Vous êtes sur la page 1sur 6

Windows Password Files Torn Apart By Ankit Fadia ankit@bol.net.


All Windows, users would probably be familiar with the infamous pwl files or the files
where the Windows lo!in passwords are stored. Well, this manual is aimed at,
simplifyin! how the authenti"ation works when you type in your #ser name And
password, what e$a"tly .pwl files "ontain, where e$a"tly they "ome into the pi"ture and a
whole lot of related thin!s.

The %.pwl files are basi"ally files in whi"h the Windows &o!in Passwords are stored in.
These files "an be found in the 'Windows dire"tory by the name of the #ser, whose
password it "ontains. For ($ample, if your Windows lo!in #sername is ankit, then the
"orrespondin! password would be stored in ")'windows'ankit.pwl *et it+ These .pwl files
are readable in any te$t editor like ,otepad, but they are definitely not understandable. A
typi"al e$ample, of the "ontents of a .pwl file is as follows)


p u.2345r26789:; <=>h?@.A B CDEFGH$IJ6WK-L8MG+NOPQRSTUV4'W9VX4Y(Z[\]m^\
_`a. B NBbc2...d@

This is definitely not somethin!e a normal person "an "omprehend or make sense of.

,ow, besides the Windows re!istry, fi"rosofts poli"y of se"urity by obs"urity "an also
be seen in the "ase of what .pwl files. Althou!h the ori!inal usa!e of .pwl files was a
standard to be used, by all appli"ations, fi"rosoft simply does not offi"ially progide any
type of information on the standards of .pwl files.

To !et a list of .pwl files in your system or in other words to find out whi"h all passwords
usin! the .pwl te"hnolo!y JWhat a !ood friend of mine likes to "all themh are bein!
stored on a parti"ular system, then simply open ")'windows'system.ini in a plainte$t
editor like ,otepad and look under the iPassword &istsj se"tion. A typi"al line from this
se"tion would be in the followin! format) #k(1,Af(lPath_of_pwl_file

For ($ample,

iPassword &istsj

This tells us that the .pwl "ontainin! the password for the #sername ankit is stored at)

Anyway, the al!orithm whi"h is used in the "ase of storin! information in the .pwl files
Jrather in the .pwl se"urity optionh, refers to su"h files as databases, with ea"h re"ord
"onsistin! of three fields/)

1esour"e name
1esour"e password
1esour"e type Jm..:nnh
Before, ` moge onto !igin! details about the aboge three fields, let us dis"uss, how
e$a"tly the #ser Authenti"ation pro"ess takes pla"e in Windows J`n the "ase of the lo!in
,oT() The below pro"ess is what happens in the "ase of the Windows lo!in password.

When you first set a new a""ount on Windows, it deriges an en"ryption key from the
spe"ified password and "reates ")'windows'username.pwl file, where username is the,
well, 6uite obgious. one, thin! to note here is that the .pwl file does not, ` repeat does not
store the lo!in password, nor does it store the #sername.JAlthou!h its name is same as
the #sername for whose authenti"ation it is used.h What it stores, will be"ome "learer
on"e you read the below para!raph.

,ow, the ne$t time, you boot your system and type in your #sername and password, then
de"rypts the .pwl "orrespondin! to the #sername progided, usin! the de"ryptin! key
obtained from the password progided. on"e, the .pwl file has been de"rypted usin! the
de"ryption key obtained from the progided password, Windows, gerifies the "he"ksum. `f
the "he"ksum is "orre"t or mat"hes, then the user is authenti"ated else, try a!ain. `n the
pro"ess of "he"ksum gerifi"ation, the username progided plays an important role.

Both the #sername and ?he"ksum are en"rypted usin! a simple al!orithm) 1?V.

pA?q`,* T1#Tp) Althou!h, almost always, the name of the .pwl file is same as the
#sername, sometimes the name does differ. For ($ample, if, ` use : to W different
appli"ations usin! .pwl se"urity and then use the same username i.e. ankit in all of them
to store passwords, then the namin! of the .pwl files would be as follows)
The first .pwl would be named) ankit.pwl, the se"ond would be named) ankitmmm.pwl , the
third would be) ankitmmr.pwl and so on.
And, ` am not too sure, but from what ` !ather, Windows neger eger ogerwrites a .pwl

