HKLM\SAM
HKLM\SAM holds local and domain account information, such as user
passwords, group definitions, and domain associations. By default, this
important key is unreadable by even the system administrator account. "SAM"
stands for the Security Access Manager and is essentially a database of
security information and user permissions and passwords. It is sometimes
referred to as the Windows local security database.
For the average home user there is no need to know any more than this about HKLM\SAM. However, if you support Windows PCs for a living, the following information about HKLM\SAM may be useful.
1) The HKLM\SAM hive is stored in the file %SystemRoot%\System32\Config\Sam (e.g. C:\Windows\System32\Config\Sam).
2) It is an "alias" or "link" to the key HKLM\Security\SAM.
3) By default, Windows XP stores its logon passwords in HKLM\SAM as a "cryptographic hash" called the LM hash, rather than in clear text. Unfortunately this is not good news, because of the inherent security weaknesses of the LM hash discovered over the many years it has been in use. (There is actually a security setting in Windows XP that turns off LM hash storage for passwords, but for backwards compatibility it is NOT turned on by default!)
However, there is a way to stop Windows XP from storing an LM hash of your password: use a password that is at least 15 characters long.
In Windows Vista and Windows 7, password security is much stronger, as these more modern operating systems do not use LM hashes to store your logon passwords. Instead they take your logon password and apply some clever mathematics to it, called a "hashing function", which produces a 128-bit number. It is this number that is actually stored locally on the PC in the SAM, or in Active Directory if you are connecting to a network via a domain controller. This is far more secure than storing your password as an LM hash, which can be "cracked" by an experienced security professional – good or bad!
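As an added example (not code from the original article), the following PowerShell function audits whether a machine still stores LM hashes. It reads the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which is the documented Windows setting the article alludes to but does not name; the function name and the -Remediate switch are my own.

```powershell
function Test-LmHashStorage {
    [CmdletBinding()]
    param(
        # Set this switch to apply the fix instead of only reporting (needs an elevated shell).
        [switch]$Remediate
    )
    # NoLMHash (DWORD) under the Lsa key: 1 = stop generating LM hashes at the next password change.
    $lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $noLmHash  = (Get-ItemProperty -Path $lsaPath -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    $osVersion = [Environment]::OSVersion.Version   # 5.1 = XP, 6.0 = Vista, 6.1 = Windows 7

    # On XP the value is absent by default, which behaves like 0 (LM hashes ARE stored).
    # Vista/7 ship with it set to 1, which is why they no longer keep LM hashes.
    $lmStored = ($null -eq $noLmHash) -or ($noLmHash -eq 0)

    if ($lmStored) {
        $advice = 'Set NoLMHash=1 (or enforce passwords of 15+ characters). ' +
                  'Accounts keep their existing LM hash until the password is next changed.'
    } else {
        $advice = 'OK: LM hashes are not generated for new passwords.'
    }

    if ($Remediate -and $lmStored) {
        # Creates or overwrites the value; takes effect for passwords set from now on.
        New-ItemProperty -Path $lsaPath -Name 'NoLMHash' -Value 1 -PropertyType DWord -Force | Out-Null
        $advice = 'NoLMHash set to 1. Have users change their passwords so the stored LM hash is dropped.'
    }

    if ($null -eq $noLmHash) { $shown = '<absent>' } else { $shown = $noLmHash }

    # New-Object PSObject works on PowerShell 2.0 (the newest version XP can run).
    New-Object PSObject -Property @{
        OSVersion      = $osVersion.ToString()
        NoLMHashValue  = $shown
        LmHashesStored = $lmStored
        Recommendation = $advice
    }
}

# Report only; add -Remediate from an elevated window to apply the setting.
Test-LmHashStorage | Format-List
```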
HKLM\SECURITY
The Windows kernel accesses HKLM\SECURITY at logon to read and enforce the security policy applicable to the current user. It contains a "SAM" subkey which is dynamically linked to the SAM database of the domain the current user is logged on to (the local system domain, or the network domain controller via Active Directory).
As with HKLM\SAM it will look empty, even to system administrators, unless ownership is granted via the key's ACL (Access Control List), which is not something I recommend playing around with!
Viewing The HKLM\SECURITY and HKLM\SAM Hives
By default the Registry editor will not allow you to navigate your way through the HKLM\SAM and HKLM\SECURITY hives; they will appear empty if you try. These important Registry hives are protected by the System account, and the currently logged on user, even a member of the Administrators group, does not have permission to view them.
BUT what if you need to? For instance, if you are a network administrator there are valid times when you may need to check that a particular key exists.
The way I recommend is to use a third-party utility, from Mark Russinovich and Windows SysInternals, to force the Registry editor to open under the System account.
This way you do not have to make any changes to the ACL (Access Control List) yourself, limiting the potential for mistakes. And as the utility only works for the session that you initiate, there are no permanent access changes made to the Registry.
First you will need to download the PSTools utility pack from Windows SysInternals, available here:
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
The actual utility you will be using is Psexec.exe:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Step 1) Unzip the downloaded files and place them in a new folder called "PSTools" inside the existing "Program Files" folder.
Step 2) In Windows XP go to Run on the Start menu, type in cmd and hit the OK button. The Command line window will now open.
In Windows Vista/Windows 7 you will have to launch the Command line with administrator privileges. Go to the Start menu and type in cmd. When the cmd icon appears in the search list, right-click it and select Run as administrator from the context menu.
Step 3) In the command prompt window (see Fig 1.0) you will need to change the directory to the folder where you placed the utilities – PSTools. Type the following:
cd %programfiles%\PSTools
…now hit the enter key.
Now you will need to type the following to have the utility Psexec.exe open the Registry editor under the local system account:
psexec.exe -s -i regedit.exe
…now hit the enter key.
The Registry editor will now open and you can navigate your way through the HKLM\SAM and HKLM\SECURITY hives – see Fig 1.1. When you have finished just close the Registry editor window and the temporary elevation to system account authority will cease.
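The three steps above as an added PowerShell example (not from the original article), with the checks a careful administrator makes before running PsExec: the tool is where Step 1 put it, the shell is elevated as Step 2 requires, and the hive really is unreadable to the current token. It assumes PsExec.exe sits in %ProgramFiles%\PSTools; the function name is mine.

```powershell
function Open-RegeditAsSystem {
    [CmdletBinding()]
    param(
        [string]$PsToolsPath = (Join-Path $env:ProgramFiles 'PSTools')
    )
    $psexec = Join-Path $PsToolsPath 'psexec.exe'
    if (-not (Test-Path $psexec)) {
        throw "PsExec not found at $psexec - unzip PSTools there first (Step 1)."
    }

    # Step 2 on Vista/7: the shell itself must be elevated, otherwise PsExec
    # cannot start a process under the Local System account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell window.'
    }

    # Confirm the article's point before bypassing it: even an elevated
    # administrator sees nothing under HKLM\SAM\SAM (empty or access denied).
    try {
        $visible = @(Get-ChildItem -Path 'HKLM:\SAM\SAM' -ErrorAction Stop).Count
        Write-Host "HKLM\SAM\SAM subkeys visible to this token: $visible"
    } catch {
        Write-Host "HKLM\SAM\SAM not readable as $($identity.Name): $($_.Exception.Message)"
    }

    # -s = run as the Local System account, -i = interactive on this desktop.
    # No ACL is changed; the System-level view ends when the regedit window is closed.
    & $psexec -accepteula -s -i regedit.exe
}

Open-RegeditAsSystem
```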
Fig 1.0: The Command Prompt Window
Fig 1.1: The Registry Editor displaying the HKLM\SAM and HKLM\SECURITY hives
In the second part of this article we will briefly explore some
more Windows Registry security related topics.

