erwan2212 / NTHASH-FPC


Win 10 2004H1(OS Build 19041.685) testing some commands #17

Open Papotito123 opened 3 years ago

Papotito123 commented 3 years ago

Hello: For the benefit of you and some other tool devs, with whom I have some contact, I reinstalled Windows 10 2004H1.

Windows 10 2004H1 (OS Build 19041.685) fresh installation for local user account and Defender turned OFF.

So I ran some commands again:

C:\Users\TESTUSER\Desktop\TESTINGTOOLS\NTHASH>NTHASH-win64.exe /enumcred /system /verbose
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
CredEnumerateW failed, 1168
enumcred NOT OK

C:\Users\TESTUSER\Desktop\TESTINGTOOLS\NTHASH>NTHASH-win64.exe /enumcred2 /system /verbose
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
no patch mod for this windows version

For /dumpsecret /input:, it only gives DPAPI_SYSTEM as an option:

C:\Users\TESTUSER\Desktop\TESTINGTOOLS\NTHASH>NTHASH-win64.exe /dumpsecret /input: /system /verbose
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
MyRegEnumKeys server: subkey:Security\Policy\secrets
RegOpenKeyEx OK
DPAPI_SYSTEM

I ran regedit as TrustedInstaller and as the SYSTEM user, but in HKLM\SECURITY\Policy\Secrets I only have DPAPI_SYSTEM with subkeys of: CupdTime, CurrVal, OldVal, OutputTime, SecDesc. No others. Also there's no L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x found in the registry.

And ran /logonpasswords again (the NTLM/SHA1 hashes are good ones):

C:\Users\TESTUSER\Desktop\TESTINGTOOLS\NTHASH>NTHASH-win64.exe /logonpasswords /system
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM

LUID:0004855C username:TESTUSER domain:DESKTOP-2MQNEKR
->CredentialManager:1EAF98D11D0
-CREDENTIALW:1EAF98D78B0 CREDENTIALS.AuthID:00000003
->Primary domain:DESKTOP-2MQNEKR username:TESTUSER ntlm:4E3835474A5319A5C13F66A6C196A9EF sha1:33D563D22110731E35F63D5A2BAED913FBB748D6

LUID:00048525 username:TESTUSER domain:DESKTOP-2MQNEKR
->CredentialManager:1EAF98D11D0
-CREDENTIALW:1EAF98D78B0 CREDENTIALS.AuthID:00000003
->Primary domain:DESKTOP-2MQNEKR username:TESTUSER ntlm:4E3835474A5319A5C13F66A6C196A9EF sha1:33D563D22110731E35F63D5A2BAED913FBB748D6

LUID:000003E5 username:LOCAL SERVICE --- ........ -----

Thanks.

erwan2212 commented 3 years ago

Looks like a new build: I need to review the nthash code to ensure this build is supported by my code. It is not hard to add support for new Windows builds.

Papotito123 commented 3 years ago

Hello: Cool. This new Windows 10 2004H1 (OS Build 19041.685) installation is with no modifications. Just a local user account. No third-party AV, just Defender, which I turn OFF manually. There are still folders, like System32\config, that don't let me open them, even though the user account is Administrator. The \Protect folder contents are not visible to the user (but accessible from cmd and tools). The Security/LSA registry keys are not visible even when running regedit as SYSTEM or TRUSTEDINSTALLER. What I'm seeing is that some info taken from the registry is not visible but is still available through other ways. As for LSA Secrets, it seems they are not grabbed from registry keys.

So much thanks.

erwan2212 commented 3 years ago

/dumpsam will now work with win10 2004

erwan2212 commented 3 years ago

/dpapimk will now work with win10 2004

erwan2212 commented 3 years ago

added /showkeymgr to open windows credential manager. /enumcred resulting in 1168 is usually the sign that there are no credentials saved.

fyi, the saved credentials shown by showkeymgr or enumcred or enumcred2 are the same ones you see with logonpasswords with type CREDENTIALW.

erwan2212 commented 3 years ago

/enumcred2 will now work (aka decrypt) on win10 2004.

NTHASH-win64 /enumcred2
NTHASH 1.8 x64 by erwan2212@gmail.com
1

Flags:0 Type_:2 TargetName:test UserName:username CredentialBlob:p a s s w o r d

Papotito123 commented 3 years ago

Hello: I'm testing. All NTLM/SHA1 hashes retrieved are good.

I ran some commands and they worked well the 1st time. I shut down the computer and some hours later I logged in; some of the commands failed.

This is the output: Papotito123_Win 2004 testing commands.txt

I noticed that Edge (chromium) version 87.0.664.75 (Official build) (64-bit) did not save passwords in Credential Manager (Web Credentials) as Edge (non-chromium) does.

