The Security Accounts Manager is the gatekeeper of local identity on every Windows system. Every local user account, every NTLM password hash, every logon timestamp, and every group membership lives in this single registry hive — encrypted behind the system boot key but fully recoverable with the right tools and the SYSTEM hive.
What Is the SAM Hive?
The Security Accounts Manager (SAM) is a registry hive that stores the local user account database on every Windows installation from NT 3.1 (1993) through Windows 11. It contains one entry per local account under SAM\Domains\Account\Users, each identified by a Relative Identifier (RID). The default Administrator account always receives RID 500, Guest receives 501, and user-created accounts begin at 1000. Each account entry stores the username, NTLM password hash (in the V value), account creation date, last logon time, logon count, failed logon count, password last set timestamp, and account flags such as disabled, locked, or password-never-expires.
The SAM hive is loaded into the HKLM\SAM registry subtree at boot time. It is locked by the operating system while Windows is running — direct file access is denied to all processes including those running as SYSTEM. The password hashes stored within are double-encrypted: first with a per-account key derived from the user RID (the DES layer), then with the system boot key extracted from the SYSTEM hive. Without both the SAM and SYSTEM hives, hash extraction is not possible.
Domain-joined machines still maintain a local SAM. Domain accounts are authenticated against the domain controller (stored in ntds.dit), but any local accounts — including the built-in Administrator, service accounts, and break-glass accounts — remain in the SAM. Lateral movement investigations frequently reveal that attackers extracted the SAM to harvest local administrator credentials that were reused across the fleet.
The SAM hive records account creation timestamps, last logon times, and logon counts that survive password resets and user profile deletion. Even if an attacker deletes a user account, Volume Shadow Copies and forensic images preserve the SAM state at earlier points in time, allowing investigators to prove the account existed.
Location & Format
File Paths
| File | Path | Notes |
|---|---|---|
| SAM (live) | C:\Windows\System32\config\SAM | Locked by OS while running; requires raw copy or VSS |
| SAM (RegBack) | C:\Windows\System32\config\RegBack\SAM | Automatic backup (disabled by default on Win 10 1803+) |
| SYSTEM (required) | C:\Windows\System32\config\SYSTEM | Contains the boot key needed to decrypt SAM hashes |
| SAM (repair) | C:\Windows\repair\SAM | Legacy backup from original install; may contain initial hashes |
| Volume Shadow Copies | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{N}\ | Point-in-time snapshots; invaluable for deleted account recovery |
Internal Structure
The SAM hive is a standard Windows registry hive file (regf format). Its internal structure follows a fixed hierarchy rooted at SAM\Domains\Account. Two key subtrees contain the forensic data: Users (per-account entries keyed by RID in hexadecimal) and Names (username-to-RID mappings). Each user entry contains two critical binary values: F (fixed-length metadata including timestamps and flags) and V (variable-length data including the username string and encrypted password hashes).
F value (binary, 0x50 bytes): Contains last logon time (offset 0x08, FILETIME), account creation time (offset 0x18), password last set time (offset 0x28), last failed logon (offset 0x38), logon count (offset 0x42, WORD), and failed logon count (offset 0x44, WORD).
V value (binary, variable): Contains the username string, full name, comment, NT hash (encrypted), and LM hash (encrypted, usually empty on modern systems). Hash offsets are calculated from the V value header.
What It Reveals
| Data Point | Location in SAM | Forensic Value |
|---|---|---|
| NTLM password hash | V value (encrypted) | Enables pass-the-hash detection; compare against known-compromised hash databases |
| Account creation time | F value offset 0x18 | Proves when an account was created; detects backdoor accounts created during intrusions |
| Last logon time | F value offset 0x08 | Establishes most recent interactive logon; correlate with event logs |
| Logon count | F value offset 0x42 | Low count on old account suggests dormant/unused; high count on new account suggests active abuse |
| Failed logon count | F value offset 0x44 | Brute-force evidence; count resets on successful logon |
| Password last set | F value offset 0x28 | Detects password changes during incident; proves credential rotation (or lack thereof) |
| Account flags | F value offset 0x40 (UserAccountControl) | Disabled, locked, password-never-expires, no-password-required flags |
| Group memberships | SAM\Domains\Builtin\Aliases | RID-based membership lists for Administrators (0x220), Remote Desktop Users, etc. |
| Account names | SAM\Domains\Account\Names | Username-to-RID mapping; detects renamed Administrator accounts |
The UserAccountControl field is a bitmask. Key flags: 0x0001 = Account Disabled, 0x0004 = Password Not Required, 0x0010 = Account Locked Out, 0x0200 = Normal Account. An account with 0x0004 set is a significant finding — it means blank-password logon is permitted.
Forensic Use Cases
Backdoor Account Detection
After gaining initial access, adversaries frequently create local accounts for persistence. The SAM records the exact account creation timestamp in the F value. By comparing account creation times against the known timeline of the intrusion, investigators can identify accounts created by the attacker. A local account created at 03:17 AM on the date of initial compromise, with the password-never-expires flag set and membership in the local Administrators group, is a high-confidence indicator of persistence.
Credential Theft Investigation
When an attacker extracts the SAM hive (via reg save, Volume Shadow Copy access, or tools like mimikatz), they obtain NTLM hashes that enable pass-the-hash attacks across the network. The SAM itself does not record that it was copied, but correlating evidence includes: Event ID 4688 showing reg.exe save HKLM\SAM, Prefetch entries for mimikatz.exe or secretsdump.py, and file system artifacts ($MFT, $UsnJrnl) showing SAM copies in staging directories.
Password Reuse Analysis
Extracting NTLM hashes from multiple systems and comparing them reveals password reuse. If the local Administrator account on 47 workstations shares the same NTLM hash, a single compromised credential gives the attacker lateral movement across the entire fleet. This analysis is performed by extracting hashes from each SAM/SYSTEM pair and grouping by hash value.
Insider Threat — Account Manipulation
Insiders with local admin rights may enable the disabled Guest account, remove password requirements, or add accounts to privileged groups. The SAM records the current state of all flags, and Volume Shadow Copies preserve historical states. Comparing the SAM across VSS snapshots reveals exactly when an account was enabled, when its flags changed, and when group memberships were modified.
Acquisition Methods
Live System — Volume Shadow Copy
```bat
:: Create a shadow copy to bypass the OS file lock
:: (vssadmin create shadow exists on Windows Server only; on client editions
::  use: wmic shadowcopy call create Volume=C:\ )
vssadmin create shadow /for=C:
:: Confirm the shadow copy number used below with: vssadmin list shadows
:: Copy SAM and SYSTEM from the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Evidence\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Evidence\
:: Alternative: reg save (requires SYSTEM privileges)
reg save HKLM\SAM C:\Evidence\SAM
reg save HKLM\SYSTEM C:\Evidence\SYSTEM
```
Live System — KAPE Collection
```bat
:: KAPE target collects SAM, SYSTEM, SECURITY, SOFTWARE, DEFAULT
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives
:: Or use RawCopy to bypass NTFS locks directly
RawCopy.exe /FileNamePath:C:\Windows\System32\config\SAM /OutputPath:C:\Evidence\
RawCopy.exe /FileNamePath:C:\Windows\System32\config\SYSTEM /OutputPath:C:\Evidence\
```
Forensic Image — Direct Extraction
```bash
# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence
mkdir -p /analysis/sam
# Copy SAM and SYSTEM hives
cp /mnt/evidence/Windows/System32/config/SAM /analysis/sam/
cp /mnt/evidence/Windows/System32/config/SYSTEM /analysis/sam/
# Also grab RegBack copies if they exist
cp /mnt/evidence/Windows/System32/config/RegBack/SAM /analysis/sam/SAM.regback 2>/dev/null
cp /mnt/evidence/Windows/System32/config/RegBack/SYSTEM /analysis/sam/SYSTEM.regback 2>/dev/null
```
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| RegRipper (samparse) | Harlan Carvey | Open source (Perl) | Text | samparse plugin extracts all user account metadata from SAM |
| secretsdump.py | Impacket | Open source (Python) | Text | Extracts NTLM hashes; supports local SAM/SYSTEM pair or remote DCE/RPC |
| mimikatz | Benjamin Delpy | Open source | Text | lsadump::sam module; works on live system or offline hives |
| Registry Explorer | Eric Zimmerman | Free | GUI | Visual registry browser; auto-decodes F/V binary values |
| samdump2 | Objectif Securite | Open source | Text | Linux-native SAM hash extractor; requires SYSTEM hive |
| chntpw | Petter Nordahl-Hagen | Open source | Interactive | Can list accounts, reset passwords, and edit SAM offline |
Hash Extraction with secretsdump.py
```bash
# Extract NTLM hashes from offline SAM + SYSTEM hives
secretsdump.py -sam /analysis/sam/SAM -system /analysis/sam/SYSTEM LOCAL
# Output format: username:RID:LMhash:NThash:::
# (aad3b435... is the empty LM hash; 31d6cfe0... is the NT hash of an empty password)
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
```
Account Metadata with RegRipper
```bash
# Run the samparse plugin against the SAM hive
rip.pl -r /analysis/sam/SAM -p samparse
# Output includes per-account:
# Username, Full Name, Account Created, Last Login
# Password Last Set, Login Count, Failed Login Count
# Account Flags (Disabled, Locked, PW Never Expires, etc.)
# Group Memberships (Administrators, Remote Desktop Users, etc.)
```
Sample Output — Backdoor Account Detection
```text
Username        : svc_backup
Full Name       :
Account Created : 2026-02-14 03:17:42 UTC
Last Login      : 2026-02-14 03:18:01 UTC
Pwd Last Set    : 2026-02-14 03:17:42 UTC
Login Count     : 1
Failed Logins   : 0
Flags           : Password does not expire | Normal account
Groups          : Administrators, Remote Desktop Users
```
This account was created at 03:17 UTC — outside business hours. It was added to both Administrators and Remote Desktop Users immediately. The password-never-expires flag was set at creation time. Login count of 1 with the last login 19 seconds after creation suggests the attacker verified access once, then relied on other channels. The empty Full Name field is atypical for legitimate service accounts, which are usually documented. Cross-reference the creation timestamp with Security.evtx Event ID 4720 (account created) and 4732 (member added to local group).
Retention & Persistence
| Property | Detail |
|---|---|
| Retention period | Permanent — entries exist for the lifetime of the OS installation |
| Survives reboot | Yes — registry hive is persisted to disk |
| Survives password reset | Yes — account metadata (creation date, logon count) persists; only the hash changes |
| Survives user profile deletion | Yes — SAM is system-level, independent of user profiles |
| Survives account deletion | No — the account entry is removed from the active SAM; recoverable from VSS or forensic carving |
| RegBack copies | Automatic backup to RegBack\ (disabled by default on Windows 10 1803+ unless re-enabled via registry) |
| Update trigger | Modified on any account change: logon, password change, flag change, group membership change |
Starting with Windows 10 version 1803, Microsoft disabled automatic registry backups to the RegBack directory. The folder still exists but the files are 0 bytes. To re-enable, set HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager\EnablePeriodicBackup to 1 (DWORD). On older systems, RegBack copies can provide historical SAM states that predate the current hive.
Boot Key & Encryption
SAM password hashes are not stored in cleartext. The encryption scheme uses a two-layer approach that requires the SYSTEM hive to decrypt:
- Layer 1 — Boot Key (SysKey): The 128-bit boot key is derived from four registry keys in the SYSTEM hive: JD, Skew1, GBG, and Data under SYSTEM\CurrentControlSet\Control\Lsa. The key is obfuscated by distributing its bytes across the class names of these keys in a scrambled order.
- Layer 2 — Per-Account Key: Each account's hash is further encrypted using the account's RID as a DES key derivation input. This means identical passwords on accounts with different RIDs produce different encrypted values in the SAM.
- Windows 10 1607+ (AES): Modern systems use AES-128-CBC instead of the legacy RC4/DES scheme. The encryption algorithm is indicated by a revision field in the SAM structure. Tools like secretsdump.py automatically detect and handle both schemes.
Without the SYSTEM hive, the boot key cannot be derived, and the SAM hashes cannot be decrypted. Always collect both SAM and SYSTEM from the same machine at the same time. If collecting from Volume Shadow Copies, ensure both files come from the same snapshot to maintain key consistency.
Anti-Forensics Resilience
The SAM hive is a system-critical file protected by the operating system. It is locked while Windows is running and resides in a privileged directory. Standard cleanup tools do not target it.
| Tool | Clears SAM? | Explanation |
|---|---|---|
| CCleaner | No | No module targets registry hive files in System32\config\ |
| Eraser | No | Cannot access locked system files |
| SDelete | No | Wipes specified files; SAM is locked and not a standard target |
| BleachBit | No | No SAM cleaning module exists |
| net user /delete | Partial | Removes the account entry from the active SAM, but VSS snapshots and disk-level carving can recover it |
| wevtutil cl Security | No | Clears the Security event log, not the SAM hive; but destroys corroborating 4720/4722/4732 events |
| Offline password reset (chntpw) | Partial | Modifies the hash in the SAM but does not alter timestamps or logon counts |
Sophisticated attackers do not modify the SAM — they copy it. Using reg save HKLM\SAM, Volume Shadow Copy access, or tools like mimikatz (lsadump::sam), they extract hashes for offline cracking or pass-the-hash attacks. The SAM itself shows no evidence of being copied. Detection relies on correlating Event ID 4688 (process creation for reg.exe), Sysmon Event ID 1, Prefetch entries, and file system artifacts showing SAM copies in unexpected locations.
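The Credential Theft Investigation section and the paragraph above both note that the SAM records nothing when copied, so detection has to come from process-creation telemetry. The following detection logic is an added example (not code from the page or from any vendor); RECORDS are constructed stand-ins for Security Event ID 4688 / Sysmon Event ID 1 events, and their field names (host, time, image, cmdline) are an assumption rather than a real log schema.

```python
"""Detect SAM/SYSTEM hive extraction in process-creation telemetry.
Added example, not code from the page. RECORDS are constructed stand-ins for
Security 4688 / Sysmon Event ID 1 events; their field names are an assumption."""
import re

# Hives whose extraction enables credential dumping (SAM is useless without SYSTEM).
HIVE_KEY_RE = re.compile(r"(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)
HIVE_PATH_RE = re.compile(r"\\config\\(?:sam|system|security)\b", re.I)
SHADOW_RE = re.compile(r"harddiskvolumeshadowcopy\d+", re.I)
DUMP_TOOL_MARKERS = ("mimikatz", "secretsdump", "lsadump::sam")

RECORDS = [  # constructed sample telemetry
    {"host": "WS01", "time": "03:15:02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Temp\sam.hiv"},
    {"host": "WS01", "time": "03:15:10", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS02", "time": "03:40:44", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin create shadow /for=C:"},
    {"host": "WS02", "time": "03:41:05", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\Users\Public\s"},
    {"host": "WS03", "time": "04:02:19", "image": r"C:\Tools\python.exe",
     "cmdline": "python secretsdump.py -sam SAM -system SYSTEM LOCAL"},
    {"host": "WS04", "time": "09:00:00", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SOFTWARE D:\Backup\software.hiv"},  # benign: not a credential hive
]

def classify(record):
    """Return the names of every rule that fires for one process-creation record."""
    exe = record.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = record.get("cmdline", "")
    hits = []
    if exe in ("reg.exe", "reg") and re.search(r"\bsave\b", cmd, re.I) and HIVE_KEY_RE.search(cmd):
        hits.append("reg_save_credential_hive")
    if exe == "vssadmin.exe" and re.search(r"\bcreate\s+shadow\b", cmd, re.I):
        hits.append("shadow_copy_created")
    if SHADOW_RE.search(cmd) and HIVE_PATH_RE.search(cmd):
        hits.append("hive_read_via_shadow_copy")
    if any(m in exe or m in cmd.lower() for m in DUMP_TOOL_MARKERS):
        hits.append("credential_dump_tool")
    return hits

def scan(records):
    """Return (host, time, rule, cmdline) findings in telemetry order."""
    return [(r["host"], r["time"], rule, r["cmdline"])
            for r in records for rule in classify(r)]

def by_host(findings):
    """Rules seen per host; shadow copy creation plus a hive read on one host is the strongest signal."""
    out = {}
    for host, _, rule, _ in findings:
        out.setdefault(host, set()).add(rule)
    return out
```

Correlate each finding with Prefetch and $MFT/$UsnJrnl entries for the output path named in the command line, as the page describes.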
MITRE ATT&CK Detection Mapping
The SAM hive provides evidentiary support for detecting the following MITRE ATT&CK techniques:
| Technique | Name | SAM Evidence |
|---|---|---|
| T1003.002 | OS Credential Dumping: SAM | Direct target; extracted hashes enable pass-the-hash lateral movement |
| T1087 | Account Discovery | SAM enumeration reveals all local accounts, RIDs, and group memberships |
| T1136 | Create Account | Account creation timestamps in SAM F value prove when backdoor accounts were created |
| T1078 | Valid Accounts | Logon count and last logon time reveal which accounts were actively used during the intrusion window |
| T1098 | Account Manipulation | Flag changes (enabling disabled accounts, setting password-never-expires) are recorded in the SAM state |
| T1110 | Brute Force | Failed logon count in SAM tracks unsuccessful authentication attempts against local accounts |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship to SAM | Cross-Correlation Value |
|---|---|---|
| Security.evtx | Event IDs 4720 (account created), 4722 (enabled), 4724 (password reset), 4732 (added to group) | Provides the “who did it” context that SAM lacks — SAM records the state, Security.evtx records the actor |
| SYSTEM hive | Contains the boot key required to decrypt SAM hashes | Essential companion artifact; must be collected alongside SAM |
| NTUSER.DAT | Per-user registry hive; contains MRU lists, typed paths, recent documents | Associates account activity in SAM with specific user actions on the system |
| Prefetch | Execution evidence for credential dumping tools | Prefetch entries for mimikatz.exe, secretsdump, reg.exe corroborate SAM extraction |
| $MFT / $UsnJrnl | File system timestamps for SAM copies | Reveals when and where SAM copies were created (e.g., C:\Temp\SAM) |
| SRUM.db | Network usage per application | Can show network activity from credential dumping tools that exfiltrated SAM hashes |
References
- Impacket Project, “secretsdump.py” — https://github.com/fortra/impacket
- Harlan Carvey, “RegRipper — samparse plugin” — https://github.com/keydet89/RegRipper3.0
- Benjamin Delpy, “mimikatz — lsadump::sam” — https://github.com/gentilkiwi/mimikatz
- Eric Zimmerman, “Registry Explorer” — https://ericzimmerman.github.io/
- Microsoft, “Security Accounts Manager” — https://learn.microsoft.com
- SANS Institute, “Windows Forensic Analysis — SAM Hive” — https://www.sans.org/posters/windows-forensic-analysis/
- 13Cubed, “SAM, SYSTEM, and SECURITY Hive Analysis” — https://www.13cubed.com
- MITRE ATT&CK, “T1003.002: OS Credential Dumping: SAM” — https://attack.mitre.org/techniques/T1003/002/
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in credential theft investigations, SAM hive analysis, and pass-the-hash attack reconstruction across enterprise environments.
mjolnirsecurity.com — 24/7: +1 833 403 5875