# credhist

`dpapi::credhist` describes a Credhist file. [Passcape](https://www.passcape.com/windows_password_recovery_dpapi_credhist) mentions that `CREDHIST` is a password history file, made out as a chain, where each link represents the user's older password hashes (NT and SHA1). Each time user changes the password, the old password hash is appended to the file and encrypted with a new password. It has the following command line arguments:

* `/in`: the path of the CREDHIST. According to this [guide](https://www.coresecurity.com/core-labs/articles/reading-dpapi-encrypted-keys-mimikatz), it can be found at `C:\users<UserName>\appdata\Roaming\Microsoft\Protect\CREDHIST`
* `/sid`: the Security Identifier of the target user
* `/sha1`: the SHA1 hash of the target user password. It can be obtained through [`sekurlsa::logonpasswords`](https://tools.thehacker.recipes/mimikatz/modules/sekurlsa/logonpasswords).
* `/password`: the password of the target user

```
mimikatz# dpapi::credhist in:"C:\users<UserName>\appdata\Roaming\Microsoft\Protect\CREDHIST"
```

{% hint style="warning" %}
During our test on a Windows 10 20H2 box, we could not find the `CREDHIST` file.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.