What's New?

It's been a while since pwdump2 was first released, and it's time for an update. This new version adds two new features:

-It can now dump password hashes from Active Directory. (The original version wasn't able to do this.)
-It can determine the pid of lsass automatically, so you don't need to supply it on the command line.
What is pwdump2?

This is an application which dumps the password hashes (OWFs) from NT's SAM database, whether or not SYSKEY is enabled on the system. NT Administrators can now enjoy the additional protection of SYSKEY, while still being able to check for weak users' passwords. The output follows the same format as the original pwdump (by Jeremy Allison), and can be used as input to l0phtcrack, or used with Samba. You need the SeDebugPrivilege for it to work. By default, only Administrators have this right, so this program does not compromise NT security.

How do I use it?

First, of course, back your system up, and try it on a test machine. Take both the pwdump2.exe and samdump.dll files and place them together in a directory on your NT box's local file system. Then, just run

[c:\pwdump2] pwdump2

and the contents of the SAM will be written to the console. To capture the output in a file, run, e.g. "pwdump2 > passwd.txt".

This newer version of pwdump2 is able to find the pid of lsass.exe automatically. Several people send me source code to do this, but they all required an extra DLL, which is why I never incorporated them. Recently, Gary Nebbett published Windows NT/2000 Native API Reference, an invaluable reference, documenting virtually every undocumented NT kernel call. Among other things, it demonstrates a method of determining pids without linking to more DLLs. pwdump2 now includes code which does this. If for some reason pwdump2 fails to determine the proper pid, it will complain and exit. You can still specify the pid on the command line, to work around this possibility. Determine the process id of lsass.exe. (You can do this with Task Manager.). Then, assuming the pid is, e.g. 43, run:

[c:\pwdump2] pwdump2 43