Editing Security Account Manager

{{short description|Windows database that stores users' passwords}}
{{Multiple issues|
{{Technical|date=March 2012}}
{{More citations needed|date=September 2014}}
}}

The '''Security Account Manager''' ('''SAM''') is a database file<ref>{{cite web|title=Security Account Manager (SAM)|url=https://technet.microsoft.com/en-us/library/cc756748%28v=ws.10%29.aspx|work=TechNet|publisher=Microsoft|access-date=11 April 2014}}</ref> in Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.

The user passwords are stored in a hashed format in a [[Windows Registry#Hives|registry hive]] either as an [[LM hash]] or as an [[NTLM hash]]. This file can be found in <code>%SystemRoot%/system32/config/SAM</code> and is mounted on <code>HKLM/SAM</code> and <code>SYSTEM</code> privileges are required to view it.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY"). It can be enabled by running the [[syskey|<code>syskey</code>]] program.<ref>
{{cite web |title=How to use the SysKey utility to secure the Windows Security Account Manager database |url=http://support.microsoft.com/kb/310105|work=Support|publisher=Microsoft Corporation|access-date=12 April 2014}}
</ref> As of Windows 10 version 1709,  [[syskey|<code>syskey</code>]] was removed due to a combination of insecure security<ref>{{Cite web |last=Deland-Han |title=Syskey.exe utility is no longer supported - Windows Server |url=https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/syskey-exe-utility-is-no-longer-supported |access-date=2023-01-17 |website=learn.microsoft.com |language=en-us}}</ref> and misuse by bad actors to lock users out of systems.

==Cryptanalysis==
In 2012, it was demonstrated that every possible 8-character NTLM password hash permutation can be [[Password cracking|cracked]] in under 6 hours.<ref>{{cite web
| url=https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
| title=25-GPU cluster cracks every standard Windows password in <6 hours
| date=2012-12-10
| first=Dan
| last=Goodin
| publisher=[[Ars Technica]]
| access-date=2020-11-23}}</ref>
In 2019, this time was reduced to roughly 2.5 hours by using more modern hardware.<ref>{{Cite web|url=https://www.theregister.co.uk/2019/02/14/password_length/|title=Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs|last= Claburn |first=Thomas|date=February 14, 2019|website=www.theregister.co.uk|language=en|access-date=2020-11-26}}</ref><ref>{{Cite web|url=https://twitter.com/hashcat/status/1095807014079512579|title=hand-tuned hashcat 6.0.0 beta and 2080Ti (stock clocks) breaks NTLM cracking speed mark of 100GH/s on a single compute device|last=hashcat|date=2019-02-13|website=@hashcat|language=en|access-date=2019-02-26}}</ref>

In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a "[[Blue Screen of Death]]" exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques (including [[pwdump]]), making the password hashes available for offline [[brute-force attack]].

===Removing LM hash===
LM hash is a compromised protocol and has been replaced by NTLM hash. Most versions of Windows can be configured to disable the creation and storage of valid LM hashes when the user changes their password. Windows Vista and later versions of Windows disable LM hash by default. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash is otherwise stored. (This dummy value has no relationship to the user's password - it is the same value used for all user accounts.)

===Related attacks===
In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. mounting the Windows OS volume into an alternate operating system), the attacker could log in as any account with no password. This flaw was corrected with Windows XP, which shows an error message and shuts down the computer. However, there exist software utilities,<ref>An example of offline NT password attack utility: http://cdslow.org.ru/en/ntpwedit/index.html</ref> which, by the aforementioned methodology of using either an emulated virtual drive, or boot disk (usually Unix/Linux, or another copy of Windows like [[Windows Preinstallation Environment]]) based environment to mount the local drive housing the active NTFS partition, and using programmed software routines and function calls from within assigned memory stacks to isolate the SAM file from the Windows NT system installation directory structure (default: <code>%SystemRoot%/system32/config/SAM</code>) and, depending on the particular software utility being used, removes the password hashes stored for user accounts in their entirety, or in some cases, modify the user account passwords directly from this environment.

This software has both a highly pragmatic and beneficial use as a password clearing or account recovering utility for individuals who have lost or forgotten their Windows account passwords, as well as a possible use as a malicious software security bypassing utility. Essentially granting a user with enough ability, experience, and familiarity with both the cracking utility software and the security routines of the Windows NT kernel (as well as offline and immediate local access to the target computer) the capability to entirely bypass or remove the Windows account passwords from a potential target computer. Only recently, Microsoft released a utility called LockSmith, which is part of Microsoft [[Desktop Optimization Pack#Restore|Diagnostics and Recovery Toolset]] (DaRT).<ref>{{cite web |title=Overview of the Tools in DaRT 10 - Microsoft Desktop Optimization Pack |url=https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/dart-v10/overview-of-the-tools-in-dart-10 |website=learn.microsoft.com |access-date=15 November 2024 |language=en-us |date=20 April 2021 |publisher=[[Microsoft Corporation]]}}</ref> DaRT is not freely available to end-users, however.<ref>{{cite web |title=About DaRT 10 - Microsoft Desktop Optimization Pack |url=https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/dart-v10/about-dart-10 |website=learn.microsoft.com |publisher=[[Microsoft Corporation]] |access-date=15 November 2024 |language=en-us |date=20 April 2021}}</ref>

In July 2021, it was revealed there was a vulnerability within Windows 10 and Windows 11 that allowed low privileged users to access sensitive Registry database files including the SAM file.<ref>{{Cite news |last=Abrams |first=Lawrence |date=2021-07-20 |title=New Windows 10 vulnerability allows anyone to get admin privileges |url=https://www.bleepingcomputer.com/news/microsoft/new-windows-10-vulnerability-allows-anyone-to-get-admin-privileges/ |access-date=2024-11-12 |work=[[Bleeping Computer]]}}</ref>

==See also==
*[[chntpw]]
*[[Passwd#Password file|Password file]]

==References==
{{Reflist}}

{{Windows Components}}

[[Category:Microsoft Windows security technology]]
[[Category:Access control software]]