Security Account Manager

The Security Account Manager (SAM) is a database file^[1] in Windows XP, Windows Vista and Windows 7 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent forbidden users to gain access to the system.

The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY"). It can be enabled by running the syskey program.^[2]

Cryptanalysis

Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a "Blue Screen of Death" exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques (including pwdump), making the password hashes available for offline brute-force attack.

Removing LM hash

Most versions of Windows can be configured to disable the creation and storage of valid LM hashes when the user changes their password. This is the default setting in Windows Vista, but was disabled by default in previous versions of Windows. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash is otherwise stored. (This dummy value has no relationship to the user's password - it is the same value used for all user accounts.)

Related attacks

In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. mounting the Windows OS volume into an alternate operating system), the attacker could log in as any account with no password. This flaw was corrected with Windows XP, which shows an error message and shuts down the computer. However, there exist software utilities, which, by the aforementioned methodology of using either an emulated virtual drive, or boot disk (usually Unix/Linux) based environment to mount the local drive housing the active NTFS partition, and using programmed software routines and function calls from within assigned memory stacks to isolate the SAM file from the Windows NT system installation directory structure (default: %SystemRoot%/system32/config/SAM) and, depending on the particular software utility being used, removes the password hashes stored for user accounts in their entirety, or in some cases, modify the user account passwords directly from this environment.

This software has both a highly pragmatic and beneficial use as a password clearing or account recovering utility for individuals who have lost or forgotten their windows account passwords, as well as a possible use as a malicious software security bypassing utility. Essentially granting a user with enough ability, experience, and familiarity with both the cracking utility software and the security routines of the Windows NT kernel (as well as offline and immediate local access to the target computer) the capability to entirely bypass/remove the windows account passwords from a potential target computer. Only recently, Microsoft released a utility called LockSmith, which is part of MSDart. MSDart is not freely available to end-users, however.

See also

• chntpw
• Password file

References

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

Microsoft Windows components
Management tools	CMD.EXE Control Panel Applets Device Manager Disk Cleanup Disk Defragmenter Driver Verifier Event Viewer IExpress Management Console Netsh Recovery Console Resource Monitor Settings app Sysprep System Configuration System File Checker System Information System Policy Editor System Restore Task Manager Windows Error Reporting Windows Ink Windows Installer PowerShell Windows Update Windows Insider WinRE WMI
Apps	Calculator Calendar Character Map Cortana DVD Player Edge Fax and Scan Feedback Hub Groove Magnifier Mail Maps Media Player MSN apps (News, Weather, Sports, Money) Movie Maker Movies & TV Mobility Center Narrator Notepad OneDrive OneNote Paint People Photo Viewer Photos Remote Assistance Snipping Tool Solitaire Collection Sound Recorder Speech Recognition Skype Sticky Notes Store Wallet Windows To Go WordPad Xbox
Shell	Action Center Aero AutoPlay AutoRun ClearType Explorer Search Indexing Service IFilter Saved search Namespace Special folder Start menu Taskbar Task View Windows XP visual styles
Services	Service Control Manager BITS CLFS Multimedia Class Scheduler Shadow Copy Task Scheduler Error Reporting Wireless Zero Configuration
File systems	CDFS DFS exFAT IFS FAT NTFS Hard link Junction point Mount Point Reparse point Symbolic link TxF EFS ReFS UDF WinFS
Server	Domains Active Directory DNS Group Policy Roaming user profiles Folder redirection Distributed Transaction Coordinator MSMQ Windows Media Services Rights Management Services IIS Remote Desktop Services WSUS SharePoint Network Access Protection PWS DFS Replication Remote Differential Compression Print Services for UNIX Remote Installation Services Windows Deployment Services System Resource Manager Hyper-V Server Core
Architecture	Architecture of Windows NT Startup process CSRSS Desktop Window Manager Portable Executable EXE DLL Enhanced Write Filter Graphics Device Interface hal.dll I/O request packet Imaging Format Kernel Transaction Manager Library files Logical Disk Manager LSASS MinWin NTLDR Ntoskrnl.exe Object Manager Open XML Paper Specification Registry Resource Protection Security Account Manager Server Message Block Shadow Copy SMSS System Idle Process USER WHEA Win32 console Winlogon
Security	Security and Maintenance BitLocker Data Execution Prevention Family Safety Kernel Patch Protection Mandatory Integrity Control Protected Media Path User Account Control User Interface Privilege Isolation Windows Defender Windows Firewall
Compatibility	COMMAND.COM Virtual DOS machine Windows on Windows WoW64 Windows Subsystem for Linux
API	Active Scripting WSH VBScript JScript COM ActiveX ActiveX Document COM Structured storage DCOM OLE OLE Automation Transaction Server DirectX .NET Framework Windows Holographic Windows Runtime Universal Windows Platform
Discontinued	Games 3D Pinball Chess Titans FreeCell Hearts Hover! InkBall Hold 'Em Mahjong Titans Minesweeper Purble Place Reversi Solitaire Spider Solitaire Tinker Apps ActiveMovie Anytime Upgrade Address Book Backup and Restore Cardfile CardSpace Contacts Desktop Gadgets Diagnostics DriveSpace DVD Maker Fax File Manager Food & Drink Help and Support Center Health & Fitness HyperTerminal Internet Explorer Journal Internet Mail and News Media Center Meeting Space Messaging Messenger Mobile Device Center NetMeeting NTBackup Outlook Express Travel Photo Gallery Program Manager Windows Easy Transfer WinHelp Write Others ScanDisk File Protection Media Control Interface Next-Generation Secure Computing Base POSIX subsystem Interix Video for Windows Windows SideShow Windows Services for UNIX Windows System Assessment Tool