?omin!, ba"k to the fields. Both the resour"e name and resour"e password fields "an be
binary or simply en"rypted and they are inter"han!eable by the appli"ation ingolged. The
1esour"e Type field "an hage different numeri"al galues dependin! upon the software
ingolged. For ($ample, A#,, Aial #p kerger and Windows &o!in, uses P as the galue
for the 1esour"e Type field. While, `nternet ($plorer uses rs as the galue of the same

one thin! to note about Windows &o!in password al!orithms is that, the first time it was
introdu"ed, the al!orithm was gery gery weak and allowed passwords to be easily
de"rypted. poweger, with ea"h new release, the al!orithms used hage been improgin!.
poweger, it still has not rea"hed a reliable legel.
`n the al!orithms used by garious operatin! kystems to en"rypt their lo!in passwords, the
al!orithm used by Windows is the worst. kome "ommon defe"ts are/)

The "ipher al!orithms ingolged are relatigely lame. i.e. 1?V and fAn. They "an easily
be broken. 1efer to) http)99ha"kin!truths.bo$.sk'al!orithms.htm for more info on garious
(n"ryption al!orithms.
All passwords are "ongerted to upper"ase
#n/a""eptably lame or weak method of stora!e.
tarious poles e$istin! in the Password ?a"hin! Fa"ility. The followin! tisual ?44
pro!ram demonstrates further as to how this gulnerability "an be e$ploited.

J"h rssu, sv titas 1aman"hauskas
#se tisual ?44 to "ompile this into winW: "onsole app.
This "ode progided for edu"ational purpose only.
GG ,o WA11A,TE, ,o k#PPo1T GG
win"lude Mwindows.hx
win"lude Mstdio.hx
typedef stru"t ta!PAkkWo1A_?A?p(_(,T1E y
Wo1A "b(ntrye 99 size of this entry, in bytes
Wo1A "b1esour"ee 99 size of resour"e name, in bytes
Wo1A "bPassworde 99 size of password, in bytes
BET( i(ntrye 99 entry inde$
BET( nTypee 99 type of entry
BET( ab1esour"eirje 99 start of resour"e name
99 password immediately follows resour"e name
I PAkkWo1A_?A?p(_(,T1Ee
"har %buf, %obre
int "nt l me
Boo& ?A&&BA?q p"eJPAkkWo1A_?A?p(_(,T1E %$, AWo1Ah
memmogeJbuf, $/xab1esour"e, $/x"b1esour"ehe
bufi$/x"b1esour"ej l me
?harTooemJbuf, obrhe 99 for non/(n!lish users
printfJ7Y/Wms ) 7, obrhe
memmogeJbuf, $/xab1esour"e4$/x"b1esour"e, $/x"bPasswordhe
bufi$/x"bPasswordj l me
?harTooemJbuf, obrhe
printfJ7Ys'n7, obrhe
return T1#(e
goid mainJh
buf l new "harirm:Vje
obr l new "harirm:Vje
putsJ7There is no se"urity in this "razy worldG'n7
7Winsn PW& giewer gr.mr J"h rssu, sv titas 1aman"hauskas'n7
7GThis pro!ram intended to be used for le!al purpose onlyG'n7
7This pro!ram shows "a"hed passwords usin! standard Jbut undo"umentedh'n7
7Windows AP` on lo"al ma"hine for "urrent user Juser must be lo!!ed inh.'n7
7Eou may ingoke pwlgiew in this way) pwlgiew xx te$tfile.t$t'n7
7to sage passwords in file Jdondt for!et to press enter twi"eh'n7
7Press (nter to be!in...'n7he
p`,kTA,?( hi l &oad&ibraryJ7mpr.dll7he
putsJ7?ouldndt load mpr.dll. This pro!ram is for Windows sn only7he
Wo1A J__std"all %enphJ&PkT1, Wo1A, BET(, goid%, AWo1Ah l
JWo1A J__std"all %hJ&PkT1, Wo1A, BET(, goid%, AWo1Ahh*etPro"AddressJhi,
putsJ7?ouldndt import fun"tion. This pro!ram is for Windows sn only7he
J%enphJm,m, m$ff, p"e, mhe
putsJ7,o passwords found.'n7
7Probably password "a"hin! was not used or user is not lo!!ed in.7he
putsJ7'nPress (nter to 6uit7he

Ankit Fadia

To re"eige tutorials written by Ankit Fadia on egerythin! you eger dreamt of in your
`nbo$, {oin his mailin! list by sendin! a blank email to) pro!rammin!forha"kers/

Wanna ask a 6uestion+ *ot a "omment to make+ ?riti"ize, ?omment and more|..by
sendin! me an `nstant fessa!e on fk, fessen!er. The `A that ` use is)