As I was enjoying a fine dinner of Lipton Italian Sides one night, I came across Adi’s post on how to copy an open file with shadow copies. Not bad, I thought, and stored that little nugget of knowledge away for when I might need to do just that.
A few minutes later I remembered an old email about pwdump horking a domain controller (yes, horking is a technical term…) and wondered if I could simply copy the SAM hive (from %SystemRoot%\system32\config) using shadow copies. A few hours later, using Adi’s post as a reference, I came up with the code below.
There was one small hitch: since Windows 2000, the SAM has been encrypted using the syskey. Fortunately, I came across InsidePro, which includes a couple of utilities to help out:
- GetSyskey will extract the SYSKEY key from the SYSTEM hive.
- GetHashes extracts hashes in pwdump format using the previously extracted SYSKEY.
Adding the decryption of the SAM to the script was pretty simple. Run the following command and you will get yourself a nice list of hashes:
VPass.bat hashes.txt
Enjoy…
Here is a zip file containing the batch script, vshadow (for both 2k3 and XP from the Volume Shadow Copy SDK), and the two utilities mentioned above in one happy automated script: VPass.zip
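From the defender's side, the sequence above leaves a recognisable trail in process-creation logs: a shadow copy is created, the SAM and SYSTEM hives are copied out of the shadow copy device path, and a hash-extraction utility runs on the copies. The following is an added detection example, not part of the original post or the VPass script; it runs over constructed sample events in a simplified "timestamp host user command-line" form (the field layout and the hostnames are assumptions) and correlates a hive copy with a preceding shadow copy creation on the same host.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not real logs): "timestamp host user command-line".
SAMPLE_EVENTS = r"""
2009-03-02T21:14:03 DC01 CORP\jdoe "C:\Windows\System32\svchost.exe" -k netsvcs
2009-03-02T21:15:10 DC01 CORP\jdoe vshadow.exe -p -nw C:
2009-03-02T21:15:42 DC01 CORP\jdoe cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM C:\temp\SAM
2009-03-02T21:15:50 DC01 CORP\jdoe cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM C:\temp\SYSTEM
2009-03-02T21:16:05 DC01 CORP\jdoe GetSyskey.exe C:\temp\SYSTEM
2009-03-02T21:16:20 DC01 CORP\jdoe GetHashes.exe C:\temp\SAM syskey.txt
2009-03-02T23:00:00 FS02 CORP\backupsvc vssadmin create shadow /for=C:
""".strip().splitlines()

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
# Shadow copy creation: vshadow (the SDK tool the post uses), vssadmin, or WMI.
SHADOW_CREATE = re.compile(
    r"\b(vshadow(\.exe)?\b|vssadmin(\.exe)?\s+create\s+shadow|wmic(\.exe)?\s+shadowcopy\s+call\s+create)", re.I)
# A registry hive (SAM / SYSTEM / SECURITY) read out of a shadow copy device path.
HIVE_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM|SECURITY)\b", re.I)
# Utilities named in the post that turn the copied hives into password hashes.
CRED_TOOL = re.compile(r"\b(GetSyskey|GetHashes|pwdump\w*)(\.exe)?\b", re.I)


def detect(events, window=timedelta(minutes=10)):
    """Return (host, severity, reason, command_line) tuples for suspicious events.
    A hive copy within `window` of a shadow copy creation on the same host is high;
    with no preceding creation it is medium (a backup job may have made the snapshot)."""
    alerts, last_shadow = [], {}
    for line in events:
        m = LINE.match(line)
        if not m:
            continue
        ts, host, _user, cmd = m.groups()
        when = datetime.fromisoformat(ts)
        if SHADOW_CREATE.search(cmd):
            last_shadow[host] = when
            alerts.append((host, "info", "shadow copy created", cmd))
        elif HIVE_FROM_SHADOW.search(cmd):
            recent = host in last_shadow and when - last_shadow[host] <= window
            alerts.append((host, "high" if recent else "medium",
                           "registry hive copied from shadow copy", cmd))
        elif CRED_TOOL.search(cmd):
            alerts.append((host, "high", "hash extraction utility executed", cmd))
    return alerts
```

On the sample data the DC01 chain yields one info and four high alerts, while the lone vssadmin run on FS02 is only informational; the same copy command without a recent creation on that host is rated medium rather than high.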