When running /dumpsecret, it shows the subkey the info is taken from (subkey:Security\Policy\secrets). In Win 2004 there's only the DPAPI_SYSTEM key with subkeys of: CupdTime, CurrVal, OldVal, OutputTime, SecDesc. In Win 1909 and before you could see in the HKLM\SECURITY\Policy\Secrets keys an L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x user key for each user and the NL$KM key. From these subkeys the LSA Secrets Questions and Answers are taken. This is something that some devs do not take into consideration. I sent some posts to https://github.com/G0ldenGunSec/SharpSecDump/issues/2 about these "security improvements" in Win 2004. With these Q&A anyone can do a reset of the user password, because having the answers will grant login.

So much thanks,

erwan2212 commented 3 years ago

reviewing your log file.

in the meantime I have added: NTHASH /setlsasecret /input:keyname /password:secret [/server:hostname] so this way you can test setting/getting secrets.

also, if you run system.cmd then secrets.cmd you can check the secrets registry for yourself.

Papotito123 commented 3 years ago

Hello: I ran the same commands with the latest NTHASH code in W1909. Some errors in some commands.

Papotito123_testing commands(W1909).txt

See that /logonpasswords (bad hashes) and /dumphashes (good hashes) give different NTLM hashes. Also /dumpsam gives an error.

So much thanks.

Papotito123 commented 3 years ago

Hello: Win 2004 x64 Defender Disabled.

cmd > cd ".\nthash folder"

C:\Users\TESTUSER\Downloads\NTHASH-FPC(18ENE2021)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>system.cmd /system
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM OK

Microsoft Windows [Version 10.0.19041.685] (c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\TESTUSER\Downloads\NTHASH-FPC(18ENE2021)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>secrets.cmd /system

C:\Users\TESTUSER\Downloads\NTHASH-FPC(18ENE2021)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>echo you must be system
you must be system

C:\Users\TESTUSER\Downloads\NTHASH-FPC(18ENE2021)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>reg.exe query hklm\security\policy\secrets

HKEY_LOCAL_MACHINE\security\policy\secrets (Default) REG_NONE

HKEY_LOCAL_MACHINE\security\policy\secrets\DPAPI_SYSTEM

C:\Users\TESTUSER\Downloads\NTHASH-FPC(18ENE2021)\NTHASH-FPC-master\NTHASH-FPC-master\NTHASH>

That's all I got. In Win 1909 I got all subkeys.

Thanks again.

erwan2212 commented 3 years ago

> Hello: I ran the same commands with the latest NTHASH code in W1909. Some errors in some commands.
>
> Papotito123_testing commands(W1909).txt
>
> See that /logonpasswords (bad hashes) and /dumphashes (good hashes) give different NTLM hashes. Also /dumpsam gives an error.
>
> So much thanks.

just downloaded a win10 1909 version. will do some tests shortly.

erwan2212 commented 3 years ago

new version uploaded. win10 1909 should be ok now : tested dumpsam, logonpasswords, dpapimk, enumcred/enumcred2.

Papotito123 commented 3 years ago

Hello: Tested the latest nthash zip in W 1909 x64.

NTHASH 1.8 x64 by erwan2212@gmail.com
Windows Version:10.0.18363-1909
Architecture:AMD64
Username:TESTACCOUNT
IsAdministratorAccount:True
IsElevated:True
DebugPrivilege:True
LSASS PID:804

dumpsam/logonpasswords NTLM-SHA1 hashes are good. dpapimk values are good.

enumcred/enumcred2 throws "CredEnumerateW failed, 1168". So that means there are no credentials saved. So these "Credentials" should be the ones saved in Credential Manager > Windows Credentials? If yes, then there are none saved here (only the VirtualApp, whatever that is). But I have 1 in Web Credentials.

Much thanks.

erwan2212 commented 3 years ago

the saved credentials shown by /showkeymgr or /enumcred or /enumcred2 are the same ones you see with /logonpasswords with type CREDENTIALW.

Papotito123 commented 3 years ago

Hello: Testing the latest nthash zip in W2004.

D:\NTHASH>NTHASH-win64.exe /context
NTHASH 1.8 x64 by erwan2212@gmail.com
Windows Version:10.0.19041-2004
Architecture:AMD64
Username:TESTUSER
IsAdministratorAccount:True
IsElevated:True
DebugPrivilege:True
LSASS PID:564

D:\NTHASH>system.cmd
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM OK

D:\NTHASH>secrets.cmd

D:\NTHASH>echo you must be system
you must be system

D:\NTHASH>reg.exe query hklm\security\policy\secrets

HKEY_LOCAL_MACHINE\security\policy\secrets (Default) REG_NONE

HKEY_LOCAL_MACHINE\security\policy\secrets\DefaultPassword
HKEY_LOCAL_MACHINE\security\policy\secrets\DPAPI_SYSTEM

D:\NTHASH>NTHASH-win64.exe /getlsasecret /input:DPAPI_SYSTEM /symbol /system
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
Full:xxxxxxxxxxxxxxxxxxx...............
Machine::xxxxxxxxxxxxxxxxxxx...............
User::xxxxxxxxxxxxxxxxxxx...............

