Windows Cached Credentials Storage: AD Domain vs. Local SAM Hashing Mechanisms Explored
Windows caches domain credentials to allow users to log in when a domain controller is unavailable. What it caches is not the password or the NT hash but a verifier derived from the NT hash, stored in a different hive from the local SAM accounts and, from Vista onward, stretched with PBKDF2 so that an offline attacker has to crack it rather than replay it.

Cached domain credentials are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Cache, one binary value per entry (NL$1, NL$2, ...; "NL" refers to Netlogon, not NT LAN Manager, and the default is 10 slots), while local account hashes live in the SAM hive. Each NL$ value is encrypted with the NL$KM LSA secret, which is itself encrypted with the LSA key derived from the boot key in the SYSTEM hive:

// Registry path for cached credentials (one encrypted entry per NL$n value)
HKEY_LOCAL_MACHINE
    └── SECURITY
        └── Cache
            ├── NL$1
            ├── NL$2
            ├── ...
            └── NL$Control        // slot bookkeeping

The verifier Windows stores is derived from the NT hash, not from the password string, and the derivation changed between XP/2003 (MS-CACHE v1, "DCC1") and Vista and later (MS-CACHE v2, "DCC2"):

// Derivation of the stored verifier (simplified; this is not the on-disk record layout)
NT_hash = MD4(UTF16LE(password))
DCC1    = MD4(NT_hash || UTF16LE(lowercase(username)))                       // XP, Server 2003
DCC2    = PBKDF2-HMAC-SHA1(DCC1, UTF16LE(lowercase(username)), 10240, 16)    // Vista and later

What the cache format adds over a raw NT hash:

  • Salting with the lowercase username (UTF-16LE): a precomputed table would have to be built per username. The salt is not random and not per-machine, so the same username and password yield the same verifier on every machine
  • Key stretching on Vista and later: 10240 PBKDF2-HMAC-SHA1 iterations by default, tunable through the NL$IterationCount DWORD under the Cache key (the figure is 10240 since Vista, not 10,000 from Windows 10)
  • One-way derivation: a stolen DCC2 value cannot be replayed (no pass-the-hash) and must be cracked, whereas a stolen NT hash lets an attacker compute that user's DCC2 directly

Extraction is possible but requires SYSTEM, not merely an elevated administrator: the ACL on HKLM\SECURITY grants access to SYSTEM only, so even the read below has to run under a SYSTEM token (for example psexec -s powershell.exe), and what it returns is the NL$KM secret still encrypted with the LSA key:

# Run as SYSTEM; Administrators are denied on HKLM\SECURITY by default.
# Single quotes matter: in double quotes PowerShell would expand $KM and corrupt the path.
$regPath = 'HKLM:\SECURITY\Policy\Secrets\NL$KM\CurrVal'
$blob = (Get-ItemProperty -Path $regPath).'(default)'
# $blob is the NL$KM secret encrypted with the LSA secret key (derived from the SYSTEM
# hive boot key); its leading bytes are a header, not a usable cache key.
(Get-Item 'HKLM:\SECURITY\Cache').Property      # lists NL$1, NL$2, ... and NL$Control

To limit exposure, cap the number of cached entries or disable caching. A value of 0 means nobody can log on while no domain controller is reachable, which suits always-connected desktops and servers but breaks laptops used off-network; the default is 10 and the maximum is 50:

# Group Policy setting to disable credential caching
Computer Configuration
  └── Windows Settings
      └── Security Settings
          └── Local Policies
              └── Security Options
                  → "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" = 0

Credential Guard, on supported systems, uses virtualization-based security (a hypervisor-isolated LSAIso process, with TPM and UEFI protecting the platform it runs on) to keep the NT hash and Kerberos tickets of logged-on users out of reach of code running in the normal OS, including LSASS memory dumps. It guards the in-memory derived credentials; the cached-logon entries in HKLM\SECURITY\Cache are a separate store, so reducing the cache count remains a distinct control.


When a Windows client authenticates to an Active Directory domain, it caches a verifier of the user's credential so that logons still work when no domain controller can be reached. These cached credentials are not stored in the SAM database like local accounts, but in the SECURITY hive under:

HKEY_LOCAL_MACHINE\SECURITY\Cache

The storage format differs between Windows versions:

Windows XP and Server 2003 use the older MS-CACHE v1 (DCC1) format, which stores inside each encrypted NL$ entry:

  • Username and domain name (not hashed; readable once the entry is decrypted)
  • A verifier derived from the NT hash: MD4(NT hash || lowercase username in UTF-16LE). The username is the only salt, and a guess costs two MD4 operations, about the same as an NTLM guess (hashcat mode 1100)

Example registry structure (each value holds one complete encrypted entry; an entry is not split across values):

NL$1  {binary blob: header, 16-byte IV, then the encrypted region holding the 16-byte verifier, DOMAIN\username and account metadata}
NL$2  {binary blob for the next cached account}

Windows Vista, Server 2008 and later use the MS-CACHE v2 (DCC2) format:

  • PBKDF2-HMAC-SHA1 applied to the DCC1 value, 10240 iterations by default (tunable via the NL$IterationCount DWORD under the Cache key)
  • Salt is the lowercase username in UTF-16LE, not a random per-user value, so the same username and password give the same verifier on every machine
  • Output is 16 bytes; SHA-1 is the HMAC hash, not SHA-256 (hashcat mode 2100, John the Ripper format "mscash2")

The format follows the OS version rather than a setting: Vista/Server 2008 and later always write MS-CACHE v2. What can vary is the PBKDF2 iteration count, which appears as the NL$IterationCount DWORD under the Cache key only when it has been changed from the default (run as SYSTEM):

# As SYSTEM; no value means the default of 10240 iterations
Get-ItemProperty -Path 'HKLM:\SECURITY\Cache' -Name 'NL$IterationCount' -ErrorAction SilentlyContinue |
  Select-Object -ExpandProperty 'NL$IterationCount'

Because the salt is the username, generic rainbow tables do not apply, but a per-user dictionary attack does; with DCC2 each guess costs 10240 HMAC-SHA1 iterations instead of a single MD4, and that cost is the real defence. Extraction needs SYSTEM on the host, or a copy of both the SYSTEM and SECURITY hives:

  1. Mimikatz, live on the host (token::elevate obtains a SYSTEM token; lsadump::cache is the cache command, whereas sekurlsa::logonpasswords reads LSASS memory and does not touch the registry cache):
    privilege::debug
    token::elevate
    lsadump::cache
    
  2. Hive copy via Volume Shadow Copy, then offline decryption. SYSTEM supplies the boot key, SECURITY holds NL$KM and the NL$ entries; both are required:
    vssadmin create shadow /for=C:
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
    copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\temp\
    secretsdump.py -system C:\temp\SYSTEM -security C:\temp\SECURITY LOCAL
    

For modern Windows environments:

  • Enable Credential Guard (virtualization-based security isolates the NT hash and Kerberos tickets of logged-on users in LSAIso; it does not change what is written to HKLM\SECURITY\Cache)
  • Reduce the cache to the minimum the fleet tolerates. The REG_SZ value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount defaults to "10" (maximum "50"); "0" disables cached logons, at the cost of no logon without a reachable domain controller
  • Enable LSA Protection, which runs LSASS as a protected process so that unsigned code cannot open it for memory reads (this protects in-memory credentials, not the registry cache):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001