Jan 242021

Every time that you change the login password on your system, Windows stores the hashes of the previous password in the CREDHIST file (Located in %appdata%\Microsoft\Protect\CREDHIST ).

Lets play with the credhist file and NTHASH then.

-User test created with Password1
-I then logged in and changed password twice to Password2, then Password3.

I retrieved credhist file for that user, took it offline, then ran the below:
nthash-win64 /decodecredhist /binary:.\credhist-test.

The contains 2 entries (everytime I changed password,i.e twice).


Decryption is based on a hmac key generated from the sha1 password + the user SID.

Lets get the SHA1 of the current user password (the user SID is known in the credhist file).

NTHASH-win64.exe /widestringtohexa /input:Password3 | NTHASH-win64.exe /gethash /mode:SHA1
NTHASH 1.8 x64 by erwan2212@gmail.com

Now lets decrypt last credhist entry i.e #1.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:31F8F4DFCB16205363B35055EBE92A75F0A19CE3 /key:1

I get

This is sha1/ntlm for Password2.
Now lets decrypt previous (and first) entry i.e #0.

nthash-win64 /decodecredhist /binary:.\credhist-test /password:2277C28035275149D01A8DE530CC13B74F59EDFB /key:0


This is sha1/ntlm for Password1.


That’s it : we have seen the logic behing this credhist file and how to decrypt it.

  2 Responses to “Lets play with windows credhist file”

  1. Hi Erwin, I followed your article but I am not getting the SHA1.
    My problem is that I might changed the password of the user and I am not able to decrypt anymore files encrypted with EFS.

    I also notice that while running your tool cmd when it comes to showing the SID I get an extreme length string on multiple lines.
    My CREDHIST does have only one entry so I tried to use Key0 in the last command and the last thing returned is the psecret
    Do you have any suggestion?

  2. I just wanted to say that you have very valuable information and it is easy to read.

    For example, the Arduino articles you have written, are very easy to understand compared to many others.

    Thank you!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.