Re[2]: Hidden Sam (passwords) File on XP/2000 FileSystem

From: Phaedrus (
Date: 03/12/02

Date: Mon, 11 Mar 2002 15:57:22 -0800
From: Phaedrus <>
To: "R Hampson" <>

The "RP" directories in question are the restore points created by the
System Restore tool (either manually or automatically). Since System
Restore is designed to let you roll the machine back to a previous
state, I'm sure the restore-point directories include all sorts of
terribly interesting information; I'm not at all surprised that SAM
information is in there as well.

So this information isn't stored in this way unless the machine in
question is running System Restore (which, unless my memory is
failing, means that Win2K wouldn't store this informaiton, since it
doesn't include System Restore).

If you don't want attackers to access this information in this way,
you should either disable System Restore (and use some other backup
strategy), or set the permissions so that attackers can't have access
to it (which, arguably, the default permissions accomplish reasonably
well--if an attacker can execute code as SYSTEM, it's probably
game-over in any event).

Best regards,

>> Hidden Sam File on XP/2000 FileSystem >> >> Tested on XP, but should apply to 2000 >> >> Note sure if this has been talked about before, but here it goes... >> >> On the system partition, their is a directory called System Volume >> Information. Normally you cannot access this, but if you launch a >> cmd.exe via at scheduled AT job, then the shell since it is launched >> as NT AUTHORITY\SYSTEM can access this directory. >> >> From this shell if you cd to System Volume Information and do a dir >> /a (/a to see the hidden files) you should see something like: >> >> E:\System Volume Information>dir /a >> Volume in drive E is System >> Volume Serial Number is F052-44PK >> >> Directory of E:\System Volume Information >> >> 02/15/2002 22:13 <DIR> . >> 02/15/2002 22:13 <DIR> .. >> 02/07/2002 16:18 20,480 tracking.log >> 03/06/2002 11:56 <DIR> >> _restore{DD482C7B-8876-4FAD-9DDE-607V6F1041F6} >> 1 File(s) 20,480 bytes >> 3 Dir(s) 1,644,077,056 bytes free >> >> If you cd to the _restore* directory, then you should see a number of >> RP* directories. Within some of these RP* directories there will be >> another directory called snapshot within which you find a complete >> registry dumping including a file called _REGISTRY_MACHINE_SAM which >> is the SAM file for the machine. You can feed this to a password >> cracker to get the passwords. >> >> This technique can be useful when the backup SAM file in REPAIR is >> outdated or inaccessible or when the current SAM file cannot be >> dumped. All you need to do is run a process as NT AUTHORITY\SYSTEM. >> >> Thanks >> >> >> Susan Chan Lee >> Security Associates - Singapore >> e-mail: >> web: >> >>

Relevant Pages

  • Re: Computer Freezes or Very Slow - Windows Explorer
    ... Partitioning can speed things up - or slow things down. ... then disable System Restore on D: ... I don't stare at HJT logs all day, so the other guy's advice to post ... The pattern of slowdown you describe suggests possible shell ...
  • Re: MSUpdate says my services arent working (0x8DDD0018)
    ... What will you do if someday a restore from System Restore is called for? ... MVP Windows - Shell / User ... "Maurice N ~ MVP" wrote: ...
  • Re: system restore failure
    ... MVP Windows - Shell / User ... > I used system restore and it just seemed to freeze, ... > System Restore from the accessories, so I cannot restore my system to ...