	Pwdump4.02 FAQ
		-- bingle

Q1: why you provide /r option?

A1: someone complain that the old file name 'PWDump4' & service name 'pwservice' maybe noticed
by admin, and even block it. So I provide /r to rename the filename and the service name freely. 
 

Q2: The dll changed from LsaExt.dll to PWDump4.dll, Is the dll file name fixed at PWDump4.dll?

A2: No. But should same as the execute file main part. If you rename the PWDump4.exe to 
PWDump4.01-by-bingle.exe at your host, you MUST rename the dll to PWDump4.01-by-bingle.dll


Q3: when use /r:xxx, what will be the file name & service name on the remote target? and how about
I just use /r ?

A3: the execute file name will be 'xxx.exe', and the dll file will be 'xxx.dll', the service will be 
'xxx' on remote. 
If you just use /r, the exe & dll will just copy to target without rename, the service name rename same
with the execute file name main part.
If no /r, the service name is default 'pwservice'.


Q4: what's the output SRV> & LSA> means ?

A4: the program involve 3 parts(if local 2 parts): main interactive with user(pwdump4.exe),
 pwservice(pwdump4.exe) run remotely, thread in lsass.exe in remote target(PwDump4.dll).
SRV> is the output of pwservice(pwdump4.exe) prompt.
LSA> is the thread in lsass.exe prompt. but the result of dump without LSA> for l0pht use.


Q5: when i run pwdump4 on the remote computer like that:
  C:\>\\192.168.0.1\share\pwdump4.exe /l, it will failed, and return -1(SRV>Thread code: 
dump thread return -1.), why it cannot load the PwDump4.dll(it's exist at the remote share), 
even if i copy it to C:\winnt\system32, that's no use ?

A5: pwdump4.exe doesn't use the PwDump4.dll directly, it inject a thread into lsass.exe 
to load PwDump4.dll and run a function to do hash dump. The PwDump4.dll must in the same 
folder with pwdump4.exe, for pwdump4.exe just let the remote thread to load PwDump4.dll 
at same path of pwdump4.exe. When the pwdump4.exe at the share of remote computer, the 
lsass process are also to load the dll in the same share, in your condition it's 
\\192.168.0.1\share\PwDump4.dll, but the lsass.exe(in LOCAL_SYSTEM account) cannot access
 the share \\192.168.0.1\share\, although u can, so -1(load PwDump4.dll failed). And u 
copy PwDump4.dll to your system32 have no use, no one will look for it.
  To do, just copy them two in local.

				bingle  2003/9