Location of Password Hashes on a Windows Local Machine?
- C:\windows\system32\config\SAM (Registry: HKLM/SAM)
- System memory
The SAM file is mounted in the registry as HKLM/SAM. Windows locks this file, and will not release the lock unless it's shut down (restart, BSOD, etc). However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.
Therefore, it seems more than likely that the hash, or password, will also be stored in memory. In fact, there are quite a few password crackers that take your password directly from memory.
There is an additional location where they store cached domain credentials as MSCASH2 hashes:
HKEY_LOCAL_MACHINE\Security\Cache
So, if you are talking about a domain-joined machine, there are three places that you could find credentials stored.
- SAM file (need both C:\windows\system32\config\SAM, and C:\windows\system32\config\system)
- Registry (HKEY_LOCAL_MACHINE\Security\Cache for domain credentials, HKEY_LOCAL_MACHINE\SAM for local credentials)
- In-memory (dump with mimikatz) -- however this last one isn't "stored" as in written-to-disk.
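
A defender's audit of the three locations listed above, as an added example that is not part of the original answers: it checks the ACLs on the SAM and SYSTEM hive files, the `CachedLogonsCount` value that limits how many entries are kept under HKEY_LOCAL_MACHINE\Security\Cache, and the `RunAsPPL` value that enables LSA protection for LSASS memory. The `$maxCached` threshold and the list of low-privileged SIDs are assumptions to adjust to local policy.

```powershell
# Added audit example: one defensive check per credential location listed above.
# Run from an elevated PowerShell session. It reads ACLs and settings only.
$results   = @()
$lowPriv   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, Authenticated Users, Users
$maxCached = 2                                       # assumed policy threshold, adjust to yours

# 1. Hive files on disk: no allow ACE for low-privileged groups.
foreach ($hive in 'SAM', 'SYSTEM') {
    $path = Join-Path $env:SystemRoot "System32\config\$hive"
    try {
        $acl   = Get-Acl -Path $path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $bad   = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $lowPriv -contains $_.IdentityReference.Value
        })
        $results += [pscustomobject]@{
            Location = $path; Setting = 'Low-privileged allow ACEs'
            Value = $bad.Count; Ok = ($bad.Count -eq 0)
        }
    } catch {
        $results += [pscustomobject]@{
            Location = $path; Setting = 'ACL unreadable'
            Value = $_.Exception.Message; Ok = $null
        }
    }
}

# 2. HKLM\Security\Cache: CachedLogonsCount caps how many domain logons are cached.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }              # value absent: Windows default is 10
$results += [pscustomobject]@{
    Location = 'HKLM\Security\Cache'; Setting = 'CachedLogonsCount'
    Value = $cached; Ok = ([int]$cached -le $maxCached)
}

# 3. LSASS memory: RunAsPPL of 1 or 2 means LSA protection is enabled.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
$results += [pscustomobject]@{
    Location = 'LSASS memory'; Setting = 'RunAsPPL'
    Value = $ppl; Ok = ($ppl -in 1, 2)
}

$results | Format-Table -AutoSize -Wrap
```

An `Ok` column of `False` marks a location whose protective setting is weaker than the assumed baseline; an empty `Ok` means the check could not be performed.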