NT does store the hashes and not clear text. It store these credentials in
the HKLM\SECURITY\Policy\Secrets area of the registry as NL$1 to NL$10 and
it stores the lanman hash followed by the NT hash followed by 3 bytes of
'status'. (as per Paul Aston's posting to NTBUGTRAQ) I'd bet that these
hashes are not syskeyed.
>
>There are also a number of entries corresponding to previous logins by
>users. There is a way to turn this behavior off, but I don't recall at the
>moment exactly what it is.
>
>Essentially, it is there to allow you to log on if the domain controller
>can't be reached. I believe it stores hashes rather than clear-text.
>
>The RAS functionality can often be annoying as well - it tends to prompt me
>for my password even when I'm using a script (which of course contains the
>user-password pair in the clear). Not sure why it thinks it needs it - I
>just leave it blank, but a less astute user would probably type in their
>actual password.
>
>
>David LeBlanc |Why would you want to have your desktop user,
>dleblanc@mindspring.com |your mere mortals, messing around with a 32-bit
> |minicomputer-class computing environment?
> |Scott McNealy
>