As I was enjoying a fine dinner of Lipton Italian Sides one night, I came across Adi’s post on how to copy an open file with shadow copies. Not bad, I thought, and stored that little nugget of knowledge away for when I might need to do just that.
A few minutes later I remembered an old email about pwdump horking a domain controller (yes, horking is a technical term…) and wondered if I could simply copy the SAM hive (%SystemRoot%\system32\config) using shadow copies. A few hours later, using Adi’s post as a reference, I came up with the code below.
There was one small hitch when I realized that since Windows 2000, the SAM is encrypted using the syskey. Fortunately, I came across InsidePro, which includes a couple utilities to help out:
<li><em>GetSyskey </em>will extract the SYSKEY key from the SYSTEM hive.</li> <li><em>GetHashes </em>extracts hashes in pwdump format using the previously extracted SYSKEY.</li>
Adding the decryption of the SAM into the script was pretty simple and by specifying this command, you will get yourself a nice list of hashes: VPass.bat hashes.txt