Windows Password Recovery - SAM explorer
SAM Explorer allows you to view, analyze and edit the properties and statistics of Windows user accounts. SAM, short for Security Account Manager, is an RPC server that manages the Windows accounts database. It stores passwords and private user data, groups the logical structure of accounts, configures security policy (e.g., password or account lockout policy), gathers statistics (last logon time, logon count, failed logon attempt count, etc.) and controls access to the database. The SAM database is stored in the registry (in the key HKEY_LOCAL_MACHINE\SAM\SAM), which is inaccessible to anyone except the system (even to administrators). On the physical level, the SAM database is a binary registry file named SAM, located in %WINDIR%\System32\Config, where %WINDIR% is the Windows installation folder.
In the beginning, the Wizard prompts you to select the type of the SAM database: local or external.
Please note: if you select a local database, for safety reasons the editor will not be available, and the database will open in read-only mode.
If you select the SAM database on an external computer, on the second step of the Wizard, specify the path to the SAM and SYSTEM registry files. By default, both files are located in C:\Windows\System32\Config. Keep in mind that Windows may also keep copies of the registry files in backup folders, such as C:\Windows\Repair or C:\Windows\Config\RegBack.
On the third step, move on to selecting the account you need to get the attributes for. Select the user and then click Next.
That gives you the list of attributes for the selected account. Selecting a certain attribute on the list shows the data common to that attribute at the bottom of the editor. To open it for editing, double-click on the data field; upon completion, select the save changes item on the context menu.
Description of SAM account attributes.
A 32-bit unsigned integer that stores the version of the data structure. It is divided into 2 WORDs: version major and version minor.
A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged on.
A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged off.
A 64-bit value, equivalent to a FILETIME, indicating the time at which a password was last updated.
A 64-bit value, equivalent to a FILETIME, indicating the time at which an account is no longer permitted to log on.
A 64-bit value, equivalent to a FILETIME, indicating the time at which an account last tried to log on unsuccessfully.
A 32-bit unsigned integer representing the RID of the account.
A 32-bit unsigned integer indicating the primary group ID of the account.
A 32-bit flag specifying characteristics of the account. The following values are attributes of a user account and can be combined by using a bitwise OR operation:
||The account is not enabled for authentication (disabled).
||The HomeDirectory attribute is required.
||The password-length policy does not apply to this user, i.e. the password is not required.
||This flag indicates that the user account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain.
||Specifies that the user is not a computer object, i.e. a default account type that represents a typical user.
||MNS account type.
||Specifies that the object represents a trust object. This is a permit to trust account for a Windows NT domain that trusts other domains.
||Specifies that the object is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.
||Specifies that the object is a Domain Controller.
||Specifies that the maximum-password-age policy does not apply to this user, i.e. the password should never expire on the account.
||The account has been locked out.
||Specifies that the cleartext password is to be persisted.
||The user can authenticate only with a smart card.
||This bit is used by the Kerberos protocol. It indicates that the "OK as Delegate" ticket flag MUST be set.
||This bit is used by the Kerberos protocol. It indicates that the ticket-granting tickets (TGTs) of this account and the service tickets obtained by this account are not marked as forwardable or proxiable when the forwardable or proxiable ticket flags are requested.
||This bit is used by the Kerberos protocol. It indicates that only des-cbc-md5 or des-cbc-crc keys are used in the Kerberos protocols for this account.
||This bit is used by the Kerberos protocol. It indicates that the account is not required to present valid pre-authentication data.
||Specifies that the password age on the user has exceeded the maximum password age policy, i.e. the password has expired.
||This bit is used by the Kerberos protocol and indicates that the account (when running as a service) obtains an S4U2self service ticket with the forwardable flag set.
||This bit is used by the Kerberos protocol and indicates that when the KDC is issuing a service ticket for this account, the privilege attribute certificate must not be included.
||Specifies that the object is a read-only domain controller (RODC).
||Use AES encryption; this bit is ignored and used internally.
A 16-bit unsigned integer indicating a country preference specific to this user. The space of values is the international country calling code. For example, the country code of the United Kingdom, in decimal notation, is 44.
A 16-bit unsigned integer indicating a code page preference specific to this user object. The space of values is the Microsoft code page designation.
A 16-bit unsigned integer indicating the number of bad password attempts.
A 16-bit unsigned integer indicating the number of times that the user account has been authenticated.
A 16-bit unsigned integer indicating that the account is a member of one of the administrative groups (directly or transitively).
A 16-bit unsigned integer indicating that the account is a member of the Operators group.
Unicode string that specifies the name of the user account.
Unicode string that contains the full name of the user.
Administrator comment associated with the user account.
Second user comment associated with the user account.
Extended user parameters. Microsoft products use this member to store user configuration information.
Unicode string specifying the path of the home directory for the user account.
Specifies the drive letter to assign to the user's home directory for logon purposes.
Unicode string specifying the path for the user's logon script file. The script file can be a .CMD file, an .EXE file, or a .BAT file.
Unicode string that specifies a path to the user's profile.
Unicode string that contains the names (separated by commas) of workstations from which the user can log on. Up to eight workstations can be specified. The account flag UF_ACCOUNTDISABLE can be used to disable logons to this account from all workstations.
21-byte bit string that specifies the times during which the user can log on. Each bit represents a unique hour in the week, in Greenwich Mean Time. The first bit is Sunday, 0:00 to 0:59; the second bit is Sunday, 1:00 to 1:59; and so on. Note that bit 0 in word 0 represents Sunday from 0:00 to 0:59 only if you are in the GMT time zone. In all other cases you must adjust the bits according to your time zone offset (for example, GMT minus 8 hours for Pacific Standard Time).
List of groups to which the user account belongs or does not belong.
LM password hash associated with the user account.
NTLM password hash associated with the user account.
LM password history hashes of the user account.
NTLM password history hashes of the user account.
User hint (displayed during unsuccessful logon).
Logon picture associated with the account.
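The FILETIME attributes and the 21-byte logon-hours bit string described above can be decoded together to check whether an account's last logon fell inside its permitted hours. The following Python sketch is an added example, not code from the product. It assumes bits are read least-significant first within each byte, treats a FILETIME of 0 as "never", and uses a constructed sample bitmap and timestamp; all function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 is treated as 'never'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def bit_set(logon_hours, slot):
    """Slot 0 is Sunday 0:00-0:59 GMT; bits are read least-significant first (assumption)."""
    return bool((logon_hours[slot // 8] >> (slot % 8)) & 1)

def local_schedule(logon_hours, utc_offset_hours):
    """Shift the GMT bitmap by a whole-hour offset -> {day: [allowed local hours]}."""
    if len(logon_hours) != 21:
        raise ValueError("logon hours must be 21 bytes (168 hourly bits)")
    sched = {day: [] for day in DAYS}
    for slot in range(168):
        if bit_set(logon_hours, slot):
            local = (slot + utc_offset_hours) % 168  # wraps across the week boundary
            sched[DAYS[local // 24]].append(local % 24)
    return {day: sorted(hours) for day, hours in sched.items()}

def logged_on_outside_hours(last_logon_ft, logon_hours):
    """True when the last-logon FILETIME falls in an hour the bitmap forbids."""
    when = filetime_to_utc(last_logon_ft)
    if when is None:
        return False  # account never logged on
    # datetime.weekday() is Mon=0..Sun=6, while the bitmap week starts on Sunday.
    slot = ((when.weekday() + 1) % 7) * 24 + when.hour
    return not bit_set(logon_hours, slot)

def build_sample_bitmap():
    """Constructed sample: Mon-Fri 09:00-16:59 Pacific Standard Time (GMT-8)."""
    bitmap = bytearray(21)
    for day in range(1, 6):
        for hour in range(9, 17):
            slot = (day * 24 + hour + 8) % 168  # local PST hour -> GMT slot
            bitmap[slot // 8] |= 1 << (slot % 8)
    return bytes(bitmap)

SAMPLE_HOURS = build_sample_bitmap()
SAMPLE_LAST_LOGON = 133490700000000000  # constructed: Sun 2024-01-07 03:00 UTC

if __name__ == "__main__":
    print(local_schedule(SAMPLE_HOURS, -8))
    print(filetime_to_utc(SAMPLE_LAST_LOGON),
          logged_on_outside_hours(SAMPLE_LAST_LOGON, SAMPLE_HOURS))
```

Read without the offset, the same bitmap shows a Saturday 0:00 GMT slot, which is the Friday 16:00 Pacific hour; this is why the bits must be shifted before the schedule is interpreted in local time.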