pypykatz icon indicating copy to clipboard operation
pypykatz copied to clipboard
verified publisher icon skelsec

Windows7 lsass.DMP under Pypykatz 069

Open sudo-joe opened this issue 1 year ago • 1 comments

Hello dumped lsass with taskmgr as admin on a Windows7.

[The file is located at:] [c:\Users\test\App Data\Local\Temp\lsass.DMP]

pypykatz lsa minidumd lsass.DMP

Surprisingly the output shows only the hash of one Windows7 user (the one i am mostly using) and it's password in cleartext The other Windows7 users are not listed.

If I am using ' pypykatz registry....´ all Windows users are listed...

Question: Any idea why Pypykatz 069 does only list one user?

Thanks a lot in advance for any feedback!

PS: No idea why the lsass.DMP is writtern to user test [c:\Users\test\App Data\Local\Temp\lsass.DMP] and not to user Admin..... since I logged into Windows as Admin

sudo-joe avatar Feb 29 '24 14:02 sudo-joe

I believe you're expecting the same information to be acquired from the registry and form the lsass but those are two different things which while do have some relation with one another ultimately don't store the same information.

skelsec avatar Apr 05 '24 20:04 skelsec