ghacks Technology News

What sam.bak can tell you about Users of a system

SAM? What’s that again? SAM is the Security Account Manager and part of the Windows Registry. Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator. It is, however, possible to analyze the file sam.bak, which can be found in the directory system32/config/ of your Windows installation.

You need a special viewer to open sam.bak. One program that is capable of opening the file is Registry Viewer. It’s a commercial program that can be downloaded as a demo version, which is sufficient for our task. After installing the software, start it and load the file sam.bak.

Now navigate to the folder \SAM\Domains\Account\Users, which should open several subfolders. Each folder represents a user account on your system. If you select, for instance, the folder 000001F4, you will see that this is the default administrator account. Additional parameters are listed in that file, including whether this account uses a password to log in, if and when the password was changed, the expiration time of the password, a country code and invalid logons.

This could be relevant on many occasions. Hackers could gain valuable information about a computer system just by analyzing this one file. They could find out if there are unprotected accounts, see if and when a user last changed the password, and see the last time the user was logged on to the system.
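For administrators who want to review the same fields without a viewer, here is an added example (not part of the original article or of Registry Viewer) that decodes the binary F value stored under each Users subkey and lists password-related findings. The field offsets follow the layout described by public forensic tooling, which Microsoft does not document, so treat them as an assumption; the function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed 80-byte layout of the per-user "F" value, as described by public
# forensic tooling; Microsoft does not document it. "x" marks skipped bytes.
F_LAYOUT = struct.Struct("<8xQ8xQQQI4xH6xHH12x")
ACB = {0x0001: "account disabled", 0x0004: "password not required",
       0x0200: "password never expires", 0x0400: "account locked out"}

def from_filetime(ticks):
    """FILETIME (100 ns ticks since 1601) to UTC datetime; None means never."""
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Inverse of from_filetime, used only to build the constructed sample."""
    delta = dt - EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def parse_user(key_name, f_value):
    """Decode the F value of one Users subkey; key_name is its hex name."""
    if len(f_value) != F_LAYOUT.size:
        raise ValueError("unexpected F value length: %d" % len(f_value))
    logon, pw_set, expires, failed, rid, acb, bad, logons = F_LAYOUT.unpack(f_value)
    if rid != int(key_name, 16):
        raise ValueError("RID inside F does not match the key name")
    return {"rid": rid, "last_logon": from_filetime(logon),
            "password_last_set": from_filetime(pw_set),
            "account_expires": from_filetime(expires),
            "last_failed_logon": from_filetime(failed),
            "invalid_logons": bad, "logon_count": logons,
            "flags": [name for bit, name in ACB.items() if acb & bit]}

def audit(user, now, max_age_days=90):
    """Return the password-related findings for one parsed account."""
    findings = [f for f in user["flags"] if f.startswith("password")]
    pw_set = user["password_last_set"]
    if pw_set is None:
        findings.append("password never set")
    elif (now - pw_set).days > max_age_days:
        findings.append("password older than %d days" % max_age_days)
    return findings

# Constructed sample, not real data: built-in Administrator, RID 0x1F4 = 500.
SAMPLE = F_LAYOUT.pack(
    to_filetime(datetime(2008, 1, 9, 18, 30, tzinfo=timezone.utc)),
    to_filetime(datetime(2006, 3, 1, tzinfo=timezone.utc)),
    0x7FFFFFFFFFFFFFFF, 0, 0x1F4, 0x0214, 3, 42)
```

Calling `audit(parse_user("000001F4", SAMPLE), now)` returns the list of findings for that account; the 90-day threshold is an arbitrary default to adjust to local policy.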


About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.

Thursday January 10, 2008


Responses so far:

  1. z0iid says:

    I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.

    regedit

    hklm\sam\

    right click on sam (beneath the first level sam), select permissions. give administrator full/read access.

    close regedit. reopen. now when you expand out sam, you have:

    hklm\sam\sam\ and a folder structure similar to users and groups.

    BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lockout a user if you so desired.

    [I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.]
