Parsing Windows Registry : SAM File

I’m currently doing some simple research on the Windows XP registry.

I took several registry files from a fresh Windows XP SP2 system. They are:

  • default
  • sam
  • security
  • software
  • system
  • userdiff and
  • ntuser.dat

To copy those files, I need to take the machine offline. My gentle reader, if you have a better way to do that, please let me know.

For the first experiment, I try to process the sam file. This file is very interesting because of its content: the local accounts, their timestamps and flags, and the local group memberships.

I just load that sam file in RegRipper and wait one or two minutes until the process is done:

And here is the report file. I’ve omitted some information for brevity:

User Information
-------------------------
Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain
Last Login Date : Sat Aug  2 05:15:00 2008 Z
Pwd Reset Date  : Tue Feb 26 18:13:25 2008 Z
Pwd Fail Date   : Mon Aug  4 01:30:56 2008 Z
Login Count     : 11
  --> Password does not expire
  --> Normal user account
Username        : SUPPORT_388945a0 [1002]
Full Name       : CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
User Comment    : This is a vendor's account for the Help and Support Service
Last Login Date : Thu Jan  1 00:00:00 1970 Z
Pwd Reset Date  : Sun Apr 30 07:12:37 2006 Z
Pwd Fail Date   : Mon Jun 16 05:57:37 2008 Z
Login Count     : 0
  --> Password does not expire
  --> Account Disabled
  --> Normal user account
Username        : ASPNET [1003]
Full Name       : ASP.NET Machine Account
User Comment    : Account used for running the ASP.NET worker process (aspnet_wp.exe)
Last Login Date : Thu Jan  1 00:00:00 1970 Z
Pwd Reset Date  : Sun Apr 30 07:30:41 2006 Z
Pwd Fail Date   : Mon Jun 16 05:57:36 2008 Z
Login Count     : 0
  --> Password does not expire
  --> Password not required
  --> Normal user account
Username        : HelpAssistant [1004]
Full Name       : Remote Desktop Help Assistant Account
User Comment    : Account for Providing Remote Assistance
Last Login Date : Thu Jan  1 00:00:00 1970 Z
Pwd Reset Date  : Tue Feb 26 18:13:19 2008 Z
Pwd Fail Date   : Mon Jun 16 05:57:37 2008 Z
Login Count     : 0
  --> Password does not expire
  --> Account Disabled
  --> Normal user account
-------------------------
Group Membership Information
-------------------------
Group Name    : Power Users [0]
LastWrite     : Sun Apr 30 00:03:39 2006 Z
Group Comment : Power Users possess most administrative powers with some restrictions.  Thus, Power Users can run legacy applications in addition to certified applications
Users         : None
Group Name    : Remote Desktop Users [0]
LastWrite     : Sun Apr 30 00:03:40 2006 Z
Group Comment : Members in this group are granted the right to logon remotely
Users         : None
Group Name    : Backup Operators [0]
LastWrite     : Sun Apr 30 00:03:39 2006 Z
Group Comment : Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
Users         : None
Group Name    : Administrators [5]
LastWrite     : Thu Jun 19 01:57:35 2008 Z
Group Comment : Administrators have complete and unrestricted access to the computer/domain
Users :
  S-1-5-21-1114226921-1517632708-2302219701-500
  S-1-5-21-1114226921-1517632708-2302219701-1005
  S-1-5-21-448539723-162531612-725345543-3248
  S-1-5-21-448539723-162531612-725345543-512
  S-1-5-21-448539723-162531612-725345543-2429

Wow… a lot of information can be gained from one sam file.

Thanks to keydet89 for developing RegRipper and releasing it as open source.
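As an added example (not from this post and not RegRipper’s own code), here is a small Python decoder for the per-user F value that the samparse plugin reads to produce the Last Login Date, Pwd Reset Date, Pwd Fail Date, Login Count and flag lines above. The field offsets follow my reading of samparse and should be treated as assumptions; the sample blob is constructed to mirror the Administrator entry in the report, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# Account control bits (ACB) stored in the low 16 bits at offset 0x38 of a user's F value.
ACB_FLAGS = {
    0x0001: "Account Disabled", 0x0002: "Home directory required",
    0x0004: "Password not required", 0x0008: "Temporary duplicate account",
    0x0010: "Normal user account", 0x0020: "MNS logon user account",
    0x0040: "Interdomain trust account", 0x0080: "Workstation trust account",
    0x0100: "Server trust account", 0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
F_LAYOUT = "<Q8xQQQI4xH6xHH"  # from offset 0x08: 4 FILETIMEs, RID, ACB flags, fail/logon counts (assumed)

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601) to UTC; 0 means the event never happened."""
    if ft == 0:
        return None  # RegRipper prints this case as the Unix epoch, as in the report above
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def parse_f_value(f):
    """Decode the fields samparse reports from one user's F value (offsets are assumptions)."""
    if len(f) < 0x08 + struct.calcsize(F_LAYOUT):
        raise ValueError("F value too short: %d bytes" % len(f))
    (last_login, pwd_reset, acct_expires, pwd_fail,
     rid, acb, failed_count, login_count) = struct.unpack_from(F_LAYOUT, f, 0x08)
    return {
        "rid": rid, "acb": acb, "failed_count": failed_count, "login_count": login_count,
        "last_login": filetime_to_datetime(last_login),      # 0x08
        "pwd_reset": filetime_to_datetime(pwd_reset),        # 0x18, also the account creation time
        "acct_expires": filetime_to_datetime(acct_expires),  # 0x20
        "pwd_fail": filetime_to_datetime(pwd_fail),          # 0x28, last incorrect password
        "flags": [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit],
    }

def build_sample_f():
    """Constructed 80-byte F blob mirroring the Administrator entry above (not a real hive)."""
    utc = timezone.utc
    ts = lambda *a: datetime_to_filetime(datetime(*a, tzinfo=utc))
    f = bytearray(80)
    struct.pack_into(F_LAYOUT, f, 0x08,
                     ts(2008, 8, 2, 5, 15), ts(2008, 2, 26, 18, 13, 25), 0, ts(2008, 8, 4, 1, 30, 56),
                     500, 0x0010 | 0x0200, 0, 11)  # RID 500, normal + pwd never expires, 0 fails, 11 logons
    return bytes(f)
```

Running `parse_f_value(build_sample_f())` yields the same RID, timestamps, login count and flag names that the Administrator block of the report shows, with the never-set account expiry reported as None.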


2 thoughts on “Parsing Windows Registry : SAM File”

  1. Nice research, mas :)
    I think the KPK (www.kpk.go.id) needs you to get more information from the laptops of corrupt government officials :)

    May I call Mr. Antasari Ashar to follow up? … he³
