Windows Security — SAM (Security Account Manager)

SAM (Security Account Manager) is the DB in Windows that stores the user names/passwords of the local user defined on the system. By configuring SAM we allow users to authenticate to the local system (as opposed to login with a domain user — that I am going to elaborate in a future writeup). (https://www.calcomsoftware.com/what-is-windows-security-accounts-manager/)

Moreover, the SAM file is located at “%windir%\System32\config\SAM” which is mounted in the registry in the following “HKEY_LOCAL_MACHINE\SAM” (https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/credential-access/credential-dumping/security-account-manager-sam). In order to view its content we need to run as SYSTEM and Local Administrator is not enough — as shown in the screenshot below.

Thus, different hashes can be stored in SAM like LM hash and NTLM hash (more on those and others in future writeups). We can think about SAM as the equivalent of “/etc/passwd”, “/etc/shadow” and “/etc/group” files under Linux.

Because Microsoft wanted to increase the security around the hashes stored in SAM they have created SYSKEY. It uses a system key for encrypting to protect the account password information stored in the SAM. The system key can be saved locally, on a floppy disk or stored locally but protected by an admin password (https://learn.microsoft.com/en-us/windows-server/security/kerberos/system-key-utility-technical-overview).

Lastly, SYSKEY support was removed from Windows 10 version 1709 (https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/syskey-exe-utility-is-no-longer-supported). See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru).