Results 1 to 10 of 10

Thread: SAM file in %systemroot%\repair....

  1. #1
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002

    SAM file in %systemroot%\repair....

    Hey I have a general question. Ive noticed on Win2000 and WinXP their is a file called sam in the repair directory. I may be wrong, but couldn't somebody copy this file out of this directory with ease and later crack it.

    I know you can obtain SAM with NTFSDOS before boot up. But obtaining SAM right out of the folder while windoz is running, seems very insecure.

    thanks again


  2. #2
    Senior Member
    Join Date
    Jan 2003
    Since I'm seeing my account info listed in the File, you're probably right. I'm taking Win NT/2k security right now, and if no one has an answer for ya i'll be happy to ask my prof tomorrow morning in class.

    I'm sure their are precautions tho, first of all only Admin and the system have access to the file. As well if you're running a large network the file would be stored them on your PDC and BDC's in which case the user would need physical access to the system assuming it's completely locked down, as secondary servers are probably used for Services, and I doubt any admin would share those folders.

  3. #3
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    yeah good point and thanks

  4. #4
    Senior Member
    Join Date
    Nov 2001
    its the same sam file and thats exactly what happens with it br_fusion. you put it on a computer you have admin rights to and run LC
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Well "SAM" in system32 is 256kb and "sam" in repair is 20kb. they can't be the same file...well I wouldn't think so.

  6. #6
    Antionline Herpetologist
    Join Date
    Aug 2001
    That's the proverbial weak link in Win2K/XP. Though the file is only accessible by Administrators, if you have physical access to the system, it's fairly easy to copy it to a floppy and then run L0pht Crack on it.
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #7
    Join Date
    Dec 2002
    your right I remember reading a post once before that spoke of cracking Sam files. Surely there has to be a way to prevent it or restrict user rights to it. :grins: :-* It's windows, there's always something insecure.

  8. #8
    Senior Member
    Join Date
    Feb 2002
    It appears that this copy of the sam file only gets updated when you update the ERD, so if you don't update it, the sam file will be the same as when the machine was first built (accounting for the smaller file size)


    Saw mention on this list a while back (10/5/01) that it's a good
    practice to delete the 'repair' directory after making an Emergency Repair
    Disk, because some directory traversal exploits will try to extract the SAM
    from the %systemroot%\winnt\repair folder. That seems to be good advice
    for NT systems. However, I blindly carried that practice over to the
    Windows 2000 servers. That was a decidedly BAD idea. Once the repair
    folder is gone on a W2K system, any subsequent attempt to make an ERD will
    result in a "diskette is unusable" error message. There is, of course, no
    apparent connection between the error message and the problem ...

    The recovery process is fairly simple, but not particularly
    intuitive. If you create an empty %systemroot%\winnt\repair folder, the
    ERD process with the box checked to "Also back up the Registry" will create
    a RegBack subfolder under %systemroot%\winnt\repair but will still fail to
    create a recovery diskette. The solution that worked for me was to copy
    the three files (autoexec.nt, config.nt, and setup.log) from the previous
    ERD to the repair folder. At that point the "unusable" diskette
    experienced a full recovery.

    Going forward, one option might be to manually copy SAM to the ERD and
    delete it from it's new location of %systemroot%\winnt\repair\RegBack. Any
    thoughts from those more knowledgeable about this?


    Dave Owens
    link here

    hope this helps

  9. #9
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Would the SAM file in the repair directory be SYSKEY encrypted?

  10. #10
    Junior Member
    Join Date
    Jun 2002
    To be "kinda" secure one of the first things you need to do is remove the "everyone" group.
    Also disbale Lan Manager compatibility and null sessions.

    Not many people do this cause it's too much hassle. but the fact remains, if you don't have access to the repair folder there's not much you can do about it. no matter how many SAM crackers you have.

    If physical access to the machine is avilable reboot, boot with a stiffy and inject your own SID.

    happy days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts