creddump

ERR: Couldn't find subkey PolSecretEncryptionKey of Policy

Open • GoogleCodeExporter opened this issue 10 years ago • 4 comments

C:\>python cachedump.py SYSTEM SECURITY
ERR: Couldn't find subkey PolSecretEncryptionKey of Policy


How do I obtain the subkey PolSecretEncryptionKey of Policy?


Thanks,
Enda


Original issue reported on code.google.com by [email protected] on 17 May 2013 at 12:35

GoogleCodeExporter • Apr 06 '15 00:04

Appears this particular issue still exists

seanfuture • Nov 19 '15 13:11

What version of Windows did the hive files come from?

It appears that in Vista and later, the key name has changed. Volatility has an implementation of the updated algorithm that could be ported over (both creddump and Volatility shared the same implementation originally).

https://github.com/volatilityfoundation/volatility/commit/8e7d5dab9e5c3a57087dde24eb8df6b957790e02

If you want to do this and submit a pull request I'd be happy to merge it.

moyix • Nov 19 '15 19:11

Windows 8 was the source, so that's likely the issue.

seanfuture • Jan 21 '16 21:01

I ran into the same issue on win8, but it works with the patches linked above, which happen to be already merged in https://github.com/Neohapsis/creddump7

JensTimmerman • Sep 11 '18 14:09