Full Windows password hash location

Where windows passwords are really located ?


Some information about windows passwords are easy to find like the registry file where passwords are located : %windir%/System32/config/SAM

But the full path where to find the hash is hardest to find ; it's stored in the windows registry under the key :

"HKLM\SAM\SAM\Domains\Account\Users\00000XXX" (where "XXX" is the account number) in a value named "V".

The hash is stored at a variable offset that is stored at offset 0x9C and is a 4 byte little endian value.


With these informations, you can find directly in the registry password data and read, copy, or change it, without any non-microsoft windows software.


PS : Some authorization modification is necessary to access "SAM" key, even with Administative account.

The other way is to lauch registry editor as system account.