Your Guide to Finding and Protecting the NTDS.dit Location

The NTDS.dit location is the primary target for any hacker looking to take total control of your organisation. This file is the central database for Active Directory. It contains every user account, group membership, and the encrypted password hashes for your entire domain. While the default file path (C:\Windows\NTDS\ntds.dit) is well-known, modern threat actors use advanced Living off the Land techniques to steal it without triggering standard alarms.

The Identity Vault: Mastering the NTDS.dit Location and Extraction Defence

In any Active Directory environment, the NTDS.dit location represents the literal heart of the network. This file is the central database where Windows stores all directory data, including user objects, group memberships, and organisational structures. 

However, its most sensitive content is the data used for authentication: the encrypted password hashes for every account in the domain.

For infrastructure architects and security teams, understanding the physical and cryptographic nature of this file is fundamental. Because the database holds the crown jewels, it’s the primary target for attackers during the post-compromise phase of an intrusion. 

If a hacker successfully extracts and decrypts this file, they can achieve permanent persistence, bypass security controls, and impersonate any identity within the organisation. 

Protecting the NTDS.dit is more than an administrative task; it’s the most critical step in defending the integrity of your entire business identity.

What We'll Cover

  • The exact physical and cryptographic dependencies of the NTDS.dit location.
  • Structural enhancements in Windows Server 2025 (ESE 32k scaling).
  • How attackers use WMI and diskshadow to bypass VSS monitoring.
  • The 2026 EDR Killer epidemic and hypervisor-level disk extraction.
  • Strategic steps for ACL hardening and protecting LSA memory.

Finding the Crown Jewels: The NTDS.dit Location

The NTDS.dit file serves as the centralised repository for all Active Directory objects. It stores your user accounts, computer objects, and the sensitive krbtgt account hash, the key needed to forge Golden Tickets.

By default, the active database is stored in this directory on every domain controller: C:\Windows\NTDS\ntds.dit

Technically, this file is built on the Extensible Storage Engine (ESE). But businesses moving to Windows Server 2025 can unlock a massive architectural shift. By raising the Forest Functional Level and executing an offline database conversion, you can enable a 32k database page size. This allows attributes to hold over 3,200 values. 

While it’s great for performance, it means the database files attackers target are becoming much denser and more valuable.

Cryptographic Locks: PEK and the BootKey

Simply knowing the NTDS.dit location isn't enough for an attacker to cause havoc. The file is protected by high-level encryption. 

The password hashes inside are encrypted at rest by a Password Encryption Key (PEK). This PEK is, in turn, encrypted by a BootKey (stored in the SYSTEM hive).

To read the database offline, an attacker must steal two things:

  1. The NTDS.dit file.
  2. The SYSTEM registry hive, which contains the BootKey.

Once they have both, they use offline parsing tools to extract the keys and dump the raw NT hashes for every account in your domain.

Required Artifact | Default Storage Path                | Why Attackers Target It
------------------|-------------------------------------|--------------------------------------------------------
NTDS.dit          | C:\Windows\NTDS\ntds.dit            | Contains all domain password hashes.
SYSTEM Hive       | C:\Windows\System32\config\SYSTEM   | Contains the BootKey needed for decryption.
SECURITY Hive     | C:\Windows\System32\config\SECURITY | Not needed for NTDS, but stolen to harvest LSA secrets.

How Attackers Bypass File Locks

Because this database is always in use, Windows locks it. You can't just copy and paste the file. To get around this, attackers use the Volume Shadow Copy Service (VSS).

While legacy attacks used simple vssadmin commands, modern EDRs monitor that utility closely. Instead, advanced hackers now use:

  • WMI (Win32_ShadowCopy). Attackers interact directly with WMI classes to silently trigger snapshots without spawning monitored processes.
  • Diskshadow.exe Scripts. This is a Microsoft-signed binary. Attackers use it to execute shadow copy commands via external text scripts (e.g., diskshadow /s script.txt), which often bypass basic command-line monitoring.
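A defender-side check for the two snapshot paths just described, written as an added example that is not part of the original article. It lists the shadow copies present on a domain controller through the same Win32_ShadowCopy class attackers can drive over WMI (which spawns no separate process, so a process-based alert never fires) and pulls recent process-creation events for diskshadow.exe and vssadmin.exe. It assumes an elevated session on the DC, that Security auditing of process creation (Event ID 4688) is enabled, and that the "include command line in process creation events" policy is on (otherwise the CommandLine column is blank); the 24-hour window and the two image names are assumptions to tune.

```powershell
# Added example (not from the original article): inventory shadow copies on this
# domain controller and list recent launches of snapshot utilities, so that
# snapshots nobody scheduled can be reviewed. Assumes elevation, 4688 auditing
# and command-line logging; the window and image names are placeholders to tune.

$since   = (Get-Date).AddHours(-24)
$watched = @('diskshadow.exe', 'vssadmin.exe')

function Get-ShadowCopyInventory {
    # Most DCs should return nothing here. Anything that backup software did not
    # create, or that is marked ClientAccessible, deserves a closer look.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate, OriginatingMachine, ClientAccessible, Persistent
}

function Get-SnapshotUtilityEvents {
    param([datetime]$StartTime, [string[]]$ImageNames)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4688 stores its fields as <Data Name="...">; flatten them into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Image       = $data['NewProcessName']
                CommandLine = $data['CommandLine']
                Parent      = $data['ParentProcessName']
            }
        } |
        # Match on the image file name rather than on command-line text, so a
        # script-driven run (diskshadow /s file.txt) is caught as well.
        Where-Object { $ImageNames -contains ([IO.Path]::GetFileName([string]$_.Image)).ToLowerInvariant() }
}

$copies = @(Get-ShadowCopyInventory)
$events = @(Get-SnapshotUtilityEvents -StartTime $since -ImageNames $watched)

"Shadow copies present on ${env:COMPUTERNAME}: $($copies.Count)"
$copies | Format-Table -AutoSize

"Snapshot-utility launches since ${since}: $($events.Count)"
$events | Sort-Object Time | Format-Table -AutoSize -Wrap

# A shadow copy created inside the window with no diskshadow/vssadmin launch at
# all is the WMI pattern the text describes: the snapshot exists, but no
# monitored process was ever spawned to make it.
$silent = $copies | Where-Object { $_.InstallDate -ge $since -and $events.Count -eq 0 }
if ($silent) {
    Write-Warning ("{0} shadow copy(ies) created since {1} with no diskshadow/vssadmin process event; check WMI activity and backup jobs." -f @($silent).Count, $since)
}
```

Run it on each DC (or remotely through Invoke-Command) and compare the inventory against your backup schedule; a snapshot that matches no backup job is the finding. Because WMI-created snapshots leave no utility process behind, the inventory step is the one that catches them, and the 4688 query only covers the diskshadow and vssadmin paths.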

2026 Threats Blinding Your Security Tools

Many sophisticated ransomware syndicates now use EDR Killer tools. They apply a method called Bring Your Own Vulnerable Driver (BYOVD).

  1. The attacker installs a legitimate, signed hardware driver that has a known vulnerability. 
  2. Then, they exploit the flaw to get into the Windows kernel. 
  3. From there, they can surgically blind your security software. 
  4. Once the security agent is disabled, they steal the NTDS.dit file with absolute impunity. 

They don't even have to wait for the server to be off; they simply extract live VM disk snapshots (like delta .vmdk or .avhdx files) directly from your hypervisor datastore.

Hardening Your Identity Perimeter

Securing the NTDS.dit location requires a strategy that moves beyond just watching for file copies. To effectively protect your network’s crown jewels, you must combine native platform hardening with independent technical validation.

1. Fix Your ACLs

A common way attackers steal hashes without touching the file is a DCSync attack. This mimics how domain controllers share data. 

You can prevent this by auditing your Active Directory Access Control Lists (ACLs). Ensure that only legitimate Domain Controller accounts have both the Replicating Directory Changes and Replicating Directory Changes All permissions at the domain root.
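The ACL audit described above, as an added example that is not part of the original article. It reads the security descriptor of the domain head, works out which principals hold the replication extended rights, and flags any holder of both rights that is outside an allow-list. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the domain object's ACL. The allow-list is an assumption to adapt to your forest: domain controllers and the Enterprise Domain Controllers group need these rights to replicate, and BUILTIN\Administrators holds them by default.

```powershell
# Added example (not from the original article): list who holds the replication
# rights on the domain root and flag anything outside an allow-list. Assumes the
# ActiveDirectory module and read access to the domain head's ACL; the
# allow-list below is an assumption to adapt to your environment.

Import-Module ActiveDirectory

# Extended-right GUIDs (schema-defined, identical in every forest) for the two
# permissions the text names, plus the filtered-set variant of the same family.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}
$NullGuid = '00000000-0000-0000-0000-000000000000'

$domain  = Get-ADDomain
$Allowed = @(
    "$($domain.NetBIOSName)\Domain Controllers",
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators'
)

function Get-ReplicationRightHolders {
    param([string]$DistinguishedName = $domain.DistinguishedName)

    $acl     = Get-Acl -Path "AD:\$DistinguishedName"
    $holders = @{}

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [string]$ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString().ToLowerInvariant()

        # Work out which replication rights this one ACE confers. Full control,
        # and an ExtendedRight ACE with the null GUID, grant every extended right.
        $granted = @()
        if ($rights -match 'GenericAll') {
            $granted = @($ReplRights.Values)
        } elseif ($rights -match 'ExtendedRight') {
            if ($ReplRights.ContainsKey($guid)) { $granted = @($ReplRights[$guid]) }
            elseif ($guid -eq $NullGuid)        { $granted = @($ReplRights.Values) }
        }
        if ($granted.Count -eq 0) { continue }

        $id = $ace.IdentityReference.Value
        if (-not $holders.ContainsKey($id)) { $holders[$id] = @{} }
        foreach ($g in $granted) { $holders[$id][$g] = $true }
    }

    foreach ($id in $holders.Keys) {
        $has = $holders[$id]
        [pscustomobject]@{
            Identity      = $id
            GetChanges    = $has.ContainsKey('Replicating Directory Changes')
            GetChangesAll = $has.ContainsKey('Replicating Directory Changes All')
            # Pulling secrets by replication needs both rights; one alone is far less useful.
            CanDCSync     = $has.ContainsKey('Replicating Directory Changes') -and $has.ContainsKey('Replicating Directory Changes All')
            Allowed       = $Allowed -contains $id
        }
    }
}

$report = @(Get-ReplicationRightHolders)
$report | Sort-Object Allowed, Identity | Format-Table -AutoSize

$unexpected = @($report | Where-Object { $_.CanDCSync -and -not $_.Allowed })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} principal(s) outside the allow-list hold both replication rights: {1}" -f $unexpected.Count, ($unexpected.Identity -join ', '))
}
```

Two caveats when reading the report. Some products legitimately need both rights (a directory synchronisation service account is the usual case), so add those to the allow-list rather than stripping them blindly. And GenericAll is treated as equivalent to holding the rights because full control on the domain head confers every extended right, which is why the audit must look past ACEs that name the replication GUIDs explicitly.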

2. Tier 0 Administrative Tiering

While stealing the file is a primary goal, attackers also try to dump the database keys directly from memory.

To protect your domain controllers, you must enforce strict administrative tiering. This means restricting interactive logons to your DCs to only Secure Admin Workstations (SAWs). 

Also enable LSA Protection (RunAsPPL) on your DCs. This ensures that the Local Security Authority (LSA) process runs as a protected process and prevents non-trusted processes from reading its memory or injecting code. It effectively isolates the LSA memory space from credential dumping tools, even if an attacker gains administrative rights.
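A check for the RunAsPPL setting just described, added here as an example that is not part of the original article. It reports whether LSA Protection is configured in the registry and whether LSASS actually started protected at the last boot (the two differ until the server reboots), counts the CodeIntegrity events that audit mode uses to reveal non-compliant LSA plug-ins, and sets the documented value when asked. It assumes an elevated session on the DC; the -Audit and -Enable switch names are this example's own.

```powershell
# Added example (not from the original article): report the state of LSA
# Protection on this DC and optionally turn on audit mode or enforcement.
# Assumes an elevated session; the switch names are this script's own.
param(
    [switch]$Enable,
    [switch]$Audit
)

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-LsaProtectionStatus {
    $configured = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # At boot, WinInit writes System log Event ID 12 when LSASS starts protected
    # ("LSASS.exe was started as a protected process with level: 4").
    $boot = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Events 3065/3066 in the CodeIntegrity operational log name modules that
    # LSASS loaded (or would load) without meeting the signing requirement; they
    # are what audit mode exists to surface before enforcement is switched on.
    $blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        RunAsPPL            = if ($null -eq $configured) { 'not set' } else { $configured }
        ProtectedAtLastBoot = [bool]$boot
        NonCompliantModules = @($blocked).Count
    }
}

if ($Audit) {
    # Audit mode logs what would be blocked without enforcing. Review the
    # 3065/3066 count after a reboot and some run-time before enabling.
    New-Item -Path $AuditKey -Force | Out-Null
    New-ItemProperty -Path $AuditKey -Name AuditLevel -PropertyType DWord -Value 8 -Force | Out-Null
}

if ($Enable) {
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'RunAsPPL set to 1; LSA Protection takes effect after the next reboot.'
}

Get-LsaProtectionStatus | Format-List
```

Run it with -Audit first, reboot, and let the DC operate for a while: a NonCompliantModules count above zero means some LSA plug-in (a third-party password filter or authentication package, typically) would be blocked and needs to be replaced before enforcement. On UEFI systems with Secure Boot, RunAsPPL=1 also records the setting in a UEFI variable that survives removal of the registry value, so it is worth treating enablement as a one-way step.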

3. Hypervisor Security

Most domain controllers are now virtual machines. An attacker who compromises your hypervisor can download the virtual disk files (like delta .vmdk or .avhdx files) directly from your datastore. 

You must use hypervisor-level encryption to ensure that even if the virtual disk is stolen or cloned while running, it remains unreadable to the adversary.

4. Independent Penetration Testing

Internal teams are often too close to their own infrastructure to see the subtle, multi-stage paths an attacker might take to reach the NTDS.dit location. Relying solely on internal reviews can lead to institutional blindness, where known workarounds are ignored until they are exploited. 

This is why a manual internal penetration test from a reputable external vendor like 7ASecurity is vital.

External specialists bring a fresh, adversarial perspective that internal tools can’t replicate. At 7ASecurity, we don't just check for patches; we simulate high-tier threat actors with clinical precision. 

We find the misconfigured shadow copy permissions and the weak administrative habits that scanners miss. Our reports are designed to be actionable, giving your team the know-how needed to close the gaps.

Our team comprises highly qualified and experienced experts. We provide the human element necessary to find the complex logic flaws in your Tier 0 defences. 

Our researchers are ready to identify the gaps in your identity vault. Are you? 

Secure Your Infrastructure Today

Frequently Asked Questions About the NTDS.dit Location

Does the NTDS.dit file stay the same size as my network grows?

No. The file size grows as you add more users, groups, and devices. In fact, if you delete objects, the file doesn't actually shrink; it just creates white space inside the database for new data. 

In Windows Server 2025, the new 32k page size makes the database more efficient at handling thousands of attributes, but it also means the file can grow much larger and more quickly than in older versions of Windows.

What happens if the NTDS.dit file is deleted or corrupted?

If the file is lost and you don't have a backup, your Active Directory will stop working. Users won't be able to log in, and you’ll lose all account data. This is why Windows locks the file while it is running. 

To fix a corrupted file, you usually have to boot into Directory Services Restore Mode (DSRM) and use a tool like ntdsutil to repair the database or restore it from a recent snapshot.

Can I move the NTDS.dit location to a different drive for safety?

Yes. Many architects move the database to a dedicated, encrypted drive (like the D: or E: drive) to keep it separate from the main Windows OS files. 

This can help with performance and makes it easier to apply specific security rules to just that drive. However, moving the file doesn't stop VSS-based Shadow Copy attacks; a hacker can still snap the new drive just as easily as they snap the C: drive.

Does BitLocker protect the NTDS.dit file from being stolen?

BitLocker protects the file at rest, meaning if someone physically steals the hard drive from your server, they can't read the data. 

However, BitLocker doesn’t protect the file while the server is turned on. If an attacker gains admin access while the server is running, BitLocker is already unlocked for the system, and they can steal the file using the Volume Shadow Copy tricks we discussed.

How do hackers steal the NTDS.dit file?

Attackers use the Volume Shadow Copy Service (VSS) via tools like diskshadow.exe or WMI to create a snapshot. This creates a backup copy of the file that isn't locked, allowing them to steal it without stopping your network services.

Can my antivirus stop someone from stealing this file?

Standard antivirus software often misses these attacks because hackers use Living off the Land techniques. Many attackers also use kernel drivers to blind your security tools before the theft begins.

How does 7ASecurity protect my directory?

We use manual, researcher-led penetration testing to find the logic flaws that allow attackers to escalate their privileges. We identify the specific gaps in your defences, like misconfigured ACLs or weak hypervisor settings, before real-world threat actors can exploit them.

Book Your Custom Security Audit