Hacking Windows Passwords Using Live System

Everyone in the world now knows that setting a password is a useful measure to protect all types of personal data from unauthorized access. Of course, passwords and the mechanisms for entering and checking them are also a very popular target for hackers. Once a password is successfully cracked, the data is often left exposed without any protection. This article shows how easy it is to read password data.

Below we'll look at how easy it is to bypass a user's password on a regular Windows laptop to gain access to user data. Basically, there are many ways to crack passwords. There are many attack vectors: from keyboard stickers to recording transmitted passwords as part of a man-in-the-middle attack. Here we focus on the ability to run the system through external media and the ability to read password data through the live system.


When installing the Windows operating system, the user is prompted to enter a username and password. When you log into the respective system in the future, you will be asked for so-called “credentials”, that is, a name and a password. This may indicate perceived security, which, unfortunately, can very quickly lead to the leakage of sensitive data if additional security measures are not taken.

Let's say a hacker somehow got hold of someone else's laptop. This can happen in different ways. A classic example is the so-called "Evil Maiden" attack. The situation is something like this: the victim checks into a hotel and leaves the laptop in the room, and then, for example, goes to have breakfast and leaves the room for a while. During this time, anyone with access to the room can undetectedly access the laptop to manipulate it or steal data from it.

Of course, the laptop could also be stolen or taken away using physical force. However, it is much more insidious to allow the victim to believe that the data is still safe. If the hacker has access to the laptop for a certain period of time, the data can be accessed without any problem. The Windows password can be easily bypassed by running the laptop separately with the so-called Live System, for example from an inserted USB flash drive.

How does Live System work?

Live System is an operating system that you can run without installing it on your hard drive. This is often a variant of Linux, examples of which are Knoppix or Kali Linux. As a rule, it is installed on a bootable USB flash drive or CD/DVD. Getting a working system up and running often takes only a minute or two. When booting, Live System is loaded into RAM.

Because RAM is removed when the computer is turned off and data is not typically written to the hard drive, a running system leaves no trace. The normally installed operating system does not start in this situation and therefore does not notice anything. The running system now has the ability to access all hardware components as it controls the computer.

Thus, a hacker can also access the data on the hard drive through this system. This means that an attacker can simply copy any data to the hard drive using only a USB drive, without removing the hard drive or leaving any traces on the system. If a hacker has a lot of time, the entire internal hard drive of a laptop can be mirrored using another connected hard drive so that the data can be viewed later at their leisure.

However, the attacker often has little time and must concentrate on a small amount of data. If you have a running Linux system running on a computer with Windows installed, you can check all Windows system files. Typically, Windows tries to hide many internal processes and files from the user, but a running system allows a hacker to navigate through all directories and files. It's a bit like putting the Windows system under anesthesia, like during surgery, while the Live System allows you to examine the internal organs.

Local Windows Password File

The file that is of particular interest to hackers is the so-called SAM file, which stands for Security Account Manager. Windows stores local account passwords as a hash value in the SAM file at C:\WINDOWS\system32\config. A hacker could also surreptitiously copy this file through the Live System. The hashes can then be cracked at one's leisure and with the appropriate computing power.

There are various password cracking programs available on Windows and Linux. "John the Ripper" is a prime example of such programs. Password cracking is then carried out using predefined password lists whose hashes are compared with entries in the SAM database, or a brute force method in which each character combination is systematically checked. Ultimately the hashes must match.

Protective measures

Of course, there are several ways to protect yourself from these attacks. The best option is to completely encrypt your laptop hard drive. There are various programs for this, such as Bitlocker, developed by Microsoft itself, as well as free alternatives. You can also set a password that must be entered during boot in order to be able to start the device.

Since password cracking relies on an attacker guessing the password, strong and well-chosen passwords are an important tool for effective password protection. Even attackers with extensive resources will find it difficult to guess a correctly chosen password from a variety of characters, including upper and lower case letters, numbers and special characters.

Additionally, setting a password in "BIOS" can prevent the boot order from being changed. This means that it is no longer possible to simply start a running system from a USB drive if the boot sequence is configured accordingly and no longer allows the system to be started from a USB drive.

Mainton Company - custom software development and testing, SEO and online advertising since 2004.