Vulnerability Development mailing list archives

cached logon credentials


From: David J Laumann <djl () MILLER CS UWM EDU>
Date: Fri, 5 Jan 2001 19:56:47 -0600

hi,

i'm curious about nt's cached logon credentials. i've got a copy of a registry
and in it are keys HKLM\Security\Cache\NL$1 thru \NL$10 which ms kb article
q199071 indicates as being the cached logon credentials. is this data
already in a format that can be run through a passwd cracker like l0pht?
if not are there any ideas on how to convert it? a quick conversion to ascii
shows what looks like account names.

btw, i don't think syskey is installed as the key
HKLM\System\CurrentControlSet\Control\Lsa\SecureBoot does not exist, nor do
i think ntlmv2 is being used as the key
HKLM\System\CurrentControlSet\control\LSA\LMCompatibilityLevel does not exist.

i was also looking at another registry for an nt4 workstation sp6 that i
have used cached credentials to logon with and i don't see the
HKLM\Security\Cache key. where then are the cached logon credentials stored?

thanks,
dave
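
For checking an offline registry copy for the settings named in this message, the following added example (not part of the original post) parses a REGEDIT4 text export and reports whether SecureBoot and LMCompatibilityLevel appear under Lsa, whether the Cache key exists, and which NL$ slots are present. The sample export is constructed, key and value names are matched case-insensitively, and treating an all-zero slot as unused is an assumption.

```python
import re

# Constructed sample in REGEDIT4 text-export form; not data from the post.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\LSA]
"ExampleValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SECURITY\Cache]
"NL$1"=hex:0a,00,00,00,41,00,42,00,\
  43,00,00,00
"NL$2"=hex:00,00,00,00,00,00,00,00
'''

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
CACHE = r"hkey_local_machine\security\cache"

def parse_reg(text):
    """Map lowercased key path -> {lowercased value name: raw data string}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join "\"-continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def audit(text):
    keys = parse_reg(text)
    lsa = keys.get(LSA, {})
    # The post calls these "keys"; accept either a value under Lsa or a subkey.
    def present(name):
        return name in lsa or LSA + "\\" + name in keys
    slots = {n: d for n, d in keys.get(CACHE, {}).items()
             if re.fullmatch(r"nl\$\d+", n)}
    def used(data):  # assumption: an all-zero slot holds no cached logon
        return any(b != "00" for b in data.split(":", 1)[-1].split(",") if b)
    order = lambda n: int(n[3:])  # numeric sort so nl$10 follows nl$9
    return {
        "secureboot": present("secureboot"),
        "lmcompatibilitylevel": present("lmcompatibilitylevel"),
        "cache_key": CACHE in keys,
        "slots_present": sorted(slots, key=order),
        "slots_in_use": sorted((n for n in slots if used(slots[n])), key=order),
    }

if __name__ == "__main__":
    for k, v in audit(SAMPLE_EXPORT).items():
        print(f"{k}: {v}")
```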

