This is claudijd's TypePad Profile.
claudijd
Chicago, IL
https://twitter.com/#!/claudijd
Recent Activity
Ahinson - Yeah, thanks for the point of clarification on the encoding and why it's different. The blog post articulates the process I followed to get strings from the UTF16 content in my crude testing, which can be improved upon.
JayJay - Nice, like I said, "can be improved upon". Thanks!
Wanderer - Yeah, I had only done this testing on XP and Win8 before and had rarely set a hint for the user I was testing with. So that key in the SAM was new to me, as I noted above. Also, I had not seen that tool for erasing the hint before; I'll check that out. Thanks!
Terry - The focus here was to grab this information automatically as a remote attacker in the post-exploitation phase. To me (to use your own words) it would seem like "watching someone walk all the way around the block just to go to their next door neighbors house" if they spent the time to copy and paste this out of the registry user by user then mapped that back to the user in the Names hive. But anyway, thanks for your comments.
Janmoesen - I don't necessarily think this information needs to be encrypted. You are correct in that anyone who has physical access can guess a username and obtain the associated hint on a one-by-one basis. The focus of my additions was to obtain this information remotely as part of a post-exploitation process and steal all the hints on the system.
Woody - Thanks for the link, I'll check that out.
Franklinheath - Thanks, a couple of others have brought that up too on the pull request after it was merged. I'll probably submit another pull request to tighten that code up in Metasploit when I get a chance.
Unixtippse - Nice find, perhaps someone could extend the Mac OSX hashdump modules to grab those hints too.
claudijd is now following Mike Ryan
Jul 12, 2012
claudijd is now following Nicholas J. Percoco
Sep 15, 2011
claudijd is now following The Typepad Team
Sep 15, 2011