Is a password set for a Windows user?

written by woany on Saturday, November 07 2009

A colleague recently asked me whether it was possible to determine if a user is required to enter a password to log in to Windows. Well, I thought that between RegExtract (and regripper, since RegExtract is based on regripper), AccessData Registry Viewer, MiTec Windows Registry Recovery and a hex editor I would have an answer; it turns out I don't have a clear answer.

I did some research by creating three users, like so:

  • "User 1": Had a password set and then removed
  • "User 2": Did not have a password set
  • "User 3": Had a password set

AccessData Registry Viewer showed that all three had the "Password Required" flag set, and that "User 1" and "User 3" had the "NTLMv2 Password Hash" set and none had the "LM Password Hash" set. This showed that even if you remove the password requirement for a user then the "NTLMv2 Password Hash" remains.

I think the sensible conclusion to draw is that if an account does not have the "NTLMv2 Password Hash" and "LM Password Hash" values set, then you can be relatively assured that a password is not and has not been required, even more so if the "Password Reset Date" is invalid, e.g. 00:00:00 1/1/1970.

It does appear to mean that a user may have had a password defined at some point, then removed it, so the user can currently log in without a password, and yet the "NTLMv2 Password Hash" will still remain. So somewhere in the Registry it must be storing whether to check if a password is required or not. I plan to continue looking, but if someone at Microsoft, or anyone else for that matter, knows, then feel free to save me some pain/time!

I am going to change the RegExtract "UsersGroups" plugin to determine if the "NTLMv2" and "LM" password hashes are set, plus extract the password hint for any users that have it defined.

UPDATE: You need to decode the hash to see if it's an empty value, so if it is not defined or it's set to the "empty" value then a password is not required.
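The check described in the update, as an added example (not RegExtract's code). It assumes the commonly documented pre-AES layout of a SAM user's `V` value (LM entry at 0x9C, NT entry at 0xA8, data starting at 0xCC, 20 bytes when a hash is stored and 4 when not); the function names and sample blobs are constructed, and the decoded hashes are whatever your examination tool produced.

```python
import struct

# Well-known LM and NT hashes of the empty string (the "empty" value).
EMPTY_LM = bytes.fromhex("aad3b435b51404eeaad3b435b51404ee")
EMPTY_NT = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")

# Assumed layout: entries hold u32 LE (offset, length); offsets count from 0xCC.
V_DATA_BASE = 0xCC
LM_ENTRY, NT_ENTRY = 0x9C, 0xA8

def hash_entry(v, entry):
    """Return the raw stored bytes of one hash entry in a SAM user V value."""
    if len(v) < V_DATA_BASE:
        raise ValueError("V value is shorter than its fixed header")
    offset, length = struct.unpack_from("<II", v, entry)
    start = V_DATA_BASE + offset
    if start + length > len(v):
        raise ValueError("hash entry points outside the V value")
    return v[start:start + length]

def hash_stored(v, entry):
    """Assumption: 20 bytes = 4-byte header + 16-byte hash, 4 bytes = none."""
    return len(hash_entry(v, entry)) == 20

def password_state(v, decoded_lm=None, decoded_nt=None):
    """Classify an account from its V value plus any already-decoded hashes."""
    checks = [(hash_stored(v, LM_ENTRY), decoded_lm, EMPTY_LM),
              (hash_stored(v, NT_ENTRY), decoded_nt, EMPTY_NT)]
    stored = [(dec, empty) for present, dec, empty in checks if present]
    if not stored:
        return "no hash stored"
    if any(dec is None for dec, _ in stored):
        return "hash stored, decode before concluding"
    if all(dec == empty for dec, empty in stored):
        return "empty-value hash"
    return "non-empty hash"

def build_v(lm_blob, nt_blob):
    """Constructed sample: a V value that carries only the two hash entries."""
    header = bytearray(V_DATA_BASE)
    struct.pack_into("<II", header, LM_ENTRY, 0, len(lm_blob))
    struct.pack_into("<II", header, NT_ENTRY, len(lm_blob), len(nt_blob))
    return bytes(header) + lm_blob + nt_blob

if __name__ == "__main__":
    none = b"\x01\x00\x01\x00"               # constructed 4-byte "no hash" entry
    user1 = build_v(none, none + bytes(16))  # hash left behind after removal
    for decoded in (None, EMPTY_NT, bytes(range(16))):
        print(password_state(user1, decoded_nt=decoded))
```

Only "no hash stored" and "empty-value hash" support the conclusion that no password is required; a stored hash that has not been decoded says nothing either way, which is the "User 1" case above.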

 
