Instant extraction of Windows login passwords from Hibernation file or memory image
Windows stores account passwords for all the logged-in users in memory. This holds true for Windows XP through Windows 8. Passwords are encrypted and are not visible in plain text, but there is still a way to identify and decrypt those passwords.
When a computer hibernates, Windows writes all the physical RAM memory contents to
C:hiberfil.sys file, creating a memory image. This image contains encrypted windows accounts and passwords.
hiberfil.sys file is locked by Windows, you might need to use special tools (like WinHex) or boot the system into Windows Recovery Console in order to access the file.
Here’s how to access the hibernation file with WinHex. Click Tools|Open Disk… and select physical disk with the hibernation file:
Please note that
hiberfil.sys has both “System” and “Hidden” attributes set and you might need to change Explorer settings (Tools|Folder Options…) to display hidden and system files:
Launch Passware Kit and select “Analyze Memory and Decrypt Hard Disk” option:
Then select “Windows User” option:
The software scans memory (or a hibernation file) for windows user account passwords:
And displays a list of all the logged-in users and passwords:
It usually takes under 10 minutes to get all the passwords extracted and decrypted and this does not depend on password strength, character set, etc.
The same results could be achieved by using live memory image instead of the hibernation file.