Series
Offline Windows credential dumping
4 posts in this series. Read them in order or jump to any one.
- How the Windows boot key (syskey) works
  The boot key is the root of all offline credential dumping. Here is where it lives, why it is scrambled across four registry keys, and how to reassemble it from the SYSTEM hive.
- Decrypting local account hashes from the SAM hive
  From the hashed boot key to a user's NT hash: the F and V structures, the RC4 vs AES storage formats, and the per-RID DES layer that wraps every Windows password hash.
- LSA secrets and cached domain credentials
  The SECURITY hive stores service passwords, the machine account, DPAPI keys, and offline logon caches. Here is how the LSA key unlocks them, and why DCC2 is salted but still dumpable.
- Inside NTDS.dit: the ESE database and the PEK
  A domain controller stores every account hash in an ESE database. Here is how the datatable is laid out, how the Password Encryption Key is derived, and how each hash is unwrapped.