Managing The Windows 2000 Registry by Paul Robichaux

Encrypting HKLM\SAM with SYSKEY

Like Unix, Windows 2000 and NT don’t directly store user or machine passwords. Instead, they pass the passwords through a scheme called a one-way function, or OWF. The OWF takes a password in and generates a new block of data that is related to, but doesn’t contain, the password. The “OW” in OWF comes from the fact that it’s not feasible to take the output of the OWF and “go backwards” to derive the original password. The output of the OWF is called a password hash. NT stores the password hashes instead of the password, so you can’t steal the hash and use it directly in place of a password. Windows 2000 also stores hashed passwords for local user and computer accounts, as well as for backward compatibility with older Win9x and NT clients.

In the spring of 1997, an enterprising group of hackers from L0pht Heavy Industries (http://www.l0pht.com) publicized the fact that it was possible to get the password hashes from a SAM database (or by sniffing them over the network) and feed them to a password-cracking tool. These types of attacks have been known for many years in the Unix community, but their appearance in the Windows NT world generated a lot of headlines. In practical terms, the actual risk was significant. Even though only administrators have access to the SAM to get the OWF’ed passwords in the first place, the hashes could be recovered from backup tapes or ERDs, and they could be sniffed off the network.

Accordingly, Microsoft ...
