OfflineReg and Windows password

 offlinereg  Add comments
Fév 032018
 

From an offline SAM hive (could be from winpe), run the below command, reboot and log in with a blank password.
CAREFULL : make a backup of your hive first !


OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 160
OfflineReg-win32 "c:\windows\system32\config\SAM" sam\domains\account\users\000003e8 setvaluebyteat v 0 172

See here for more details about setvaluebyteat details.

000003e8 is my custom local admin account.
000001f4 would be the default windows account.
0xA0 (160) and 0xAC (170) are the offset for the LM and NTLM hash lengths: setting this to 0 effectively set the password to blank.

Use the below command line to enum accounts in your SAM db.


OfflineReg-win32 "c:\windows\system32\config\SAM" SAM\Domains\Account\Users enumkeys

 Posted by at 14 h 45 min

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.