D:\NTHASH>

Now system.cmd gives DefaultPassword as a reg key.

Still, this:

NTHASH-win64.exe /dumpsecret /input:* /system
NTHASH 1.8 x64 by erwan2212@gmail.com
Impersonate:SYSTEM
DefaultPassword
DPAPI_SYSTEM

doesn't give Secrets reg keys in the format of L$_SQSA_S-1-5-21-16xxxxxxxxxxxxxxxxx-100x.

As for /enumvault, I tested in W1909 and it gives the credential saved (Edge Internet Explorer) in Web Credentials. /enumvault in W2004 doesn't give Edge (chromium) version 87.0.664.75 (Official build) (64-bit) because it does not save passwords in Credential Manager (Web Credentials) as Edge Internet Explorer (non-chromium) does.

Thanks.

Papotito123 commented 3 years ago

Hello

Papotito123 commented 3 years ago

Hello: I did recover the W2004 Edge (chromium) login with the Offline method (copying the necessary files to USB) in W1909 using nthash, and it worked well.

I automated the Offline process with a bat that includes some .hta for input, a few .vbs (one of them for trimming strings) and recovers chrome/edge (chromium) logins saved to a txt. Don't expect a beautiful, short batch script, and maybe a somewhat redundant one. But it works in W1909 and W2004.

Thanks.

erwan2212 commented 3 years ago

I would be happy/interested to look at your scripts

erwan2212 commented 3 years ago

About "questions and answers" to reset a user password, you were right. It is no longer a secret in the form of "L$_SQSA_S-1-5-21-xxxxxxxxxxxxxxxxxxx-100x". It has been moved to a new location in the registry (SAM) starting with win10 1909 (and it is not encrypted anymore...). The latest nthash version can retrieve it with /dumpresetdata /system, or offline: /dumpresetdata /offline.

Papotito123 commented 3 years ago

Hello: Testing latest nthash zip.

I did /dumpresetdata /offline for W2004 (copying the hives to the nthash folder) and, yes, it recovered the account Q&A for the only user. I will create another user account to see if it recovers all users' Q&A.

I tested in Win 1909 and it also worked well. It only retrieved for the logged-in user (not for the other 4 accounts).

Cool.

So much thanks.

Papotito123 commented 3 years ago

Hello: Well, I send this; I used a Defender tool to disable it (it creates a security key code) before running nthash or others. I prepared this to run from USB.

from USB.zip

I hope you did not have a heart attack when looking at the code.

So much thanks.

Papotito123 commented 3 years ago

Hello: Regarding /dumpresetdata /offline for W2004, I created a second local user and ran Offline. It retrieves the LSA Secrets Q&A for both accounts. I can speculate that running /dumpresetdata /system (Online) only retrieves for the logged-in user account? I copied SAM, SYSTEM, SECURITY, SOFTWARE and placed them into the nthash folder and ran as /offline. It still only retrieves the logged-in user's Q&A.

Or is /dumpresetdata more related to running on W2004?

Much thanks.

Papotito123 commented 3 years ago

Hello: I sent you a from USB.zip before.

This was so messy.

I edited the .bat to make it more readable. Also fixed some errors. This localstate.bat works well when right-clicking and choosing Run As Admin.

from USB.zip

But I can't compile it to exe. The error is in the :LOCALSTATE subroutine. Using Call somehow changes the working dir to %temp% and doesn't change back to the USB. I read and tried some things but with no success.

Just explaining this behaviour in case you are trying to compile.

Hope no brain damage for this.

So much thanks.

