Printable View
I was wondering if anyone knows how applications like ERD Commander and LostPassword's WinKey reset the passwords of NT user accounts of syskey enabled machines(syskey passes stored on machine). I know they mount the SAM, but shouldn't it be encrypted?
The system needs to keep the password hashes in some form it can read. Otherwise it wouldn't be able to let you log in. Therefore, it needs to keep the key somewhere.
AFAIK, the syskey is stored somewhere else in the SAM, so utilities can use it.
As far as resetting the passwords is concerned, according to this doc
http://home.eunet.no/~pnordahl/ntpasswd/syskey.txt
If you insert old-style (i.e. unencrypted) entries into the SAM, Win2k automatically converts them on bootup into "proper" encrypted ones, which means you can then log in as those users.
It is futile to think you can protect a system from an attacker with physical access.