What sam.bak can tell you about Users of a system
SAM? What's that again? SAM is the Security Account Manager and part of the Windows Registry. Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.
It is however possible to analyze the file sam.bak which can be found in the directory system32/config/ of your Windows installation.
Please note that you may need sufficient privileges to access the folder.
You do need a special viewer to open sam.bak. One program that is capable of opening the file is Registry Viewer. It's a commercial program that can be downloaded as a demo version, sufficient for our task. After installing the software start it and load the file sam.bak.
Now navigate to the folder \SAM\Domains\Account\Users which should open several subfolders. Each folder represents a user account on your system. If you select for instance the folder 000001F4 you will see that this is the default administrator account.
Additional parameters are listed in that file including if this account uses a password to login, when and if the password was changed, the expiration time of the password, a country code and invalid logons.
This could be relevant in many occasions. Hackers could gain valuable information about a computer system just by analyzing this one file. They could find out if there are unprotected accounts and see if and when a user changed the password for the last time and the last time a user was logged on to the system.
It also reveals when a user logged in to the account the last time, and whether an account is disabled.
Update: You can use RegistryViewer for the same purpose as well. It supports all Registry files including SAM and can display the contents of it in its interface. Note that the file that you need to open may have a different name depending on which operating system you are using. There are sam.rhk files for instance that you can open when you run Windows 7.
The main advantage that this method has is that you only need this file and not access to the target machine to find out information about all user accounts known on the machine.
I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.
regedit
hklm\sam\
right click on sam (beneath the first level sam), select permissions. give administrator full/read access.
close regedit. reopen. now when you expand out sam, you have:
hklm\sam\sam\ and a folder structure similar to users and groups.
BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lockout a user if you so desired.
[I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them “invisible” or “un-deletable”. This is the way to view those entries.]