Some of you may think that the password reset disk is an obscure feature, that it is trivial, or even that it is of little use: if we are careful enough to create a password reset disk, how could we forget the password so carelessly?
In fact, the principle behind it is still very interesting. Here we will try a simple analysis.
In the Windows XP era, when a user creates a password reset disk, Windows automatically generates a public/private key pair and a self-signed certificate. The user's account password is then encrypted with the public key and saved under the registry key HKEY_LOCAL_MACHINE\SECURITY\Recovery\<SID>, where <SID> is the user's SID. The private key is deleted from the computer and saved on the floppy disk.
In the Windows 7 era, the private key is stored on the floppy disk or USB flash drive as a file named userkey.psw.
However, if we try to view the HKEY_LOCAL_MACHINE\SECURITY\Recovery registry key on Windows 7, we find that it is empty and contains no user SID subkey.
So where is the user password encrypted with the public key stored? Obviously, if there is a private key without a copy of the account password encrypted by the public key, the password of the user account cannot be obtained.
After some investigation, it turns out that when the reset disk is created, the system automatically creates a registry hive file named Recovery.dat, saved in the folder C:\Windows\System32\Microsoft\Protect\Recovery. The lsass.exe process loads it into the registry at HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B. The meaning of C80ED86A-0D28-40dc-B379-BB594E14EA1B is unknown, and Google returns no results; if anyone knows, please do not hesitate to advise.
Once the password reset disk has been created, lsass.exe automatically unloads this hive again, so the content under HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B cannot normally be viewed. It is easy to see, however, that it can be inspected as follows:
Open a Command Prompt window with administrator privileges and run the following command to start the Registry Editor as Local System (Recovery.dat can be loaded only with Local System privileges):
psexec -s -i -d regedit
Select the HKLM root key, open the File menu, choose Load Hive, and browse to the file C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.
In the dialog box that follows, enter any key name, for example Test. Expanding the loaded key shows a subkey named after the SID of the currently logged-on account; its default value on the right is the copy of the account password encrypted with the public key.
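For administrators who want to know whether a password reset disk has ever been created on a machine (the Recovery.dat hive and its loaded-hive key are the artifacts the post describes), here is an added inventory script in PowerShell. It is not part of the original post; the file path, the GUID key name and the XP-era SECURITY\Recovery key are taken from the text above, and whether the GUID key name carries surrounding braces is an assumption, so both forms are checked.

```powershell
# Added example (not from the original post): inventory of password reset disk artifacts.
# Run from an elevated PowerShell session. Paths and key names come from the post;
# the brace/no-brace variants of the GUID key are an assumption, so both are tested.

$hivePath = Join-Path $env:SystemRoot 'System32\Microsoft\Protect\Recovery\Recovery.dat'
$guid     = 'C80ED86A-0D28-40dc-B379-BB594E14EA1B'
$guidKeys = @("HKLM:\$guid", "HKLM:\{$guid}")

$report = [ordered]@{
    RecoveryDatPresent   = Test-Path -LiteralPath $hivePath -ErrorAction SilentlyContinue
    RecoveryDatLastWrite = $null
    # True only while lsass.exe has the hive loaded (the post says it is unloaded
    # right after the disk is created), so False here does not prove no disk exists.
    HiveCurrentlyLoaded  = ($guidKeys | Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue }).Count -gt 0
    # XP-era location. The SECURITY hive is readable only by Local System, so this
    # reports False when run as a normal administrator rather than as SYSTEM.
    XpStyleRecoveryKey   = Test-Path -LiteralPath 'HKLM:\SECURITY\Recovery' -ErrorAction SilentlyContinue
}

if ($report.RecoveryDatPresent) {
    # The file's timestamp tells you roughly when the reset disk was (last) created.
    $report.RecoveryDatLastWrite = (Get-Item -LiteralPath $hivePath).LastWriteTime
}

[pscustomobject]$report
```

The script only reports presence and timestamps; it does not load the hive or read the encrypted value. A machine that shows RecoveryDatPresent as True has a removable medium somewhere holding the matching private key, which is worth tracking in the same way as any other credential-bearing media.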