Comments on: What sam.bak can tell you about Users of a system http://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/ A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas. Sun, 12 Feb 2012 06:10:44 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: z0iidhttp://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/comment-page-1/#comment-235365 z0iid Thu, 10 Jan 2008 22:04:02 +0000 http://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/#comment-235365 I understand what you mean by saying "Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator." - but technically, it is. regedit hklm\sam\ right click on sam (beneath the first level sam), select permissions. give administrator full/read access. close regedit. reopen. now when you expand out sam, you have: hklm\sam\sam\ and a folder structure similar to users and groups. BUT - (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder - to effectively lockout a user if you so desired. [I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.] I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.

regedit

hklm\sam\

right click on sam (beneath the first level sam), select permissions. give administrator full/read access.

close regedit. reopen. now when you expand out sam, you have:

hklm\sam\sam\ and a folder structure similar to users and groups.

BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lockout a user if you so desired.

[I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.]

]]>