
SAMKey : ERROR kull_m_crypto_genericAES128Decrypt #458

Open
Rezmalac opened this issue Jan 6, 2025 · 5 comments

Comments


Rezmalac commented Jan 6, 2025

I have the hive backup files from a locked laptop (exported from the registry).
And lsadump::sam does not work. My guess is something wrong with the SAM file, but no clue:

[image: error screenshot]

Other stuff on my current PC seems to be working.

Rezmalac changed the title from "ERROR kull_m_registry_OpenAndQueryWithAlloc" to "SAMKey : ERROR kull_m_crypto_genericAES128Decrypt" on Jan 9, 2025

Rezmalac commented Jan 9, 2025

UPDATE: I finally got the right SAM export file.
The locked laptop has BitLocker turned ON, so maybe this error is because of that?

Do I have any chance, or is it undecryptable?


eabase commented Feb 2, 2025

Nothing you say makes sense. Obviously you need to decrypt the BL drive before you can extract anything. So how did you get the SAM out of it?


Rezmalac commented Feb 3, 2025

> Nothing you say makes sense. Obviously you need to decrypt the BL drive before you can extract anything. So how did you get the SAM out of it?

What exactly does not make sense?

I can't decrypt the drive, because I don't have the key for it.
And I can't log in, because there is a password on it.
But... what I can do: there is this troubleshooting mode (or whatever you call it in English), so you have a command prompt. You can't access "c:" (where the system is), but it creates an "x:" for you and you can run commands. And I also have my USB drive, so with "reg save HKLM\SAM" I could export registry data to files.


eabase commented Feb 4, 2025

IDK for sure, but it certainly wouldn't make sense that the emergency/recovery shell is using the same SAM as the one in unlocked Windows. Sorry I can't help.


Rezmalac commented Feb 5, 2025

> IDK for sure, but it certainly wouldn't make sense that the emergency/recovery shell is using the same SAM as the one in unlocked Windows. Sorry I can't help.

IDK either, maybe you are right. On the other hand, my guess is the whole registry is the same and it doesn't matter where you export it from.
Also, running "sekurlsa::logonpasswords" on that notebook lists all users too, so I guess all the data is there, just double encrypted, and I can't get past the BitLocker.
