How to dump the Windows SAM file while the system is running?

Solution 1:

There is a simpler solution which doesn't need to manage shadow volumes or use external tools. You can simply copy SAM and SYSTEM with the reg command provided by microsoft (tested on Windows 7 and Windows Server 2008):

reg save hklm\sam c:\sam
reg save hklm\system c:\system

(the last parameter is the location where you want to copy the file)


You can then extract the hashes on a Linux system with package samdump2 (available on Debian: apt-get install samdump2):

$ samdump2 system sam
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0e2874fb130015aec4070975e2c6071:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:d0c0896b73e0d1316aeccf93159d7ec0:::

Solution 2:

It's not a permission issue – Windows keeps an exclusive lock on the SAM file (which, as far as I know, is standard behavior for loaded registry hives), so it is impossible for any other process to open it.

However, recent Windows versions have a feature called "Volume Shadow Copy", which is designed to create read-only snapshots of the entire volume, mostly for backups. The file locks are there to ensure data consistency, so they are unnecessary if a snapshot of the entire filesystem is made. This means that it is possible to create a snapshot of C:, mount it, copy your SAM file, then discard the snapshot.

How exactly to do this depends on your Windows version: XP needs an external program, Vista and 7 have vssadmin create shadow, and Server 2008 has the diskshadow command. The page Safely Dumping Hashes from Live Domain Controllers has more details on this process, as well as instructions and scripts.

Alternatively, there are tools such as samdump which abuse the LSASS process from various directions in order to extract all password hashes directly from memory. They might be much faster than VSS snapshots, but have a higher risk of crashing the system.

Finally, Google brings out this snippet, whose usefulness I cannot rate having never used metasploit myself:

meterpreter> use priv
meterpreter> hashdump