Instant extraction of Windows login passwords from Hibernation file or memory image

Instant extraction of Windows login passwords from Hibernation file or memory image

Windows stores account passwords for all the logged-in users in memory. This holds true for Windows XP through Windows 8. Passwords are encrypted and are not visible in plain text, but there is still a way to identify and decrypt those passwords.

When a computer hibernates, Windows writes all the physical RAM memory contents to C:hiberfil.sys file, creating a memory image. This image contains encrypted windows accounts and passwords.

As hiberfil.sys file is locked by Windows, you might need to use special tools (like WinHex) or boot the system into Windows Recovery Console in order to access the file.

Here’s how to access the hibernation file with WinHex. Click Tools|Open Disk… and select physical disk with the hibernation file:
WinHex: Open Physical Disk

Select Windows boot partition, locate hiberfil.sys in the root folder, right click, select Recover/Copy… and select the target folder for the hibernation file:
WinHext: Copy hiberfil.sys

Please note that hiberfil.sys has both “System” and “Hidden” attributes set and you might need to change Explorer settings (Tools|Folder Options…) to display hidden and system files:
Explorer: Show hidden and system files

Launch Passware Kit and select “Analyze Memory and Decrypt Hard Disk” option:

Then select “Windows User” option:

The software scans memory (or a hibernation file) for windows user account passwords:
Passware Kit: Progress

And displays a list of all the logged-in users and passwords:
Passware Kit: Passwords Found

It usually takes under 10 minutes to get all the passwords extracted and decrypted and this does not depend on password strength, character set, etc.

The same results could be achieved by using live memory image instead of the hibernation file.