OSEC

From: Susan Chan Lee (susan.leesecurityassoc.com)
Date: Wed Dec 31 1969 - 17:59:59 CST


    Hidden Sam File on XP/2000 FileSystem
      
    Tested on XP, but should apply to 2000
      
    Not sure if this has been talked about before, but here it goes...
      
    On the system partition, there is a directory called System Volume
    Information. Normally you cannot access this, but if you launch a
    cmd.exe via a scheduled AT job, then the shell, since it is launched
    as NT AUTHORITY\SYSTEM, can access this directory.
      
    From this shell if you cd to System Volume Information and do a dir
    /a (/a to see the hidden files) you should see something like:
      
    E:\System Volume Information>dir /a
    Volume in drive E is System
    Volume Serial Number is F052-44PK
      
    Directory of E:\System Volume Information
      
    02/15/2002 22:13 <DIR> .
    02/15/2002 22:13 <DIR> ..
    02/07/2002 16:18 20,480 tracking.log
    03/06/2002 11:56 <DIR> _restore{DD482C7B-8876-4FAD-9DDE-607V6F1041F6}
                    1 File(s) 20,480 bytes
                    3 Dir(s) 1,644,077,056 bytes free
     
    If you cd to the _restore* directory, then you should see a number of
    RP* directories. Within some of these RP* directories there will be
    another directory called snapshot, within which you find a complete
    registry dump, including a file called _REGISTRY_MACHINE_SAM, which
    is the SAM file for the machine. You can feed this to a password
    cracker to get the passwords.
      
    This technique can be useful when the backup SAM file in REPAIR is
    outdated or inaccessible or when the current SAM file cannot be
    dumped. All you need to do is run a process as NT AUTHORITY\SYSTEM.
      
    Thanks
      
      
    Susan Chan Lee
    Security Associates – Singapore
    e-mail: susan.leesecurityassoc.com
      web: http://www.securityassoc.com
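
An added example, not part of the original post: a defender-side audit that walks a System Volume Information tree and lists which restore points hold a `_REGISTRY_MACHINE_SAM` copy, so stale credential hives can be inventoried and purged. The function names, the placeholder GUID and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Layout from the post:
#   System Volume Information\_restore{GUID}\RP<n>\snapshot\_REGISTRY_MACHINE_SAM
RESTORE_DIR = re.compile(r"^_restore\{[^}]+\}$", re.IGNORECASE)
RP_DIR = re.compile(r"^RP(\d+)$", re.IGNORECASE)
SAM_COPY = "_REGISTRY_MACHINE_SAM"


def _subdirs(path, pattern, denied):
    """List child directories whose name matches pattern; note unreadable dirs."""
    try:
        return [p for p in path.iterdir() if p.is_dir() and pattern.match(p.name)]
    except PermissionError:
        denied.append(str(path))  # expected unless the audit runs with enough rights
        return []


def find_sam_snapshots(svi_root):
    """Return (findings, denied); findings are (restore_point, path, size_bytes)."""
    findings, denied = [], []
    for restore in _subdirs(Path(svi_root), RESTORE_DIR, denied):
        rps = _subdirs(restore, RP_DIR, denied)
        # Numeric sort so RP10 follows RP2 rather than RP1.
        for rp in sorted(rps, key=lambda p: int(RP_DIR.match(p.name).group(1))):
            sam = rp / "snapshot" / SAM_COPY
            # Only some RP* directories contain a snapshot, as the post notes.
            if sam.is_file():
                findings.append((rp.name, str(sam), sam.stat().st_size))
    return findings, denied


def build_constructed_tree(base):
    """Create a constructed sample tree (placeholder GUID, dummy file contents)."""
    restore = Path(base) / "_restore{00000000-0000-0000-0000-000000000000}"
    for rp, has_snapshot in (("RP1", True), ("RP2", False), ("RP10", True)):
        (restore / rp).mkdir(parents=True)
        if has_snapshot:
            (restore / rp / "snapshot").mkdir()
            (restore / rp / "snapshot" / SAM_COPY).write_bytes(b"\0" * 16)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hits, unreadable = find_sam_snapshots(build_constructed_tree(tmp))
        for rp, path, size in hits:
            print(f"{rp}: {path} ({size} bytes)")
        print("unreadable:", unreadable)
```

Each finding is a point-in-time copy of the account database, so passwords that were valid when that restore point was taken remain exposed until the restore point is removed.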