HKLM\SAM holds local and domain account information, such as user
passwords, group definitions, and domain associations. By default, this
important key is unreadable by even the system administrator account. "SAM"
stands for the Security Access Manager and is essentially a database of
security information and user permissions and passwords. It is sometimes
referred to as the Windows local security database.
For the average home user there is no need to know any more than this about HKLM\SAM.
However, if you support Windows PCs for a living, the following information about HKLM\SAM may be useful.
1) The HKLM\SAM Hive path file is:
%SystemRoot%\System32\Config\Sam (e.g. C:\Windows\System32\Config\Sam)
2) It is an "alias" or "link" to the key HKLM\Security\SAM.
3) By default, Windows XP stores its logon passwords in HKLM\SAM as a "cryptographic hash" called the LM hash, rather than in clear text. Unfortunately this is not good news, because of the inherent security weaknesses of the LM hash discovered over the many years it has been in use. (There is actually a security setting in Windows XP that can stop LM hashes being stored for passwords, but for backwards compatibility it is NOT turned on by default!)
However, there is a way to stop Windows XP from storing an LM hash of your password: use a password that is at least 15 characters long.
In Windows Vista and Windows 7, password security is much stronger, as these more modern operating systems do not use LM hashes to store your logon passwords. Instead they take your logon password and apply some clever mathematics to it, called a "hashing function", which produces a 128-bit number. It is this number that is actually stored locally on the PC in the SAM, or in Active Directory if you are connecting to a network via a domain controller. This is far more secure than storing your password as an LM hash, which can be "cracked" by an experienced security professional – good or bad!
The Windows kernel will want to access the HKLM\SECURITY to read and
enforce the security policy applicable to the current user at logon.
It contains a "SAM" subkey which is dynamically linked to the SAM database of the domain onto which the current user is logged on (a local system domain, or the network domain controller via Active Directory).
As with HKLM\SAM it will look empty, even to system administrators, unless access is granted via the key's ACL (Access Control List), not something I recommend playing around with!
Viewing The HKLM\SECURITY and HKLM\SAM Hives
By default the Registry editor will not allow you to navigate your way through the HKLM\SAM and HKLM\SECURITY hives; they will appear empty if you try. These important Registry hives are protected by the System account, and the currently logged on user, even a member of the Administrators group, does not have permission to view them.
BUT what if you need to? For instance, if you are a network administrator there are valid times when you may need to check that a particular key exists.
The way I recommend is to use a 3rd party utility, from Mark Russinovich and Windows SysInternals, to force the Registry to open under the System Account.
This way you do not have to make any changes to the ACL (Access Control List) yourself, so limiting the potential for any mistakes. And as the utility only works per session that you initiate – there are no permanent access changes made to the Registry.
First you will need to download the PSTools utility pack from Windows SysInternals available here:
The actual utility you will be using is PsExec.exe.
Step 1) Unzip the downloaded files and place into a new folder called "PSTools" in the existing "Program Files" folder.
Step 2) In Windows XP go to Run on the Start menu and type in cmd then hit the OK button. The Command line window will now open.
In Windows Vista/Windows 7 you will have to launch the Command line with administrator privileges. Go to the Start menu and type in cmd. When the cmd icon appears in the search list, right-click it and select Run as administrator from the context menu.
Step 3) In the command prompt window (see Fig 1.0) you will need to change the directory to the folder where you placed the utilities – PSTools. Type the following:
cd "C:\Program Files\PSTools"
…now hit the enter key.
Now type the following to have PsExec.exe open the Registry editor under the local system account:
psexec.exe -s -i regedit.exe
…now hit the enter key.
The Registry editor will now open and you can navigate your way through the HKLM\SAM and HKLM\SECURITY hives – see Fig 1.1. When you have finished, just close the Registry editor window and the temporary elevation to system account authority will cease.
Fig 1.0: The Command Prompt Window
Fig 1.1: The Registry Editor displaying the HKLM\SAM and HKLM\SECURITY hives
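As an added example that is not part of the original article, the following PowerShell script audits, without changing anything, the three things discussed above from an elevated prompt: the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the setting that stops LM hashes being stored), the presence of the SAM hive file, and the ACLs on HKLM\SAM and HKLM\SECURITY. The list of "broad" principals it warns about is this script's own assumption, not something the article specifies.

```powershell
# Added audit example (not from the original article). Read-only: it reports
# the LM-hash policy and the ACLs on the protected hives, it does not edit them.
# Run from an elevated PowerShell prompt on Windows XP/Vista/7 or later.

# 1) NoLMHash = 1 means Windows will not store an LM hash of new passwords.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$noLm = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($noLm -eq 1) {
    Write-Output 'NoLMHash = 1: LM hashes are not stored for new passwords.'
} else {
    Write-Output "NoLMHash is '$noLm': LM hashes may still be stored (weak)."
}

# 2) The hive file is locked while Windows runs, so only check that it is there.
$samFile = Join-Path $env:SystemRoot 'System32\Config\SAM'
Write-Output ("SAM hive file present: {0}" -f (Test-Path -LiteralPath $samFile))

# 3) Who can read HKLM\SAM and HKLM\SECURITY? Administrators normally hold only
#    Read Control / Write DAC, which is enough to read the ACL but not the keys.
function Get-ProtectedHiveAccess {
    param([string]$Key)
    $acl = Get-Acl -Path "Registry::$Key"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Key      = $Key
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights
            Type     = $ace.AccessControlType
        }
    }
}

# Assumed list of principals that should never be able to read these hives.
$broadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Rights that actually let a principal read key contents (not just the ACL).
$readBits = [System.Security.AccessControl.RegistryRights]::QueryValues -bor
            [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys

foreach ($key in 'HKEY_LOCAL_MACHINE\SAM', 'HKEY_LOCAL_MACHINE\SECURITY') {
    $entries = Get-ProtectedHiveAccess -Key $key
    $entries | Format-Table -AutoSize
    $loose = $entries | Where-Object {
        $_.Type -eq 'Allow' -and $broadPrincipals -contains $_.Identity -and
        (($_.Rights -band $readBits) -ne 0)
    }
    if ($loose) {
        Write-Warning "$key grants read access to a broad principal: the ACL has been loosened."
    }
}
```

If the script warns on either key, compare the listed entries against another machine of the same Windows version before touching the ACL, since the default entries differ slightly between releases.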
In the second part of this article we will briefly explore some more Windows Registry security related topics.