The reason why the hashes are different if you're getting them from the raw SAM file not through pwdump/cain, etc is because they are syskey encrypted.