SAM ? What’s that again ? SAM is the Security Account Manager and part of the Windows Registry. Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator. It is however possible to analyze the file sam.bak which can be found in the directory system32/config/ of your Windows installation.
You do need a special viewer to open sam.bak. One program that is capable of opening the file is Registry Viewer. It’s a commercial program that can be downloaded as a demo version, sufficient for our task. After installing the software start it and load the file sam.bak.
Now navigate to the folder \SAM\Domains\Account\Users which should open several subfolders. Each folder represents a user account on your system. If you select for instance the folder 000001F4 you will see that this is the default administrator account. Additional parameters are listed in that file including if this account uses a password to login, when and if the password was changed, the expiration time of the password, a country code and invalid logons.
This could be relevant in many occasions. Hackers could gain valuable information about a computer system just by analyzing this one file. They could find out if there are unprotected accounts and see if and when a user changed the password for the last time and the last time he was logged onto the system.
Read Related Posts
-
Windows Tip: Edit User Registry of other users
-
Howto log into windows xp if you lost your password
-
Check the amount of user accounts on your system
-
Allow users to format removable hard disks in Windows XP
-
Reset Windows Passwords if you cannot login anymore
-
Vista: Disable UAC for selected applications
-
Automatically login during Vista startup
-
Create a Password Reset Disk on USB in Windows XP
I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.
regedit
hklm\sam\
right click on sam (beneath the first level sam), select permissions. give administrator full/read access.
close regedit. reopen. now when you expand out sam, you have:
hklm\sam\sam\ and a folder structure similar to users and groups.
BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lockout a user if you so desired.
[I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.]