAgentPrivilege | Privilgs | 1A |
| Take ownership of files or other objects | SeTakeOwnershipPrivilege | Privilgs | 09 |
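As an added example (not from the article), the two storage formats just described can be parsed with the tables above: ActSysAc as a 4-byte little-endian bitmask and Privilgs as a count byte, 7 nulls and 12-byte blocks whose first byte identifies the privilege. The HIGH_IMPACT set is this reviewer's own shortlist of privileges that amount to full control of the machine, not something the article states.

```python
import struct

# ActSysAc: a fixed 4-byte little-endian value, add for combinations (article's table).
ACT_SYS_AC_BITS = {
    0x001: "SeInteractiveLogonRight",
    0x002: "SeNetworkLogonRight",
    0x004: "SeBatchLogonRight",
    0x010: "SeServiceLogonRight",
    0x040: "SeDenyInteractiveLogonRight",
    0x080: "SeDenyNetworkLogonRight",
    0x100: "SeDenyBatchLogonRight",
    0x200: "SeDenyServiceLogonRight",
}

# Privilgs: the first byte of each 12-byte block names the privilege (article's table).
PRIVILEGE_IDS = {
    0x02: "SeCreateTokenPrivilege", 0x03: "SeAssignPrimaryTokenPrivilege",
    0x04: "SeLockMemoryPrivilege", 0x05: "SeIncreaseQuotaPrivilege",
    0x06: "SeMachineAccountPrivilege", 0x07: "SeTcbPrivilege",
    0x08: "SeSecurityPrivilege", 0x09: "SeTakeOwnershipPrivilege",
    0x0A: "SeLoadDriverPrivilege", 0x0B: "SeSystemProfilePrivilege",
    0x0C: "SeSystemtimePrivilege", 0x0D: "SeProfileSingleProcessPrivilege",
    0x0E: "SeIncreaseBasePriorityPrivilege", 0x0F: "SeCreatePagefilePrivilege",
    0x10: "SeCreatePermanentPrivilege", 0x11: "SeBackupPrivilege",
    0x12: "SeRestorePrivilege", 0x13: "SeShutdownPrivilege",
    0x14: "SeDebugPrivilege", 0x15: "SeAuditPrivilege",
    0x16: "SeSystemEnvironmentPrivilege", 0x17: "SeChangeNotifyPrivilege",
    0x18: "SeRemoteShutdownPrivilege", 0x19: "SeUndockPrivilege",
    0x1A: "SeSyncAgentPrivilege", 0x1B: "SeEnableDelegationPrivilege",
    0x1D: "SeImpersonatePrivilege", 0x1E: "SeCreateGlobalPrivilege",
}
PRIVILEGE_NAMES = {name: pid for pid, name in PRIVILEGE_IDS.items()}

# Reviewer's shortlist (not from the article): any of these on a SID other than
# Administrators is effectively SYSTEM-equivalent and deserves a closer look.
HIGH_IMPACT = {"SeTcbPrivilege", "SeDebugPrivilege", "SeCreateTokenPrivilege",
               "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
               "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege"}


def decode_act_sys_ac(raw):
    """-> (sorted right names, any bits the article's table does not cover)."""
    value = struct.unpack("<I", raw)[0]
    known = sum(ACT_SYS_AC_BITS)
    return sorted(n for b, n in ACT_SYS_AC_BITS.items() if value & b), value & ~known


def encode_act_sys_ac(names):
    return struct.pack("<I", sum(b for b, n in ACT_SYS_AC_BITS.items() if n in names))


def decode_privilgs(raw):
    """Parse: count byte + 7 nulls, then count blocks of (id byte + 11 nulls)."""
    if len(raw) < 8 or any(raw[1:8]):
        raise ValueError("bad Privilgs header")
    count = raw[0]
    if len(raw) != 8 + 12 * count:
        raise ValueError("Privilgs length does not match its count byte")
    names = []
    for i in range(count):
        block = raw[8 + 12 * i:20 + 12 * i]
        if any(block[1:]):
            raise ValueError("non-null padding in privilege block %d" % i)
        names.append(PRIVILEGE_IDS.get(block[0], "unknown privilege 0x%02X" % block[0]))
    return names


def encode_privilgs(names):
    out = bytes([len(names)]) + bytes(7)
    for n in names:
        out += bytes([PRIVILEGE_NAMES[n]]) + bytes(11)
    return out


def review(act_sys_ac_raw, privilgs_raw):
    """Summarise one Accounts\\%SID% key and flag high-impact privileges."""
    rights, unknown = decode_act_sys_ac(act_sys_ac_raw)
    privs = decode_privilgs(privilgs_raw)
    return {"rights": rights, "unknown_bits": unknown, "privileges": privs,
            "high_impact": sorted(HIGH_IMPACT & set(privs))}
```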

[Registry Values] (2C,40,FE)
secpol.msc -> Local Policies\Security Options\
regedit.exe -> various locations
explorer.exe -> %windir%\system32\config\SAM | SOFTWARE | SYSTEM

Additional restrictions for anonymous connections: None, rely on default permissions = 0; Do not allow enumeration of SAM accounts and shares = 1; No access without explicit anonymous permissions = 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"restrictanonymous"=dword:0000000X

Allow server operators to schedule tasks (domain controllers only): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"submitcontrol"=dword:0000000X

Allow system to be shut down without having to log on: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"ShutdownWithoutLogon"="X"

Allowed to eject removable NTFS media: Administrators = 0; Administrators and Power Users = 1; Administrators and Interactive Users = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatedasd"="X"

Amount of idle time required before disconnecting session (>= 0 & <= 99999) minutes (0 = do not disconnect clients)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"autodisconnect"=dword:000XXXXX

Audit the access of global system objects: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"auditbaseobjects"=dword:0000000X

Audit use of Backup and Restore privilege: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"fullprivilegeauditing"=hex:0X

Automatically log off users when logon time expires (local): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"enableforcedlogoff"=dword:0000000X

Clear virtual memory pagefile when system shuts down: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\"ClearPageFileAtShutdown"=dword:0000000X

Digitally sign client communication (always): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"requiresecuritysignature"=dword:0000000X

Digitally sign client communication (when possible): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"enablesecuritysignature"=dword:0000000X

Digitally sign server communication (always): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"requiresecuritysignature"=dword:0000000X

Digitally sign server communication (when possible): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\"enablesecuritysignature"=dword:0000000X

Disable CTRL+ALT+DEL requirement for logon: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"disablecad"=dword:0000000X

Do not display last user name in logon screen: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"dontdisplaylastusername"=dword:0000000X

LAN Manager authentication level: Send LM & NTLM responses = 0; Send LM & NTLM - use NTLMv2 session security if negotiated = 1; Send NTLM response only = 2; Send NTLMv2 response only = 3; Send NTLMv2 response only / refuse LM = 4; Send NTLMv2 response only / refuse LM & NTLM = 5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"lmcompatibilitylevel"=dword:0000000X

Message text for users attempting to log on (>= 1 & <= 16,383) characters | bug (?): the dialog allows 30,000; if over 16,383 characters it removes all/most security values within the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"legalnoticetext"="X"

Message title for users attempting to log on (>= 1 & <= 16,383) characters | bug (?): the dialog allows 30,000; if over 16,383 characters it removes all/most security values within the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"legalnoticecaption"="X"

Number of previous logons to cache (in case domain controller is not available) (>= 1 & <= 50) logons (0 = do not cache logons)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"cachedlogonscount"="X"

Prevent system maintenance of computer account password: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"DisablePasswordChange"=dword:0000000X

Prevent users from installing printer drivers: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\"addprinterdrivers"=dword:0000000X

Prompt user to change password before expiration (>= 0 & <= 999) days
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"passwordexpirywarning"=dword:00000XXX

Recovery Console: Allow automatic administrative logon: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"SecurityLevel"=dword:0000000X

Recovery Console: Allow floppy copy and access to all drives and all folders: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\"SetCommand"=dword:0000000X

Rename administrator account (>= 1 & <= 20) characters | bug (?): the dialog allows 30,000 (cannot be any existing group/user name)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4\V ("towards the end")
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%

Rename guest account (>= 1 & <= 20) characters | bug (?): the dialog allows 30,000 (cannot be any existing group/user name)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5\V ("towards the end")
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\%username%

Restrict CD-ROM access to locally logged-on user only: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatecdroms"="X"

Restrict floppy access to locally logged-on user only: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"allocatefloppies"="X"

Secure channel: Digitally encrypt or sign secure channel data (always): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"requiresignorseal"=dword:0000000X

Secure channel: Digitally encrypt secure channel data (when possible): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"sealsecurechannel"=dword:0000000X

Secure channel: Digitally sign secure channel data (when possible): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"signsecurechannel"=dword:0000000X

Secure channel: Require strong (Windows 2000 or later) session key: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\"requirestrongkey"=dword:0000000X

Send unencrypted password to connect to third-party SMB servers: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\"enableplaintextpassword"=dword:0000000X

Shut down system immediately if unable to log security audits: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"crashonauditfail"=dword:0000000X

Smart card removal behaviour: No Action = 0; Lock Workstation = 1; Force Logoff = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"scremoveoption"="X"

Strengthen default permissions of global system objects (e.g. Symbolic Links): Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"ProtectionMode"=dword:0000000X

Unsigned driver installation behaviour: Silently succeed = 0; Warn but allow installation = 1; Do not allow installation = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\"Policy"=hex:0X

Unsigned non-driver installation behaviour: Silently succeed = 0; Warn but allow installation = 1; Do not allow installation = 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\"Policy"=hex:0X

secpol.msc -> Event Log\Settings for Event Logs\
regedit.exe -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application|Security|System)\
explorer.exe -> %windir%\system32\config\SYSTEM
[Application Log] (24,40,FE) | [Security Log] (22,40,FE) | [System Log] (20,40,FE)

Maximum log size for (Application|Security|System) log (>= 64 & <= 4,194,240) KBytes | 64 byte increments
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application|Security|System)\"MaxSize"=dword:XXXXXXXX

Restrict guest access to (Application|Security|System) log: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application|Security|System)\"RestrictGuestAccess"=dword:0000000X

Retain (Application|Security|System) log (>= 1 & <= 365) days (stored in seconds, only visible if the retention method is by days)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application|Security|System)\"Retention"=dword:0XXXXXXX

Retention method for (Application|Security|System) log: Overwrite events by days = as above (days * seconds); Overwrite events as needed = 0; Do not overwrite events (clear log manually) = FFFFFFFF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\(Application|Security|System)\"Retention"=dword:XXXXXXXX

[Event Audit] (26,40,FE)
Shut down system when security audit log becomes full: Enabled = 1 or Disabled = 0
HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAdtFL\@=hex(0):0X,00

[Group Membership] (08,40,FE)
secpol.msc -> \Restricted Groups\; regedit.exe -> not defined here; explorer.exe -> \%windir%\security\database\secedit.sdb
Listed are the groups Administrators, Backup Operators, Guests, Power Users, Replicator and Users. In the Members tab, users can be defined in the security database to belong to the respective group. When the security policy is applied, the registry group membership is matched against the list in the database; hence if a new administrator is added to the machine but not listed in the security policy, it will be removed on policy application. This setting is only defined in the security database. In the Member Of tab is the text: "The groups to which this group belongs should not be modified". Unsure; this setting doesn't "seem" to work with local/custom groups - DC only?

[Service General Setting] (2E,40,FE)
secpol.msc -> \System Services\; regedit.exe -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%various%; explorer.exe -> \%windir%\system32\config\System
Service startup mode (FYI: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled, 5 = unknown)
   2 = Automatic, 3 = Manual, 4 = Disabled
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\"Start" = dword:0000000X
Service security
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%service%\Security\"Security" = hex:01,00,14,80 ...

Layout of a service "Security" value (the labels of the hex diagram, in order):
   Constant for all service security values
   Length from start to the first SYSTEM SID at the end
   Length from start to the second SYSTEM SID at the end
   Header length
   Length from the beginning to the start of the permissions
   The section (audit/permission) prefix; the second two bytes state the section length
   The number of users/groups within the section
   Audit: Everyone
   Permission: SYSTEM
   Permission: Administrators
   Permission: Authenticated Users
   Permission: Power Users
   SYSTEM SID - unsure of purpose

The audit and permission entries hold several sections of data. The third byte in the first dword holds the entry length. The second dword holds the permission/audit setting (add for combinations):
   01,00,00,00 = Query template
   02,00,00,00 = Change template
   04,00,00,00 = Query status
   08,00,00,00 = Enumerate dependents
   10,00,00,00 = Start
   20,00,00,00 = Stop
   40,00,00,00 = Pause and continue
   80,00,00,00 = Interrogate
   00,01,00,00 = User-defined control
   00,00,01,00 = Delete
   00,00,02,00 = Read permissions
   00,00,04,00 = Change permissions
   00,00,08,00 = Take ownership
   FF,01,0F,00 = Full control (all of the above)
The section is a dword - unsure of purpose.

[Registry Keys] (14,40,FE)
secpol.msc -> \Registry\; regedit.exe -> stored in sk values that are not actually viewable via regedit; regedt32 -> Security -> Permissions...; explorer.exe -> \%windir%\System32\config\(SAM/Security/Software/System) and %UserProfile%\NTUSER.DAT. This part is explained in the Registry Structure section.

[File Security] (18,40,FE)
secpol.msc -> \File System\; regedit.exe -> not stored here; explorer.exe -> differs between NT4 (NTFS v1.2) and 2K/XP (NTFS v3.0/3.1). This should possibly be expanded into a whole different article on NTFS; however, here are a few brief details. In NT4 the privilege is stored within each respective $MFT entry. In 2K/XP each $MFT entry has a numbered permission assigned to it; all the permissions are stored in the $Secure file in numbered permission blocks. This allows multiple files to point to the same permission block, saving space. The storage format is very similar to other permissions, with the first dword specifying the length, followed by the privilege and then the SID. If you are using XP Home,
   80,00,10,00 = Read attributes
   08,00,10,00 = Read extended attributes
   02,00,10,00 = Create files / write data
   04,00,10,00 = Create folders / append data
   00,01,10,00 = Write attributes
   10,00,10,00 = Write extended attributes
   40,00,10,00 = Delete subfolders and files
   00,00,11,00 = Delete
   00,00,12,00 = Read permissions
   00,00,14,00 = Change permissions
   00,00,18,00 = Take ownership

Registry Structure

Apart from the audit logs (.evt), EFS keys, file security, group policies (.pol) and security databases (.sdb), all security settings are stored in the registry. In the second table the filenames are with respect to ..................

Location and filename                                                                                  Brief function                   Approx. size (bytes)
C:\Winnt\System32\Config\Default                                                                       System profile                   122,880
C:\Winnt\System32\Config\Sam                                                                           Users and groups                 20,480
C:\Winnt\System32\Config\Security                                                                      Security settings                20,480
C:\Winnt\System32\Config\Software                                                                      User/OS software settings        6,119,424
C:\Winnt\System32\Config\System                                                                        Hardware settings & services     2,428,928
C:\Winnt\System32\Config\UserDiff                                                                      Unsure, not loaded either?       139,264
C:\Documents and Settings\%username%\NTUSER.DAT                                                        Individual user settings         225,280
C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Individual user settings         8,192
C:\Documents and Settings\Default User\ntuser.dat                                                      Default settings for new users   118,784

Filename                    Mounted as                                Root key          Subkeys                                                                                                                          A&P entries
DEFAULT                     HKEY_USERS\.DEFAULT\                      $$$PROTO.HIV      AppEvents, Console, Control Panel, Environment, Identities, Keyboard Layout, Software, UNICODE Program Groups                      6
Sam                         HKEY_LOCAL_MACHINE\SAM\                   SAM               SAM                                                                                                                              2
Security                    HKEY_LOCAL_MACHINE\SECURITY\              SECURITY          Policy, RXACT                                                                                                                    5
Software                    HKEY_LOCAL_MACHINE\SOFTWARE\              $$$PROTO.HIV      Classes, Clients, Intel, Microsoft, ODBC, Policies, Program Groups, Secure, Voice, Windows 3.1 Migration Status                    87
SYSTEM                      HKEY_LOCAL_MACHINE\SYSTEM\                $$$PROTO.HIV      ControlSet001, ControlSet002, MountedDevices, Select, Setup                                                                      397
Userdiff                    Not mounted                               $$$PROTO.HIV      61 numbered keys ranging from 1137 to 2138                                                                                       1
NTUSER.DAT                  HKEY_CURRENT_USER / HKEY_USERS\SID-RID\   $$$PROTO.HIV      AppEvents, Console, Control Panel, Environment, Identities, Keyboard Layout, Printers, RemoteAccess, Software, UNICODE Program Groups   36
UsrClass.dat                HKEY_USERS\SID-RID_Classes\               SID-RID_Classes   None                                                                                                                             1
NTUSER.DAT (Default User)   Not mounted                               $$$PROTO.HIV      AppEvents, Console, Control Panel, Environment, Identities, Keyboard Layout, Software, UNICODE Program Groups                      5

This image is a scale diagram of a SAM registry hive (1 horizontal pixel = 32 bytes). Its labelled regions, in order:
   Header
   Surplus space - filled with nulls
   hbin entries - repeated every 4096 (8192/12288) bytes from offset 4096
   Registry keys, values, data and permissions etc.
   At the end of the entries a dword states the length, inclusively, to the end of the file, followed by FF,FF,FF,FF
   Surplus space - nulls or junk

The header section is 512 bytes. Because the middle section does not appear to be used, it is absent from the diagram below - note the offsets:
   regf; a constant identifier
   Twin increment for adding/removing data in memory; appears to add by 2, the left before the right
   Last disk write - shutdown, logoff and other times; stored in NT time format
   Constants, unsure of; the 2nd one is set to 05000000 in default, software, system & userdiff in XP. The 2nd from last is 32 bytes - possible hbin reference
   Length of the data section to the end of the last hbin
   The filename and path, counting backwards
   Surplus space - nulls or junk
   DWORD XOR checksum of the first 508 bytes

Filename       Path (as stored in the header)
default        stemRoot\System32\Config\DEFAULT
NTUSER.DAT     ettings\Administrator\ntuser.dat
SAM            \SystemRoot\System32\Config\SAM
SECURITY       emRoot\System32\Config\SECURITY
software       emRoot\System32\Config\SOFTWARE
SYSTEM         (path garbled)
userdiff       1\WINNT\SYSTEM32\CONFIG\userdiff
UsrClass.dat   \Microsoft\Windows\UsrClass.dat
The path in the ntuser.dat in the default profile directory is set to nulls. emRoot/stemRoot is SystemRoot without the %; 1\WINNT is probably \Device\HarddiskVolume1\WINNT.

XOR truth table:
   1st bit:  1  1  0  0
   2nd bit:  1  0  1  0
   XORed:    0  1  1  0
You could use calc.exe to XOR (scientific view, switch to Bin). Instead you could use xorcheck.exe to save time in calculating the checksum:
C:\> Usage: xorcheck <508-byte file>
Point it to a 508 byte file that contains the first 508 bytes of the hive, then reverse the output bytes.
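As an added example (not code from the article or from xorcheck.exe), the Python below parses the 512-byte header walked through above from a constructed sample and verifies the XOR checksum; a checksum or twin-increment mismatch is how a forensic tool tells a modified or half-written hive from an intact one. The sample header, its timestamp and its filename are constructed here, and the 0/0xFFFFFFFF checksum substitution is Windows behaviour the article does not mention.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 512          # only the first 512 bytes of the 4096-byte base block are used
CHECKSUM_OFFSET = 0x1FC    # last dword of the header = XOR of the 127 dwords before it
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hive_checksum(header: bytes) -> int:
    """XOR the 127 little-endian dwords in the first 508 bytes of the header.
    Windows stores 0xFFFFFFFE instead of 0xFFFFFFFF and 1 instead of 0
    (kernel behaviour, not stated in the article)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def filetime_to_datetime(ft: int) -> datetime:
    """NT time format: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_regf_header(header: bytes) -> dict:
    """Decode the header fields listed above and check the stored checksum."""
    if len(header) < HEADER_SIZE or header[:4] != b"regf":
        raise ValueError("'regf' signature missing: not a registry hive")
    (seq1, seq2, ft, major, minor, ftype, fmt,
     root_cell, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", header, 4)
    # 64 bytes of UTF-16LE at 0x30: the tail of the path, null padded
    raw_name = header[0x30:0x30 + 64]
    name = raw_name.decode("utf-16le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    return {
        "sequence": (seq1, seq2),          # the "twin increment"
        "clean": seq1 == seq2,             # mismatch: the last write was interrupted
        "last_written": filetime_to_datetime(ft),
        "version": (major, minor),         # minor is the second "constant" noted above
        "root_cell_offset": root_cell,     # 0x20: first cell of the first hbin
        "hbins_size": hbins_size,          # data section length up to the last hbin
        "filename": name,
        "checksum_stored": stored,
        "checksum_ok": stored == hive_checksum(header),
    }


def build_sample_header(clean: bool = True) -> bytes:
    """A constructed header (not copied from a real hive) for the parser above."""
    buf = bytearray(HEADER_SIZE)
    buf[:4] = b"regf"
    seq1 = 0x2A
    seq2 = seq1 if clean else seq1 - 1     # unequal twins = dirty hive
    ts = datetime_to_filetime(datetime(2004, 5, 31, tzinfo=timezone.utc))
    struct.pack_into("<IIQIIIIIII", buf, 4,
                     seq1, seq2, ts, 1, 3, 0, 1, 0x20, 0x4000, 1)
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16le")
    buf[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", buf, CHECKSUM_OFFSET, hive_checksum(bytes(buf)))
    return bytes(buf)


def flip_byte(header: bytes, offset: int = 0x28) -> bytes:
    """Alter one byte inside the checked region without updating the checksum."""
    buf = bytearray(header)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    for label, hdr in (("intact", build_sample_header()),
                       ("dirty", build_sample_header(clean=False)),
                       ("edited", flip_byte(build_sample_header()))):
        info = parse_regf_header(hdr)
        print(f"{label:7} clean={info['clean']} checksum_ok={info['checksum_ok']} "
              f"last_written={info['last_written']:%Y-%m-%d %H:%M:%S} file={info['filename']}")
```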

The hbin entry:
   hbin; a constant identifier
   Offset of the entry with respect to offset 1000
   Either the length of the entry or the offset to the next entry relative to this one
   Normally 1000/4096, but can switch between 2000 and 3000 part way through
   Surplus space - nulls or junk
   2K constant? - mostly junk or nulls in XP

The registry appears to be made up of 7 different types of entries. All offsets are relative to 1000; xx denotes no constant identifier.
   01. nk = (sub)keys (links to the following 4 types)
   02. lf/lh = subkey list
   03. xx = value list (links to type no. 6)
   04. sk = permissions
   05. xx = class information (regedt32 input on key creation)
   06. vk = value (links to type no. 7, though data can be within the value)
   07. xx = data

The nk entry:
   Entry length, 100000000 - reversed bytes
   nk; a constant identifier
   Key type: 2C = root key, 20 = subkey
   Constants - unsure of purpose
   NT date format, set at key creation and modified when the key is renamed or if values within it are added or changed. Does NOT change for any subkey changes
   Parent key offset; what the root key points to is unclear
   Number of subkeys, unsure of maximum; if none, filled with 00,00,00,00
   Subkey list (lf) offset; if none, filled with FF,FF,FF,FF
   Number of values, unsure of maximum; if none, filled with 00,00,00,00
   Values list offset; if none, filled with FF,FF,FF,FF
   Audit and permissions (sk) offset
   Class entry offset; if none, filled with FF,FF,FF,FF
   The maximum subkey name length x 2; if none, filled with 00,00,00,00. Possibly a memory feature: in the System file the maximum key length stated is 22 -> 17, which = CurrentControlSet, which is not stored in the actual file
   The maximum subkey class size; if none, filled with 00,00,00,00
   The maximum value name length; if none, filled with 00,00,00,00
   The maximum value data size; if none, filled with 00,00,00,00
   Surplus space - nulls or junk
   Key name length. NB: if the length is set to 1 more than the "real" length and a null is suffixed to the end of the name, the key will be handled similarly to these subkeys: SAC, SAI, XATM etc. in HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\ (FYI: XATM is thought to stand for XA Transaction Manager, unsure of purpose; the SA keys are used for scheduled tasks). regedit.exe -> Error Opening Key: Cannot open %keyname%: Error while opening key. regedt32.exe -> greyed out; Security -> Permissions... -> Unable to display security information.
   Class length (max = D0,07 -> 07,D0 = 2,000; stored as Unicode, hence 1000 characters)
   Key name; stored in ASCII format. Ignore surplus bytes; the length is stated

Subkey list:

   Entry length, 100000000 - reversed bytes
   lf; a constant identifier
   No. of subkeys (can be obtained from the key though)
   Offsets to subkeys, each followed by the first four characters of the subkey name
   Surplus space - nulls or junk
XP uses a checksum instead of the first four characters in the following 4 files: Default, Software, System & Userdiff.

As above, with this difference: lh; a constant identifier (for checksummed lists). The subkeys are Control, Enum, Hardware Profiles & Services respectively. Calculating the checksum: Control = 43,6F,6E,74,72,6F,6C -> 43,4F,4E,54,52,4F,4C (CONTROL). Use calc.exe, View = Scientific, Length = DWORD; each step is (previous x 24) + (previous + character), i.e. previous x 25 + character in hex:
   43 + 4F = 92;             43 x 24 + 92 = 9FE
   9FE + 4E = A4C;           9FE x 24 + A4C = 17204
   17204 + 54 = 17258;       17204 x 24 + 17258 = 357AE8
   357AE8 + 52 = 357B3A;     357AE8 x 24 + 357B3A = 7BAC3DA
   7BAC3DA + 4F = 7BAC429;   7BAC3DA x 24 + 7BAC429 = 1DFE4ED1
   1DFE4ED1 + 4C = 1DFE4F1D; 1DFE4ED1 x 24 + 1DFE4F1D = 55C16481 (DWORD, overflow discarded)
   -> 55,C1,64,81 -> stored reversed: 81,64,C1,55
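The lh checksum worked by hand above, and the lf four-character hint, as an added Python example (not code from the article): the helpers build an lf/lh cell and then re-derive every stored hint from the real subkey name, so a list whose hints disagree with its keys (a corrupted or hand-edited hive) is reported. The subkey offsets are made up; the null padding of short lf hints is an assumption.

```python
import struct


def lf_hint(name: str) -> bytes:
    """'lf' lists (NT4/2000): the first four characters of the subkey name.
    Null padding for names shorter than four characters is an assumption here."""
    return name[:4].encode("ascii").ljust(4, b"\x00")


def lh_hash(name: str) -> int:
    """'lh' lists (XP): hash = hash * 37 + uppercase(char), kept to 32 bits.
    37 is 0x25, i.e. the article's (h x 24) + (h + char) step. ASCII names assumed."""
    h = 0
    for ch in name.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def subkey_hint(kind: bytes, name: str) -> bytes:
    return lf_hint(name) if kind == b"lf" else struct.pack("<I", lh_hash(name))


def build_subkey_list(kind: bytes, entries) -> bytes:
    """Serialise an lf/lh cell: negative dword length (cell in use), 'lf'/'lh',
    word count, then (subkey offset, 4-byte hint) pairs, padded to 8 bytes."""
    body = kind + struct.pack("<H", len(entries))
    for offset, name in entries:
        body += struct.pack("<I", offset) + subkey_hint(kind, name)
    size = (4 + len(body) + 7) & ~7
    cell = struct.pack("<i", -size) + body
    return cell + b"\x00" * (size - len(cell))


def check_subkey_list(cell: bytes, names_by_offset: dict) -> list:
    """Recompute every hint from the real subkey name (looked up by the nk offset
    the list entry points to) and return the offsets whose stored hint disagrees.
    An empty list means the list is consistent with its keys."""
    kind = cell[4:6]
    if kind not in (b"lf", b"lh"):
        raise ValueError(f"not a subkey list: {kind!r}")
    count = struct.unpack_from("<H", cell, 6)[0]
    mismatched = []
    for i in range(count):
        offset, stored = struct.unpack_from("<I4s", cell, 8 + 8 * i)
        if stored != subkey_hint(kind, names_by_offset[offset]):
            mismatched.append(offset)
    return mismatched


# Constructed sample: the ControlSet001 subkeys the article names, at made-up offsets
SAMPLE_KEYS = {0x1A8: "Control", 0x2B0: "Enum", 0x3F8: "Hardware Profiles", 0x520: "Services"}


def demo() -> tuple:
    lh_cell = build_subkey_list(b"lh", sorted(SAMPLE_KEYS.items()))
    # Corrupt the hint of the second entry (Enum) and watch the check report its offset
    bad = bytearray(lh_cell)
    bad[8 + 8 * 1 + 4] ^= 0xFF
    return check_subkey_list(lh_cell, SAMPLE_KEYS), check_subkey_list(bytes(bad), SAMPLE_KEYS)


if __name__ == "__main__":
    print(f"lh('Control') = {lh_hash('Control'):08X} -> stored as "
          f"{struct.pack('<I', lh_hash('Control')).hex(' ')}")
    consistent, corrupted = demo()
    print("mismatches, intact list:", consistent, " after corruption:", corrupted)
```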

Values list:
   Entry length, 100000000 - reversed bytes
   Offsets to values
   Surplus space - nulls or junk

Audit and permissions:
   Entry length, 100000000 - reversed bytes
   sk; constant identifier
   *Mostly* FF,FF / 00,00, though other values noted - unsure of purpose
   Next sk entry in the "sequence" - see the sk sequence table below
   Previous sk entry in the "sequence" - see the sk sequence table below
   Constant 01,00,00,00 - unsure of purpose
   Length of the entry (not surplus) from offset 18 (which is right after this dword). All offsets hereafter are with respect to offset 18
   Unsure; however, the lower nibble of the last byte determines propagation (see the propagation table below): "Allow inheritable permissions from parent to propagate to this object" and "Allow inheritable auditing entries from parent to propagate to this object"
   Offset to the owner of the item; offset to the SYSTEM SID; offset to the audit entries; offset to the permission entries (00,00,00,00 if none; can be added)
   Audit / permissions: the 1st/2nd bytes are 02,00 - constants. 3rd/4th = length of the audit section entry (if none: 02,00,08,00 - this and the next). Number of audit/permission entries (if none: 00,00,00,00)
   There are some differences in the first 2 bytes between audit and permission entries. Audit: 1st byte = 02 - constant? 2nd byte, lower nibble denotes the type of audit: 4 = Allow, 8 = Deny, C = Allow & Deny (if both settings are identical, else two entries are created). 2nd byte, upper nibble denotes the scope of the audit/permission - see the scope table below. 3rd (& possibly 4th) byte is the length of this audit/permission entry
   Owner of the item: SID of SYSTEM; SID - unsure of purpose
   Surplus space - nulls or junk

sk "sequence" example (five sk entries; offsets relative to 1000):

SK   Offset   Next sk   Order   Prev sk   Order
1    1078     1178      1       2F88      1
2    1178     3AB0      2       1078      5
3    2F88     1078      5       3660      2
4    3660     2F88      4       3AB0      3
5    3AB0     3660      3       1178      4

If there is 1 sk, both pointers point to itself; if 2 sk, both point to each other.
Following next: 1078 -> 1178 -> 3AB0 -> 3660 -> 2F88 -> (back to 1078)
Following prev: 1078 -> 2F88 -> 3660 -> 3AB0 -> 1178 -> (back to 1078)

Propagation (0x):
8    Inherit both
9    Inherit audits only
A    Inherit permissions only
B    No inherits
When applying permissions or audits to a parent key, propagation will check these and update any subkeys flagged.

Debug (hex)    Setting
01,00,00,00    Query Value
02,00,00,00    Set Value
04,00,00,00    Create Subkey
08,00,00,00    Enumerate Subkeys
10,00,00,00    Notify
20,00,00,00    Create Link
00,00,01,00    Delete
00,00,04,00    Write DAC
00,00,08,00    Write Owner
00,00,02,00    Read Control
3F,00,0F,00    Full Control

Permissions: 1st byte: allow = 00 / deny = 01. 2nd byte, lower nibble = 0. 2nd byte, upper nibble denotes the scope of the permission:

0x   Scope
0    This key only
2    This key and subkeys
6    This key and subkeys; apply these permissions to objects and/or containers within this container only
A    Subkeys only
E    Subkeys only; apply these permissions to objects and/or containers within this container only

Deny entries take priority over Allow entries, which can cause unintended effects due to group membership. Deny permission entries are ordered before Allow entries - a possible exit on the 1st Deny, access on the 1st Allow?

Class: this is a kind of hidden attribute of registry keys, since it is not displayed in the regedt32/regedit GUI. The only way other than programmatically or via debug to view the class information is to "Save Subtree As..." in regedt32 and check the "Class Name:" lines for non-empty values. Mainly this feature is used in the CLSID and Interface subkeys of Software\Classes; however, others were noted on keys to do with Internet Explorer, the TCP service, OS/2 and syskey (mentioned in the Passwords section).
   Entry length, 100000000 - reversed bytes
   Class data in Unicode
   Surplus space - nulls or junk

Values: there appear to be two types of values, values that contain data and values that point to data. The name is optional for both types, but if a value is not assigned a name, regedit renders it as (Default); regedt32

Four forms: a named value that contains data; a named value that links to data; an unnamed value that links to data; an unnamed value that contains data in the form of its value type.
   Entry length, 100000000 - reversed bytes
   vk; constant identifier
   Unsure of purpose
   Length of the value's data: 00,80 = contains data, 00,00 = linked to data
   Data contained within the value, or the offset to the linked data
   Value type - see the table below
   00 = no named value, 01 = named value
   Value's name
   Surplus space - nulls or junk

0x   Type                             regedt32        regedit
00   REG_NONE
01   REG_SZ                           REG_SZ          String
02   REG_EXPAND_SZ                    REG_EXPAND_SZ
03   REG_BINARY                       REG_BINARY      Binary
04   REG_DWORD                        REG_DWORD       DWORD
05   REG_DWORD_LITTLE_ENDIAN
06   REG_LINK
07   REG_MULTI_SZ                     REG_MULTI_SZ
08   REG_RESOURCE_LIST
09   REG_FULL_RESOURCE_DESCRIPTOR
0A   REG_RESOURCE_REQUIREMENTS_LIST
0B   REG_QWORD

Regedit can only handle REG_SZ and REG_EXPAND_SZ values of data size 3F,FF or less; anything above and the value disappears. regedt32 can handle up to 30,000. Regedit and regedt32 can both handle REG_BINARY values of data size 3F,FF or less. DWORD values have a data size of 4 bytes. Regedit can only handle REG_MULTI_SZ values of data size 3F,FE; this is because of the null included at the end. regedt32 can handle up to 7,FF,FC, which is 4 bytes short of 1/2 a megabyte. Anything over errors with: Registry Editor could not accomplish the requested operation.

Data:
   Entry length, 100000000 - reversed bytes
   Data

Examples of Sam and Security Registry Files

Passwords

The SAM file appears to be "fairly" secure; however, if physical access to the machine is possible it is not so secure, and Microsoft have admitted this. The SAM file is locked: it is not possible to delete, copy, move or rename it from within Windows via Explorer. Access to RAM is also restricted if not in the Administrators group. Disk hex editors can only be used within Windows if logged in with administrative privileges, else direct disk access is denied. Administrative privileges are also needed to defragment a volume, so the SAM file may need reassembling if direct access to the disk is used. If the machine can be (re)booted from a different device, e.g. floppy, or the hard disk removed and/or copied, there are possibilities. Passwords are not stored in the SAM file; password hashes are. This means that a candidate password has to be hashed and then compared; passwords cannot be directly extracted. Once the hashes have been obtained they can be tested against dictionary files or for all possible combinations; the time this takes depends on the complexity and length of the account's password. To prevent simple dumping of the hashes from the registry, syskey.exe (SAM Lock Tool) was introduced in service pack 3 and later for NT4. Enabling syskey is a one-way process: once enabled it cannot be disabled, according to Microsoft. Service pack 3 did not automatically enable syskey; the administrator had to set it. In 2K it is enabled by default. Syskey adds an extra level of encryption to the hashes and makes the hashes unique to the system and the user. Syskey can work in one of three different ways; with trickery all three can be deployed at the same time ;-)

SecureBoot   Option                             Explanation
1            Store Startup Key Locally          Stores a key as part of the operating system; no interaction is required during system start.
2            Password Startup                   Requires a password to be entered during system start.
3            Store Startup Key on Floppy Disk   Requires a floppy disk to be inserted during system start.

A non-determining record of which option is enabled is stored here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"SecureBoot" = dword:0000000X. If option 2 or 3 is chosen a prompt will appear at startup, just as the mouse pointer appears. Either the correct floppy disk needs to be in the drive or the correct password entered to proceed to the regular login. If option 3 is chosen a 16-byte file will be saved to floppy disk by the name of "startkey.key". By default option 1 is selected in 2K/XP, and this is believed to be the most commonly used option. Although the hashes are encrypted, the correct hashes can be obtained with pwdump via lsass.exe if logged on in the Administrators group of the system in question. There are other programs that use similar/same techniques to Todd Sabin's that can retrieve the hashes.

Local privilege escalation: if access to an account in the Administrators group is not available, raise the user level of an existing one. There may be many to choose from, but assume that there is not; one account that is probably always available is the built-in Guest. The computer needs to be booted from a different device, either from a FD/CD (the BIOS may need altering/cracking), or remove the disk and connect it to another machine to make the changes. More stealthy is to dd/image the target disk temporarily and carry out the procedure on a similar machine elsewhere. Boot from Petter Nordahl-Hagen's boot disk (Windows users may want to read up on the commands cp and mount):
01. (optional) Make a copy of the SAM and SECURITY files, or note all changes made. This is in case of any errors.
02. (optional) Make a copy of the event log files: Application (AppEvent.Evt), Security (SysEvent.Evt); or note the audit settings and the security policy refresh time and temporarily switch off auditing. This is to prevent Windows-based auditing.
03. Check the username for user 000001F5. If it does not have a *blank* password, or has an unknown one, set one.
04. Activate the Guest or user account (see the Users and Groups section).
05. Change the permission level to Administrator (see the Users and Groups section).
06. Increase the number of Administrators (see the Users and Groups section).
07. Check the security policies: can the user log on? Change if not (see the Users and ....................................

Exporting the syskey: the "sys" part of syskey does not refer to the hardware, thus it can be moved to another system. This method also requires booting from a different device, but actual booting of the target disk is not needed, which makes this method passive. Boot up and copy the following information:
01. \SAM\SAM\Domains\Account\F (data of) - the 48 bytes at the end minus 8 bytes (see the Security Settings section).
02. \SAM\SAM\Domains\Account\Users\000001F4\V (data of) - 2 x 16 bytes at the end minus 8 bytes (see the Passwords section).
03. \SECURITY\Policy\@ (data of) - the last 64 bytes, basically all of this value.
04. \SYSTEM\ControlSet001\Control\Lsa\Data (class of) - 8 bytes of hex in text (see the Registry Structure section).
05. \SYSTEM\ControlSet001\Control\Lsa\GBG (class of) - as above.
06. \SYSTEM\ControlSet001\Control\Lsa\JD (class of) - as above.
07. \SYSTEM\ControlSet001\Control\Lsa\Skew1 (class of) - as above.
On a second system create or use an account with a user number different from the one you are importing, and raise the privileges of this user to Administrator if not already. Set this account's password to blank - not via the GUI but in the registry at HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\xxxxxxxx, where x is the user's account number. This is a similar process to setting a blank password with Petter Nordahl-Hagen's boot disk without specifying a password: alter the bytes after the data for the logon hours allowed to read: 01,02,00,00,07,00,00,00,01,00,01,00,01,00,01,00,01,00,01,00,01,00,01,00; add 8 to the offset of the unknown entry for the LM hash, then 4 for the NT, then 4 for the unknown entry, and finally 4 again for the last unknown entry. Reboot for update. If you do not already have a user with the same user number as the account you are importing, either create one by modifying the next user number counter (see the Users and Groups section) or edit a dummy user's account, user number and group values. Import the specific data into the host computer. For the F and V values it may be quicker to export the existing value, paste in the specific new data and import. Just import PolSecretEncryptionKey straight as it is. For the class data it is probably quicker to export as .reg files, delete the keys, use regedt32 to create new keys with the new classes, then import the exported .reg files. Reboot and log in as the user with the *blank* password, and dump the correct hashes.

Ineffective NTFS permissions on the file boot.ini, in 2K only, could allow a user to delete the file and replace it with their own. The new one could add an entry to the [operating systems] list pointing to a different, recently copied custom system directory for which an Administrator account is known, since users have permission to create folders in the root directory. Once booted into this new system the host operating system could be modified. One such method of creating the mobile system is as follows. On a different system start the 2K setup from floppy disk. When the copying finishes, reboot from a floppy/other system and edit these files: C:\TXTSETUP.SIF -> DefaultPath = \WINNT; C:\$WIN_NT$.~LS\I386\HIVESFT.INF -> DEFAULT_PROFILES_DIR = "%SystemDrive%\Documents and Settings". Point them to different locations so they do not interfere with the target system setup. Continue with the setup. On completion disable the Recycle Bin and the hibernation feature, delete unneeded files and shrink the page file in order to reduce the total size of the system. Add any useful programs also, but avoid/delete the "Program Files" directory as you will not have permission to overwrite it on the target system. Also visit this page: http://support.microsoft.com/default.aspx?scid=kb;[LN];Q314082 - it states this only applies to XP, but basically they just updated KB Q271965 slightly, which applied to 2K, and then deleted the original one *frowns at MS*. On the target system open and re-save the current boot.ini elsewhere, and replace it with one that will also point to your setup. Copy the mobile setup over; you will probably need to run attrib -r /s /d on the folder if copied from CD. Reboot and select your setup. Press F8 and boot into safe mode; this is very important as it allows the keyboard and mouse to be detected properly. Reboot in normal mode for full access; some drivers may need to be added for full system functionality. There are a couple of counters to this procedure. If disk quota is switched on you may not have enough space to copy over the mobile install. Also, the administrator simply needs to run attrib +r boot.ini to fix the NTFS problem. Hypothetically, the new %SystemRoot% could hold a modified setup or other "ntldr friendly" coded program instead.

If the SAM file is deleted, Windows on boot will simply recreate one: 1 Administrator and 1 Guest with blank passwords, Guest disabled. If this procedure is attempted on XP the following error occurs on bootup:
lsass.exe - System Error
Security Accounts Manager initialization failed because of the following error: A device attached to the system is not functioning. Error Status: 0xC0000001. Please click OK to shutdown this system and reboot into Safe Mode, check the event log for more detailed information.
Rebooting into safe mode produces the same error; however, if you boot from Petter Nordahl-Hagen's boot disk and change this registry value: \HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress to 0x1 and reboot, it will error with:
Windows Message
The system is not fully installed. Click OK to reboot.
Change the value back to 0x0 and reboot again. A new SAM file will have been created.

The lsass process caches the plain-text password of the logged-on user in its memory space. This exists while in logged on, logged off, standby and hibernate modes. As soon as a different person logs on, the previous cache is wiped/overwritten. Since lsass loads fairly low down, the chances of this appearing in pagefile.sys are small, and since you need administrator-level privileges to access the lsass memory space it is reasonably secure locally; however, if the machine is on a network this could be a problem, example:
C:\> pslist lsass \\192.168.0.49 -u administrator -p pass (get the PID of lsass)
C:\> psexec.exe \\192.168.0.49 -c pmdump.exe 220 foo.dat (220 = lsass PID at the time of this test)
C:\> move \\192.168.0.49\admin$\system32\foo.dat C:\
Open and search for: 0e003f000001080000000000, where 3F is a wildcard (WinHex). The logon/domain password is located 20 bytes after this. An administrator could find out users' passwords instantly, bypassing part of the security model. Also, in network environments administrators may tend to set the same Administrator password across many client machines and not update it. Thus reasonable effort could be made to test the hashes of the Administrator account, knowing that if successful, access to other accounts is possible.

Wordlists are very effective on weak passwords. For example a 2.59 MB file contains 235,007 words and common passwords; all of these can be checked in seconds. LC4 can run hybrid tests using the wordlist: combinations of numbers and special characters are appended to the end of each tested word, which is also very effective. Interestingly, LC4 adds the "letters like numbers" feature mentioned in my previous article under the option "Common letter substitutions". A quick look at the lc4.exe file at offset 727E4 shows: "A4@ 8b8 E3 H# i1! L1 o0 s$5 T7" (I have added spaces to divide each section). This will find passwords like p455w0rd very quickly. Passwords that are "random"

can take more time. There is the LAN Manager (LanMan or LM) hash and the NT (New Technology (?)) hash. The LM hash is DES (Data Encryption Standard) and is used for backwards-compatible network access with default 9x/NT4 systems. The NT hash is MD4 (Message Digest version 4) and is used to log on locally / at the locked screen, or more securely via networks. The same passwords create the same hashes, thus a database *could* be formed of all possible hashes. The advantage of this would be pretty much instant passwords every time using minimal processor power; the main disadvantage is space. Such a database would be huge, however some research has been done into reducing the size: http://www.antsight.com/zsl/rainbowcrack/ The method of LM hashing is not that secure. LM hashing cannot be applied to passwords of length 15 or more; if such a password is set the LM hash will be AAD3B435B51404EEAAD3B435B51404EE, which is a blank password. Letters are converted into uppercase, reducing letter combinations by 26, example:
   PASSWORD: LMHash = E52CAC67419A9A224A3B108F3FA6CB6D   NTHash = 7B592E4F8178B4C75788531B2E747687
   password: LMHash = E52CAC67419A9A224A3B108F3FA6CB6D   NTHash = 8846F7EAEE8FB117AD06BDD830B7586C
The password is then split into two sets of 7 and hashed _independently_ of each other. This means only combinations of up to 7 characters in length have to be tested, even for a 14-character password, example:
   12345671234567: LMHash = 0182BD0BD4444BF8 0182BD0BD4444BF8   NTHash = 2D1B7B6660258186 BAA95B6F64003667
Programs test the DES hash first, then test the NT hash for the correct case; the latter part takes very little time. Due to this weakness, service pack 2 for Windows 2000 updated samsrv.dll to allow the option of not storing a LM hash. Simply add a subkey to Lsa named NoLMHash, located here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash; reboot and change passwords for update. XP updated this a little to be a value instead: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"nolmhash" = dword:00000001; no reboot is required, but passwords must be changed for update. This option is GUI configurable via secpol.msc \Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change.
Test OS: Windows 2000 Professional. Processor: 1 x AMD Athlon XP 3000. In this test only US special characters were used (special character group 2). Other characters of note for UK keyboards are the [Alt Gr] key combinations; these are not included. They are not completely handled correctly by LC4 or PWSEx; the table below details the errors.
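As an added example (not code from the article, LC4 or PWSEx), the Python below implements the NT hash exactly as described, MD4 over the UTF-16LE password with no salt, reproduces the values quoted above, and then uses the two LM facts given above (the all-blank hash AAD3B435B51404EEAAD3B435B51404EE and the independent 7-character halves) to audit a constructed pwdump-style list for accounts that still store an LM hash, have a blank password, use 7 characters or fewer, or share a password with another account. The account names and RIDs are made up; the hashes are the ones quoted above.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib's md4 is often disabled under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:                                  # round 1: F, words in order
                f, k, s = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4]
            elif i < 32:                                # round 2: G, column order
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4]
            else:                                       # round 3: H, bit-reversed order
                f = (b ^ c ^ d) + 0x6ED9EBA1
                k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32]
                s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + f + x[k]) & MASK32, s), b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash: MD4 of the UTF-16LE password. No salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le")).hex().upper()


BLANK_LM_HALF = "AAD3B435B51404EE"          # LM half of an empty 7-byte block (from the article)
BLANK_LM = BLANK_LM_HALF * 2                # stored when there is no LM hash / password >= 15 chars
BLANK_NT = nt_hash("")                      # 31D6CFE0D16AE931B73C59D7E0C089C0


def audit_hash_dump(lines) -> dict:
    """Flag weak states in pwdump-style 'user:rid:lmhash:nthash:::' lines.
    Returns {user: [finding, ...]}; an empty list means nothing was flagged."""
    findings, users_by_nt = {}, {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _rid, lm, nt = line.split(":")[:4]
        lm, nt = lm.upper(), nt.upper()
        notes = []
        if nt == BLANK_NT:
            notes.append("blank password")
        if lm and lm != BLANK_LM:
            notes.append("LM hash stored (NoLMHash not in effect when the password was last set)")
            if lm.endswith(BLANK_LM_HALF):
                # second 7-byte half is empty: the password is at most 7 characters long
                notes.append("password is 7 characters or fewer")
        findings[user] = notes
        users_by_nt.setdefault(nt, []).append(user)
    for nt, users in users_by_nt.items():
        if nt != BLANK_NT and len(users) > 1:
            for u in users:
                others = ", ".join(o for o in users if o != u)
                findings[u].append("same password as " + others)
    return findings


# Constructed sample dump: names and RIDs are made up, the hashes are those quoted in the article
SAMPLE_DUMP = [
    "Administrator:500:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:::",
    "backup:1001:" + BLANK_LM + ":8846F7EAEE8FB117AD06BDD830B7586C:::",   # same password, NoLMHash on
    "Guest:501:" + BLANK_LM + ":" + BLANK_NT + ":::",
    "svc:1002:0182BD0BD4444BF8" + BLANK_LM_HALF + ":" + nt_hash("1234567") + ":::",
]


if __name__ == "__main__":
    print("NT('password') =", nt_hash("password"))
    for user, notes in audit_hash_dump(SAMPLE_DUMP).items():
        print(f"{user:14} {'; '.join(notes) or 'ok'}")
```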

Character (hex/dec)   LC4 LM     LC4 NT     PWSEx LM   PWSEx NT
                      H C A      H C A      H C A      H C A
€  80/128             N - N - N - N - N - Y - Y -
¦  A6/166             N - -      N - -      Y - -      Y - -
¬  AC/172             N - -      N - -      Y - -      Y - -
Á  C1/193             Y Y N      N N N      Y Y N      N N N
É  C9/201             N N N      N N N      Y Y Y      Y Y Y
Í  CD/205             Y Y N      N N N      Y Y N      N N N
Ó  D3/211             Y Y N      N N N      Y Y N      N N N
Ú  DA/218             Y Y N      N N N      Y Y N      N N N
á  E1/225             Y N N      N N N      Y N N      N N N
é  E9/233             N N N      N N N      Y Y Y      Y Y Y
í  ED/237             Y N N      N N N      Y N N      N N N
ó  F3/243             Y N N      N N N      Y N N      N N N
ú  FA/250             Y N N      N N N      Y N N      N N N

H = the hash containing the character was cracked, C = the case was recovered correctly, A = the accent was recovered correctly; "-" = not applicable.

The times are the maximum: all combinations up to and including that length. Most of the tests have only been carried out once. A few were double-checked and the times varied only by seconds, but because some of the tests take a long time, background system processes may slow them slightly, leading to a couple of minutes' variation. To calculate the number of permutations, raise the size of the character set to the power of the length, e.g. a 4-character letters-only password has 26 x 26 x 26 x 26 = 456,976 permutations. When the test is carried out you have to specify the level of complexity at the beginning. An improvement here would be to test progressively: first letters only, then combinations with letters _and_ numbers, since letters alone have already been tested. Special characters could also be tested progressively, as many people would probably only use one or two special characters: once letters and numbers have been tested for that length, add in each special character individually, then increase the number of special characters to test the remaining combinations.

Character sets used in the tables:
  (letters) ABC or AaBbCc = ABCDEFGHIJKLMNOPQRSTUVWXYZ or AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz respectively
  (numbers) 123 = 0123456789
  (special) !@$ = space ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
The number in brackets after each set is its size, e.g. ABC 123 !@$ = 26 + 10 + 33 = 69 and AaBbCc 123 !@$ = 52 + 10 + 33 = 95.

Testing program: LC4. Each entry is "password length: time"; a time covers all combinations up to and including that length.

LC4, testing LM hashes (the NT hash is then verified quickly for case):
  ABC (26)             1-5: very short | 6: 38 sec | 7-14: 22 min 38-39 sec each | 15: no LM hash
  ABC 123 (36)         1-4: very short | 5: 9 sec | 6: 5 min 34 sec | 7-14: 3 hrs 21 min 49-52 sec each | 15: no LM hash
  ABC 123 !@$ (69)     1-3: very short | 4: 4 sec | 5: 5 min 26 sec | 6: 6 hrs 15 min 47 sec | 7-14: estimate ~18 days each | 15: no LM hash

LC4, testing NT hashes only (no LM hash stored):
  AaBbCc (52)          1-3: very short | 4: 6 sec | 5: 5 min 35 sec | 6: 4 hrs 50 min 25 sec | 7: estimate ~11 days | 8-15: more than one PC required at this CPU
  AaBbCc 123 (62)      1-3: very short | 4: 13 sec | 5: 13 min 34 sec | 6: 14 hrs 1 min 0 sec | 7: estimate ~37 days | 8-15: more than one PC required at this CPU
  AaBbCc 123 !@$ (95)  1-3: very short | 4: 1 min 11 sec | 5: 1 hr 53 min 13 sec | 6: estimate ~8 days | 7-15: more than one PC required at this CPU

Testing program: PWSEx. Same layout as the LC4 tables; lengths with no figure were not recorded.

PWSEx, testing LM hashes (the NT hash is then verified quickly for case):
  ABC (26)             1-4: very short | 5: 1 sec | 6: 51 sec | 7: 23 min 38 sec | 8-13: 23 min 45 sec each | 14: 23 min 47 sec | 15: no LM hash
  ABC 123 (36)         1-4: very short | 5: 9 sec | 6: 5 min 56 sec | 7-14: 3 hrs 49 min 42 sec to 3 hrs 50 min 59 sec each | 15: no LM hash
  ABC 123 !@$ (69)     1-3: very short | 4: 3 sec | 5: 3 min 59 sec | 6: 4 hrs 58 min 10 sec | 7-14: no figure recorded | 15: no LM hash

PWSEx, testing NT hashes only (no LM hash stored):
  AaBbCc (52)          1-3: very short | 4: 2 sec | 5: 1 min 2 sec | 6: 53 min 21 sec | 7-15: no figure recorded
  AaBbCc 123 (62)      1-3: very short | 4: 2 sec | 5: 2 min 28 sec | 6: 2 hrs 32 min 44 sec | 7-15: no figure recorded
  AaBbCc 123 !@$ (95)  1-3: very short | 4: 13 sec | 5: 20 min 48 sec | 6-15: no figure recorded

Now you can see why hashing the two halves independently makes slightly longer passwords no more secure, and why disabling the LM hash is a _really_ good idea. Where does your current password/hash fit into these tables, and when was the last time you changed it? Remember this is only one standard machine; testing times fall dramatically on a distributed setup (more than one machine).

NT has Unicode support: not only can control and extended characters be used, but all the second-byte combinations of Unicode as well. Many programs cannot test for these, and many would not even try, as the _extremely_ high number of permutations makes testing futile. Although the IME is disabled when entering passwords, such characters can be entered via the Alt + numpad method (Alt + Fn + numpad on laptops).

Copyright Notice: You must get permission from the respective author before reproduction.
