As an assignment for a friend of mine in an information security class, he was told to get all of the info that he could out of the SAM on a Windows 2000/XP Box.

As I showed him links to pwdump2/walksam and others like them... I started to wonder.

Is there anything I'm missing? As far as I know, for the assignment he is allowed to have physical access to the machine. But what if he didn't? I know that RPC can be used in conjunction with regedit to view a remote computer's registry, but I'd be curious to know a bit more about the underlying properties that allow that technique to work.

I'm sure these questions seem simple, but I have about a year's experience in Computer Security, so don't be afraid to post a hex dump or shell code.


PS Is this in the right forum?