On Windows 7, you can set a login password when you create a user account to protect your data. What if you later forget that password? Don't worry: Windows 7 ships with a small tool, the "password reset disk", that lets you reset it. Some readers may regard the password reset disk as a gimmick, trivial, even pointless: if you are careful enough to create a password reset disk in the first place, how could you then carelessly forget the password?
The mechanism behind it is nevertheless quite interesting. Below is a brief analysis.
Methods and Steps:
In the Windows XP era, when a user created a password reset disk, Windows automatically generated a public/private key pair and a self-signed certificate. The user account's password was then encrypted with that public key and stored under the registry key HKEY_LOCAL_MACHINE\SECURITY\Recovery\<SID>, where <SID> is the user's SID. The private key was written to the floppy disk and removed from the computer.
In the Windows 7 era, the private key is stored on the floppy or USB flash drive as a file named userkey.psw.
However, if we look at the HKEY_LOCAL_MACHINE\SECURITY\Recovery key, we find that it is empty: there is no subkey for the user's SID.
So where is the copy of the user password encrypted with the public key stored? Clearly, the private key on its own is useless: without the ciphertext of the account password produced with the matching public key, the account password cannot be recovered.
A little research with Process Monitor turned up the answer (the detailed trace is omitted here; the process is simple). While the password reset disk is being created, the Windows security subsystem process lsass.exe automatically creates a registry hive file named Recovery.dat in the folder C:\Windows\System32\Microsoft\Protect\Recovery and loads it into the registry under HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B. The meaning of C80ED86A-0D28-40dc-B379-BB594E14EA1B is unknown and a Google search returns nothing; if any reader knows, please do not hesitate to advise.
Once the password reset disk has been created, lsass.exe automatically unloads the hive again, so the contents under HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B cannot be viewed directly. It is easy, however, to view them as follows:
1. Open a Command Prompt window with administrator privileges and run the following command to start Registry Editor as Local System (loading Recovery.dat requires Local System permission):
Psexec -s -i -d regedit
2. Select the HKLM root key, then click File, Load Hive, and navigate to the file C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.
3. In the next dialog box, enter an arbitrary key name, for example Test. Expand the subkeys beneath it and you will see the SID of the currently logged-on account; the (Default) value on the right-hand side is the copy of the account password encrypted with the public key.
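As an added example (my own script, not code from the original post), the same inspection can be done from PowerShell without clicking through Registry Editor. The script re-launches itself as Local System through PsExec (because loading Recovery.dat requires Local System, as noted above), loads the hive under a temporary key, lists each SID subkey together with the account name it resolves to and the size of its (Default) value, and unloads the hive again. The temporary key name Temp_Recovery and the assumption that PsExec is on the PATH are mine; the value is reported only by size, because the post does not describe its format.

```powershell
# Added example: inspect the Recovery.dat hive created by lsass.exe when a
# password reset disk is made. Assumptions (not from the original post):
#   - Sysinternals PsExec (psexec.exe) is on the PATH
#   - the script is started from an elevated PowerShell prompt
#   - the temporary mount point name Temp_Recovery is free

$HivePath = 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat'
$MountKey = 'HKLM\Temp_Recovery'   # arbitrary name, like "Test" in the manual steps

function Get-RecoveryHiveEntries {
    # Must run as Local System. Loads the hive, enumerates the SID subkeys,
    # reads each (Default) value (the public-key-encrypted password copy),
    # and always unloads the hive afterwards.
    param([string]$Path = $HivePath, [string]$Key = $MountKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Hive not found: $Path (has a password reset disk been created on this machine?)"
    }
    & reg.exe load $Key $Path | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed (code $LASTEXITCODE). Are you running as Local System?"
    }
    try {
        $psKey = $Key -replace '^HKLM\\', 'HKLM:\'
        foreach ($sub in Get-ChildItem -Path $psKey) {
            $sid     = $sub.PSChildName
            $default = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            # Resolve the SID so the entry can be matched to the logged-on account
            $account = try {
                (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { '<unresolved>' }
            $size = if ($default -is [byte[]]) { $default.Length } else { "$default".Length }
            [pscustomobject]@{
                SID             = $sid
                Account         = $account
                ValueType       = if ($default -eq $null) { '<none>' } else { $default.GetType().Name }
                CiphertextBytes = $size
            }
        }
    } finally {
        # Drop any lingering handles on the key, otherwise reg unload may be denied
        [GC]::Collect()
        & reg.exe unload $Key | Out-Null
    }
}

if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Get-RecoveryHiveEntries | Format-Table -AutoSize
} else {
    # Not SYSTEM yet: re-run this same script under PsExec -s. Output of the
    # SYSTEM-side console process is relayed back to this window by PsExec.
    $self = $MyInvocation.MyCommand.Path
    & psexec.exe -accepteula -s powershell.exe -NoProfile -ExecutionPolicy Bypass -File $self
}
```

Save it as a .ps1 file and run it from an elevated prompt; the expected output is one row whose SID matches the account that created the password reset disk. If reg load is denied even as Local System, another process (or a previous run that failed to unload) still holds the hive; run reg unload on the temporary key before retrying.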
Among client operating systems, Windows has the largest share. Windows 7, Microsoft's latest, can fairly be called the most secure of them so far, but by the "wooden barrel principle" (a barrel holds only as much as its shortest stave allows) careless use can still expose you to security risks with serious consequences. That is why the internals of the Windows 7 password reset disk described above matter: the userkey.psw file on the disk is the private key that unlocks a copy of your account password stored on the machine, so the disk must be kept as carefully as the password itself.