Using Windows 7 password reset disk internal principle

In fact, the principle behind it is still very interesting, try to do simple analysis here.

methods and procedures:

in WindowsXP era, we know that when a user creates a password reset disk when, Windows system will automatically create a public and private, as well as a self-signed certificate. Next, the password of the user account will be encrypted with the obtained public key, and then saved in the registry key HKEY_LOCAL_MacHINESECURITYRecovery<SID>, where <SID> refers to the SID of the user. The private key is deleted from the computer and saved on a floppy disk.

to Windows7 era, we know the private key will be saved on a floppy disk or USB flash memory in the form of userkey.psw file.

But if we try to view HKEY_LOCAL_MacHINESECURITYRecovery registry keys found under is empty, and there is no user SID.

then encrypted with the public user passwords stored where in the end of it? Obviously, if the light has the private key and a copy of the public key encryption without a password account, you can not obtain the password for the user account.

after a study found (pots borrowed ProcessMonitor found, lazy, do not want to write a specific process, the process is simple), the original in the process of creating a password reset disk, Windows security subsystem process Lsass. Exe will automatically create a Recovery.dat registry hive file, saved in the C:WindowsSystem32MicrosoFTProtectRecovery folder. The Lsass.exe process will automatically load it into the registry HKLMC80ED86A-0D28-40dc-B379-BB594E14EA1B. C80ED86A-0D28-40dc-B379-BB594E14EA1B meaning is unknown, Google has no results, which boss knows, please don't hesitate to advise.

Because the password reset disk has been created, Lsass.exe process automatically unload the registry hive, so we can not look under HKLMC80ED86A-0D28-40dc-B379-BB594E14EA1B. But relatively easy to think that can be viewed by means of the following methods:

Open the Command Prompt window with administrator privileges, and run the following command to start the Registry Editor as LocalSystem (Recovery.dat need LocalSystem privileges to load):

Psexec-si-dregedit

select HKLM registry root key, and then click file, load hive, and navigate to C: WindowsSystem32MicrosoFTProtectRecoveryRecovery.dat file. www.Examda.CoM
exam to test a large

any given item name in the next dialog box, for example, can be a Test, and then expand the subkey under, you can see To the current SID of the login account, the default key value on the right side of the account is a copy of the account password encrypted with the public key.

client operating systems, Windows usage is highest. For Microsoft's latest Windows 7 operating system, although it can be said that it is currently the most secure operating system, but limited by the so-called "barrel principle", if you do not pay attention to the use, you may still encounter potential security risks, and may Lead to serious consequences. Therefore, the contents of the internal principles Using Windows7 password reset disk in small series about the above is very important, oh

down quickly learn