SAM Registry Hive

Windows | Authentication & Access | Disk Image

Location

C:\Windows\System32\config\SAM

Description

Security Accounts Manager hive containing local user accounts, group memberships, password policy settings, and NTLM password hashes.

Forensic Value

Enumerating local accounts reveals rogue administrator accounts created for persistence. Comparing each account's last password change timestamp against the known compromise window identifies accounts likely tampered with by adversaries. Extracted NTLM hashes (decryptable only with the boot key from the SYSTEM hive) confirm whether pass-the-hash was feasible with the credentials the attacker could have obtained.

Tools Required

KAPE
RegRipper
Impacket secretsdump
Registry Explorer (Eric Zimmerman)