Comments on: What sam.bak can tell you about Users of a system http://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/ A technology blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas. Tue, 24 Nov 2009 23:47:09 -0600 http://wordpress.org/?v=2.8.6 hourly 1 By: z0iid http://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/#comment-235365 z0iid Thu, 10 Jan 2008 22:04:02 +0000 http://www.ghacks.net/2008/01/10/what-sambak-can-tell-you-about-users-of-a-system/#comment-235365 I understand what you mean by saying "Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator." - but technically, it is. regedit hklm\sam\ right click on sam (beneath the first level sam), select permissions. give administrator full/read access. close regedit. reopen. now when you expand out sam, you have: hklm\sam\sam\ and a folder structure similar to users and groups. BUT - (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder - to effectively lockout a user if you so desired. [I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.] I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.

regedit

hklm\sam\

right click on sam (beneath the first level sam), select permissions. give administrator full/read access.

close regedit. reopen. now when you expand out sam, you have:

hklm\sam\sam\ and a folder structure similar to users and groups.

BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lockout a user if you so desired.

[I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them "invisible" or "un-deletable". This is the way to view those entries.]

]]>