312-49 Question #265: Real Exam Question with Answer & Explanation
The correct answer is A: HKEY_LOCAL_MACHINE.
Question
Which part of the Windows Registry contains the user's password file?
Options
- A. HKEY_LOCAL_MACHINE
- B. HKEY_CURRENT_CONFIGURATION
- C. HKEY_USER
- D. HKEY_CURRENT_USER
Explanation
Windows stores password-related data in two registry hives. HKEY_LOCAL_MACHINE (A) contains the SAM (Security Account Manager) subkey, specifically HKLM\SAM\SAM\Domains\Account\Users, which stores hashed credentials (NTLM and LM hashes) for all local user accounts on the machine. This hive is protected: at runtime it is inaccessible to normal users and processes and can be read only by the SYSTEM account or by forensic tools. HKEY_CURRENT_USER (D) stores profile and configuration data for the currently logged-in user, which can include cached credential references and security tokens associated with that user session. While HKLM\SAM is the primary location of password hashes, HKCU is included because it contains user-specific security context. HKEY_CURRENT_CONFIGURATION (B) stores hardware profile information, and HKEY_USER (C), more properly HKEY_USERS, is the root for all user profiles but does not specifically contain the password file.