MeKLiN2 commented 2 years ago

I am a Windows registry tweaker and I have been trying to create these profiles from scratch. So far I have: c:\windows\system32\config\sam\sam\account\users\000001F9 and 0000001F6 with their F reg binary set to the correct 0x1f9 (505?), as 00000001F5 (501) is 0xF501 on offset 30 as shown in its binary data, and 0000001F4 is admin aka 0xF401 (500), as shown on offset 30 in its binary data. That is all from the SAM\Domains\Account\Users\Names which had all 4 default subkeys pwd reset and /active'd with binary regediting done by dism++ offline (I can do it without as well). Then I copied them as a template to the unused 1F6 and 1F9 hoping it will be a super hidden key (but it probably wouldn't work without the SID set right in the SECURITY hive, and I'm not doing that in this experiment). After setting up Users/Names, I've done many tests, and now settle with experimenting with the TrustedInstaller and SYSTEM user names. But the weird thing is when referring to their binary SID, like in ProfileList (SOFTWARE mic wint cv) ProfileImagePath, the reference to such a SID like the Administrator user's (S-1-5-18) shows 01 01 00 00 00 00 00 05 12 00 00 00. I have purely failed trying to change these referenced parts all over to this 'SID in hex', such as SOFT mic wint cv Winlogon's AtoLogonSID reg_sz ... I have used many, and successfully got s-1-5-18 aka Administrator/BUILTIN (useless profile) aka the once powerful safemode profile, which is now useless, and we should be looking back to XP's registry to find out what has changed. What I think that profile does is execute as SYSTEM\NT AUTHORITY more easily and SHARES permissions with NT AUTHORITY(?)\TrustedInstaller. It has a ProfileList entry making it a public, open, usable profile for people to log in to, yet the power remains hidden. They leave it ambiguous, and S-1-5-21 is the true power profile. So we want to study the difference between the 'first logon pe shell MINWINPC$' SYSTEM profile, also showing whoami /all as being s 1 5 18... but it is logged on with special DWORDs somewhere, and is real, and usable, with weird permission differences like not being able to use shutdown (seen in Process Hacker token inspect). Next is the SID being referenced as 01 02 00 00 00 00 00 05 12 00 00 00, and that must be how they hide it, referencing this customly in all places to use that profile while never being able to log in to it. Anyways, I have set many, many things in Winlogon and ProfileList (user manager and authentication are useless keys to tinker with) and now I'm going to try to set one for SID reg_binary 01 01 00 00 00 00 00 05 15 00 00 00, which is s-1-5-21, and see if it logs in, but I need you guys to do the NT HASH stuff... I'm busy working in regedit! Sincerely, dr meklin (author of the fastest Windows 7 iso ever made, 7700 archive.org/details/@meklin

So all that needs is the SecDesc, ActSysAc and Sid (easy for me to edit) under the created Accounts in c:\windows\system32\config\SECURITY aka SECURITY\Policy\Accounts, where you will notice your account s-1-5-21-19873498274 is referenced with the 'group' name SIDs, meaning they can be used, and one of them is even the owner of itself, a group owning a group, builtin\administrator, which is the easiest to log in to despite it constantly wanting to create a new s-1-5-21 named administrator. One easy way is to leave Windows setup from audit mode (ctrl shift f3) and control userpasswords2 after net user /active /passwordreq:no and net user administrator "" which sets the pwd blank. Please help. The SID reference in SECURITY\Policy\Accounts\S-1-5-19 is 01 01 00 00 00 00 00 05 13 00 00 00; it's decimal to binary, so 19 = 13 like in the binary above.. but when it's S-1-5-32-544, the SID is 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 .... Why is it starting as 01 02?? All others are 01 01... When creating, as they are now here, in this SECURITY\Policy\Accounts hive and subkeys, what should they be created as? Even weirder, trusted installer and wdi (service) or system?host s-1-5-80-3139157870 is starting 01 06 .... I think it's undocumented that these 'group' SIDs (01 02's) are actually accounts, as shown by whoami /all describing a few SIDs in the list, and it does say builtin\administrators is named that and has a full SID s-1-5-32-544, which is one number in each group that it needs from my limited understanding (s 1 5 = 01 01, groups = 01 02), so 'administrators' is who we want to create as a master power account, and the throw-off they put is the Administrator account, which doesn't even have an account in the SECURITY POLICY ACCOUNTS hive key, so that's a decoy. That SID is 01 01 00 00 00 00 00 00 05 12 and IS used by safemode but doesn't do anything; I think it just logs in as it but all the underworkings of safemode and peshell mode are under the hood and linked to SYSTEM, which is who you are in PE SHELL... but it's s-1-5-18... and echo %userprofile% shows c win sys32 config sysprofile... and that is truly the safemode useless profile. And that ProfileList key ProfileImagePath is useless; it's all about the SID and Winlogon DefaultUserPassword DefaultDomain DefaultLogin as well as maybe, dword 1, SystemAutoLogon as well as, maybe, SETUPEXECUTE. Oh, you didn't know that key in Session Manager Memory Management Environment? Search prefetchparameters in regedit. Anyway, other brainstorming: c:\windows\system32\config\SYSTEM/controlset001\ctrl\sesman\enviroment Safeboot option_minimal = our only real access to power mode like XP. Just add all the services from Ctrlset001\services into there = regular power desktop + all services on? idk... MiniNT key? Help!