I beleave that if you syskeyed your system, prog's like pwdump & l0pht will dump the sam and the hashs , even from a remote machine but they will not be able to crack it, (the new version of l0pht, i think can but im not at work to play with it) so if you used syskey as you should you might not be able to recover. and yes you do need root priv. on a box to dump the sam remotely.