A few months ago I reset my Windows password but my keyboard must have had a sticky key or two, effectively changing my password to an unknown password. Out of desperation and a little research I used PCUnlocker to forcefully reset my password. Little did I know that this would cause my EFS encrypted files to be unreadable.
My understanding is that non-domain, local user, Windows 10 passwords are based on the NTLM hashing algorithm.
Through much research I found an article describing that a tool such as Cain and Abel can help crack my old password by making use of rainbow tables and the old

> After getting back into your system, you can install and run various password cracking software (for example, Ophcrack, Cain and Abel) to recover the old password in the original SAM file. After recovering the password, change the current password to the old password and you’ll gain access to the EFS encrypted files again.

I’ve created my own rainbow tables using the Winrtgen utility that comes packaged with Cain and Abel, and luckily PCUnlocker automatically backed up my SAM file. When cracking passwords with Cain and Abel, the UI asks for a SAM file and the SYSTEM file, where the latter, to my knowledge, does not change when resetting a password. (Correct me if I’m wrong on this.)
The rainbow tables that I generated vary; however, the one which I expected to work was based on the mixalpha-numeric-all type, i.e., upper + lower-case of alphanumeric and all special characters. The password I used can range from 25 to 33 characters (accounting for several sticky characters).
All in all I have not been successful in cracking my password with my old SAM file, my current SYSTEM file, and my custom rainbow tables.
- Are rainbow tables less effective the more potential characters there are? (e.g., lower-cased only vs. mixed-cased + special characters)
- Does the salted hash in the SYSTEM file change when changing passwords?
- Any other suggestions?