The internal principle of the Windows 7 password reset disk


In Windows 7, for data security, you can set a login password when configuring a user account. If you carelessly forget that login password, don't worry: you can turn to a small tool that comes with Windows 7, the "Password reset disk", to reset the password. Some readers may think the password reset disk is a trivial trick, very simple, even useless, reasoning that anyone careful enough to create a password reset disk would hardly be careless enough to forget the password.

In fact, the principle behind it is still quite interesting, and a simple analysis is attempted here.

Methods and steps:

In the Windows XP era, we know that when a user creates a password reset disk, the Windows system automatically generates a public/private key pair and a self-signed certificate. The password of the user account is then encrypted with the resulting public key and saved under the registry key HKEY_LOCAL_MACHINE\SECURITY\Recovery\<SID>, where <SID> is the SID of the user. The private key is deleted from the computer and saved on a floppy disk.

In the Windows 7 era, we know that the private key is stored on the floppy disk or USB flash drive as a file named userkey.psw.

But if we try to view the HKEY_LOCAL_MACHINE\SECURITY\Recovery registry key, we find that it is empty and contains no user SID.

So where is the copy of the user password encrypted with the public key stored? Obviously, having the private key alone is useless: without the copy of the account password encrypted with the matching public key, the password of the user account cannot be recovered.

After some research, the answer was found using Process Monitor. I was lazy and did not want to write up the specific process, but it is simple. While the password reset disk is being created, the Windows security subsystem process Lsass.exe automatically creates a registry hive file named Recovery.dat, saved in the folder C:\Windows\System32\Microsoft\Protect\Recovery. The Lsass.exe process then automatically loads it into the registry as HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B. The meaning of C80ED86A-0D28-40dc-B379-BB594E14EA1B is unknown; Google returns no results, so if any expert knows, please do not hesitate to advise.

Once the password reset disk has been created, the Lsass.exe process automatically unloads the registry hive, so we cannot view the contents of HKLM\C80ED86A-0D28-40dc-B379-BB594E14EA1B directly. However, it is easy to think of a way to view it:

Open a command prompt window with administrator privileges and run the following command to start the Registry Editor as Local System (Recovery.dat can only be loaded with Local System permissions):

Psexec -s -i -d regedit

Select the HKLM registry root key, then click File, Load Hive, and navigate to the file C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat.

In the next dialog box, specify any key name, such as Test, then expand the subkeys below it: you will see the SID of the currently logged-in account. The default value on the right-hand side is the saved copy of the account password encrypted with the public key.
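The same inspection, scripted as an audit that reports which accounts on a machine have a password reset disk registered. This is an added example, not code from the original article: it assumes the hive path and GUID named above, uses reg.exe load/unload in place of the regedit Load Hive dialog, and must be started as Local System via psexec -s, exactly as the manual steps require. The mount name RecoveryAudit is an arbitrary choice (the article uses Test); the script only reports the size of the encrypted copy, never its contents.

```powershell
# Added audit script (not from the original article). Run as Local System, e.g.:
#   psexec -s -i powershell.exe -ExecutionPolicy Bypass -File .\Audit-ResetDisk.ps1
# Paths and the GUID are those named in the article; 'RecoveryAudit' is an
# arbitrary mount name chosen for this example (the article uses 'Test').

$HivePath  = 'C:\Windows\System32\Microsoft\Protect\Recovery\Recovery.dat'
$MountName = 'RecoveryAudit'
$LiveKey   = 'HKLM:\C80ED86A-0D28-40dc-B379-BB594E14EA1B'

if (-not (Test-Path -LiteralPath $HivePath)) {
    Write-Host 'No Recovery.dat found: no password reset disk has been created here.'
    return
}

# Lsass keeps the hive loaded only while a disk is being created; if it happens
# to be mounted right now, read it in place, otherwise mount it under $MountName.
if (Test-Path -LiteralPath $LiveKey) {
    $Root = $LiveKey
} else {
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed; this hive needs Local System.' }
    $Root = "HKLM:\$MountName"
}

try {
    $keys = @(Get-ChildItem -LiteralPath $Root -ErrorAction Stop)
    if ($keys.Count -eq 0) { Write-Host 'Hive is present but holds no SID entries.' }
    foreach ($k in $keys) {
        $sid = $k.PSChildName
        # Resolve the SID to an account name; SIDs of deleted accounts stay unresolved.
        try {
            $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $acct = '<unresolved>' }
        # The key's default value is the public-key-encrypted copy of the password.
        # Report only its size, never its contents.
        $blob = $k.GetValue('')
        $size = if ($blob -is [byte[]]) { $blob.Length } elseif ($blob) { "$blob".Length } else { 0 }
        Write-Host ('{0,-46} {1,-28} encrypted password copy: {2} bytes' -f $sid, $acct, $size)
        $k.Close()
    }
} finally {
    if ($Root -ne $LiveKey) {
        $keys = $null; [GC]::Collect()   # drop open handles so the unload is not denied
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}
```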

In the field of client operating systems, Windows has the highest usage. Although Microsoft's latest Windows 7 can be said to be the most secure operating system so far, it is still limited by the so-called "wooden barrel principle" (a barrel holds only as much as its shortest stave): if you are careless in using it, you may still run into potential security risks with serious consequences. Therefore, the internal principle of the Windows 7 password reset disk described above is very important; learn it quickly.

Copyright © Windows knowledge All Rights Reserved