What sam.bak can tell you about Users of a system - gHacks Tech News

SAM? What's that again? SAM is the Security Account Manager and part of the Windows Registry. Unfortunately, though, it is not possible to access that part of the Registry directly, even if you are logged in as an administrator.

It is, however, possible to analyze the file sam.bak, which can be found in the directory system32/config/ of your Windows installation.

Please note that you may need sufficient privileges to access the folder.

You do need a special viewer to open sam.bak. One program that is capable of opening the file is Registry Viewer. It's a commercial program that can be downloaded as a demo version, which is sufficient for our task. After installing the software, start it and load the file sam.bak.

Now navigate to the folder \SAM\Domains\Account\Users, which should open several subfolders. Each folder represents a user account on your system. If you select, for instance, the folder 000001F4, you will see that this is the default administrator account.

Additional parameters are listed in that file, including whether this account uses a password to log in, whether and when the password was changed, the expiration time of the password, a country code and the number of invalid logons.

This could be relevant on many occasions. Hackers could gain valuable information about a computer system just by analyzing this one file. They could find out if there are unprotected accounts, see if and when a user last changed the password, and see when a user was last logged on to the system.

It also reveals when a user last logged in to the account, and whether an account is disabled.
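As an added example (not code from the article or from the Registry Viewer product), the following Python decodes the binary F value stored under each \SAM\Domains\Account\Users\<hex RID> subkey into the fields the viewer displays: RID, disabled flag, whether a password is required, last logon, password last set, expiry, last failed logon and the logon counters. The field offsets are the commonly documented F-value layout used by offline SAM parsers and are an assumption here, as is the constructed sample value; the country code field is left out.

```python
import struct
from datetime import datetime, timedelta, timezone

# Account-control (ACB) bits in the 16-bit field at offset 0x38 of the F value (assumed layout).
ACB_FLAGS = {0x0001: "Account disabled", 0x0004: "Password not required",
             0x0200: "Password does not expire", 0x0400: "Account locked out"}
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel the expiry field uses for "never"

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None if unset or never."""
    return None if ft in (0, NEVER) else WIN_EPOCH + timedelta(microseconds=ft // 10)

def parse_f_value(key_name, f_value):
    """Decode the F value of one Users\\<hex RID> subkey (assumed offsets, see lead-in)."""
    if len(f_value) < 0x44:
        raise ValueError("F value too short to hold the fixed-size header")
    # 0x08 last logon, 0x10 unused here, 0x18 password last set, 0x20 expiry, 0x28 last failed logon
    last_logon, _, pwd_last_set, expires, last_failed = struct.unpack_from("<5Q", f_value, 0x08)
    rid, _, acb = struct.unpack_from("<IIH", f_value, 0x30)       # 0x30 RID, 0x38 ACB flags
    failed_count, logon_count = struct.unpack_from("<HH", f_value, 0x40)
    return {
        "rid": rid,
        "rid_matches_key_name": rid == int(key_name, 16),  # e.g. 000001F4 -> 500
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "disabled": bool(acb & 0x0001),
        "password_required": not acb & 0x0004,
        "last_logon": filetime_to_datetime(last_logon),
        "password_last_set": filetime_to_datetime(pwd_last_set),
        "expires": filetime_to_datetime(expires),
        "last_failed_logon": filetime_to_datetime(last_failed),
        "failed_logon_count": failed_count,
        "logon_count": logon_count,
    }

def _filetime(dt):
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000

def sample_admin_f_value():
    """Constructed F value (not real data): RID 500, disabled, password set, one failed logon."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, _filetime(datetime(2008, 1, 10, 9, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 0x18, _filetime(datetime(2007, 12, 1, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 0x20, NEVER)
    struct.pack_into("<Q", buf, 0x28, _filetime(datetime(2008, 1, 9, 23, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, 0x30, 500)
    struct.pack_into("<H", buf, 0x38, 0x0001 | 0x0200)
    struct.pack_into("<HH", buf, 0x40, 1, 42)
    return bytes(buf)
```

On a real hive, feed parse_f_value the subkey name and the raw bytes of its F value as read by whatever hive parser you use; a mismatch between the RID in the key name and the RID inside the value is worth flagging in an examination.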

Update: You can use RegistryViewer for the same purpose as well. It supports all Registry files, including SAM, and can display their contents in its interface. Note that the file you need to open may have a different name depending on which operating system you are using. There are sam.rhk files, for instance, that you can open when you run Windows 7.

The main advantage of this method is that you only need this file, not access to the target machine, to find out information about all user accounts known on the machine.

Comments

  1. z0iid said on January 11, 2008 at 12:04 am
    I understand what you mean by saying “Unfortunately though it is not possible to access that part of the Registry directly even if you are logged in as an administrator.” – but technically, it is.

    regedit

    hklm\sam\

    right click on sam (beneath the first level sam), select permissions. give administrator full/read access.

    close regedit. reopen. now when you expand out sam, you have:

    hklm\sam\sam\ and a folder structure similar to users and groups.

    BUT – (validating your case here Martin) the information is basically gibberish. But you can delete, or change permissions on a sub key/folder – to effectively lock out a user if you so desired.

    [I have run across a few spyware/virus/malware instances that modified the attributes or security settings of a registry key, rendering them “invisible” or “un-deletable”. This is the way to view those entries.]
