nishang
nishang copied to clipboard
Get-PassHashes not working on Windows 10
Get-PassHashes does not work on Windows 10 1607. It always returns empty LM/NTLM hashes on execution.
I attached a screenshot that shows the problem on a test machine. On the left side is the output from Get-PassHashes, on the right side is the (correct) output from mimikatz.
Hi, sorry for the late reply. Let me test the issue.
Hi,
thanks for looking into it. From what I can tell so far, the problem seems to be the powerdump code that gets the encrypted hashes from the SAM. At line 321 start two checks to verify the LM/NTLM header in the registry (-eq 20) and these checks never succed in Windows 10. I guess they changed something in the layout and therefore the hashes aren't located at the same offsets anymore. Do you know if there's some kind of documentation on this?
Thanks again, best regards
Christoph