Thats not my point. A person who has plain physical access to the box can take the SAM and crack it. Even if the cracking takes weeks or even months, he could come back later and access the system as root !. So..even if the administrator did find about this, his changing the
password would not stop the attacker. By the way you don't need to be root to access the SAM and replace it!!. Try it !