Discussion span: 4 years. Last post by RainbowMatrix.

The SAM file is the local Security Accounts Manager file in Windows. There isn't an editor as far as I know; as you can imagine, this would be a breach in the security accounts db. There are tools that can be run against this file to crack user passwords.


Three locations of the SAM hashes are:

  • %systemroot%\system32\config

  • %systemroot%\repair (but only if rdisk has been run)

  • In the registry under HKEY_LOCAL_MACHINE\SAM

You can get your hands on this by:

1) Probably the easiest way to do this is to boot your target machine to an
alternate OS like NTFSDOS or Linux and just copy the SAM from the
%systemroot%\system32\config folder. It's quick, it's easy, and it's effective.
You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com).
The regular version of NTFSDOS is freeware, which is always nice, but only allows
for read-only access. This should be fine for what you want to do; however, if
you're the kind of person that just has to have total control and has some money to
burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll
cost you $299.

2) Once again, you may be able to obtain the SAM from %systemroot%\repair if rdisk
has been run and you are lucky enough to have a sloppy admin.

3) You can also get password hashes by using pwdump2. pwdump uses .DLL injection in
order to use the system account to view the password hashes stored in the registry.
It then pulls the hashes from the registry and stores them in a handy little text
file that you can then import into a password cracking utility like l0phtcrack.

4) The final way to obtain password hashes is to listen directly to the network
traffic as it floats by your computer and grab hashes using the above mentioned
