1st question: we know about that, and all tools in the Kali suite, as far as I'm concerned (last time I checked...), dump the wrong hash. Maybe this will be the time I'll write to Offensive Security to add our new (and working) version...
2nd question: it's due to backward compatibility: it's true that LM hashes are disabled by default, but you can still force Windows to enable them. Because of that, the registry keys holding those hashes also keep "a place" for the LM hashes, to guarantee backward compatibility. Because we deal with a raw binary registry key, and the program works in terms of simple offsets (where those hashes are stored), we dump the hash anyway.
There are 3 possibilities:
- LM is disabled: the space holding the hash is filled with 0s (so we dump what is called "the empty LM hash")
- LM is enabled but password not set: again, filled with 0s and again we dump the empty hash
- LM is enabled and a password is set: we dump the corresponding hash
So, if the doubt is: do we tell between the 1st and the 2nd case? The answer is, actually, no. I don't remember if that information is inside those same reg keys we use for the actual dump, or anywhere else... I could fix it up for sure on a "live" dump (on a live system); for an offline dump it depends on it, I won't add more keys to be exported, to maintain the same behavior as the other pwdump versions... I will check!
I hope everything is clear now... For further questions write to us @ email@example.com! I hope you (and I) will soon find pwdump8 in the Kali repo!
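
As an added example (not part of the reply above and not pwdump8 code), this audit helper reads dump lines and reports which accounts still carry a real LM hash, treating the empty LM hash as "disabled or no password" because the dump alone cannot separate those two cases. It assumes the common pwdump line layout `name:rid:lmhash:nthash:::`, which the reply does not spell out; the sample lines and their non-empty hash values are constructed.

```python
import re

# Well-known hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def classify(line):
    """Classify one dump line. Assumed layout: name:rid:lmhash:nthash:::"""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump-format line: %r" % line)
    name, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if not HEX32.match(lm):
        lm_status = "unrecognized"        # placeholder text or damaged field
    elif lm == EMPTY_LM:
        # Cases 1 and 2 from the reply look identical in the dump.
        lm_status = "empty-or-disabled"
    else:
        lm_status = "lm-hash-stored"      # case 3: a real LM hash is present
    return {"name": name, "rid": rid, "lm_status": lm_status,
            "nt_blank": nt == EMPTY_NT}

def audit(lines):
    """Return account names that still have a real LM hash stored."""
    return [r["name"] for r in map(classify, lines)
            if r["lm_status"] == "lm-hash-stored"]

# Constructed sample input; the non-empty hash values are made up.
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy_svc:1004:FEDCBA9876543210FEDCBA9876543210:0123456789abcdef0123456789abcdef:::",
]

if __name__ == "__main__":
    for entry in map(classify, SAMPLE):
        print(entry)
    print("accounts needing a password reset with LM storage off:", audit(SAMPLE))
```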