Understanding Windows Password Storage

Starting with Windows NT, Windows systems began storing their account user and hashed password data in one of two places: the Security Account Manager (SAM) file or Active Directory. Information about local accounts is stored in the local computer’s SAM file, which is located in the %SystemRoot%\System32\Config folder. This file exists as a registry hive file, which will be explained in more detail in Chapter 8, “The Registry Structure,” and is named simply SAM. An additional copy of this file may be found in the %SystemRoot%\Repair folder for use by system-recovery utilities in the event the working copy becomes corrupted. Note, however, that this copy is created during the initial installation of the operating ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.