Home > Products > Windows Passwords > Windows Password Recovery > Screenshots > Forensic tools > SAM explorer
SAM editor and explorer
01.03.2024
New blog post
Dumping the history of users' IP addresses in Windows
20.02.2024
Reset Windows Password v14.1
IP addresses history viewer, fast disk search, local security editor and some more
02.01.2024
Wireless Password Recovery v6.9.0
A revision of the GPU health monitor along with some minor updates
23.12.2023
HAPPY NEW YEAR!
Happy New Year greetings and holidays discount

Articles and video

You may find it helpful to read our articles on Windows security and password recovery examples. Video section contains a number of movies about our programs in action

Windows Password Recovery - SAM explorer


SAM Explorer allows you to view, analyze and edit the properties and statistics of Windows user accounts. SAM, which is short for Security Account Manager, is an RPC server, which manages Windows accounts database and stores passwords and private user data, groups logical structure of accounts, configures security policy (e.g., password or account lockout policy), gathers statistics (last logon time, logon count, failed logon attempt count, etc.) and controls access to the database. The SAM database is stored in the registry (in the key HKEY_LOCAL_MACHINE\SAM\SAM), which is inaccessible to anyone, except the system (even to administrators). On the physical level, the SAM database is a binary registry file with the respective name, located in %WINDIR%\System32\Config, where %WINDIR% is the Windows installation folder.

In the beginning, the Wizard prompts you to select the type of the SAM database: local or external.

Please note: if you select a local database, for safety reasons, the editor will not be available, and the database will open in the read-only mode.

SAM database selection



If you select the SAM database on an external computer, on the second step of the Wizard, specify the path to the SAM and SYSTEM registries. By default, both the files are located in C:\Windows\System32\Config. Keep in mind that Windows can providently store copies of the registry files in the backup folders, such as C:\Windows\Repair or C:\Windows\ Config\RegBack.
Loading SAM database


On the third step, move on to selecting the account you need to get the attributes for. Select the user and then click Next.
Selecting user account in SAM database


That gives you the list of attributes for the selected account. Selecting a certain attribute on the list shows the data common to that attribute at the bottom of the editor. To open it for editing, double-click on the data field; upon completion, select the save changes item on the context menu.
SAM explorer


Description of SAM account attributes.

 
DataRevision
32-bit unsigned integer that stores version of the data structure. It is divided into 2 WORDs: version major and version minor.
LastLogon
A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged on.
LastLogoff
A 64-bit value, equivalent to a FILETIME, indicating the time at which the account last logged off.
PasswordLastSet
A 64-bit value, equivalent to a FILETIME, indicating the time at which a password was last updated.
AccountExpires
A 64-bit value, equivalent to a FILETIME, indicating the time at which an account is no longer permitted to log on.
LastBadPasswordTime
A 64-bit value, equivalent to a FILETIME, indicating the time at which an account last tried to logged on unsuccessfully.
UserID
A 32-bit unsigned integer representing the RID of the account.
PrimaryGroupId
A 32-bit unsigned integer indicating the primary group ID of the account.
UserAccountControl
A 32-bit flag specifying characteristics of the account. The following values are attributes of a user account and can be combined by using a bitwise OR operation:
0x00000001 The account is not enabled for authentication (disabled).
0x00000002 The HomeDirectory attribute is required.
0x00000004 The password-length policy does not apply to this user, i.e. the password is not required.
0x00000008 This flag indicates that the user account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain.
0x00000010 Specifies that the user is not a computer object, i.e. a default account type that represents a typical user.
0x00000020 MNS account type.
0x00000040 Specifies that the object represents a trust object. This is a permit to trust account for a Windows NT domain that trusts other domains.
0x00000080 Specifies that the object is a computer account for a Windows NT Workstation/Windows 2000 Professional or Windows NT Server/Windows 2000 Server that is a member of this domain.
0x00000100 Specifies that the object is a Domain Controller.
0x00000200 Specifies that the maximum-password-age policy does not apply to this user, i.e. the password should never expire on the account.
0x00000400 The account has been locked out.
0x00000800 Specifies that the cleartext password is to be persisted.
0x00001000 The user can authenticate only with a smart card.
0x00002000  This bit is used by the Kerberos protocol. It indicates that the "OK as Delegate" ticket flag MUST be set.
0x00004000 This bit is used by the Kerberos protocol. It indicates that the ticket-granting tickets (TGTs) of this account and the service tickets obtained by this account are not marked as forwardable or proxiable when the forwardable or proxiable ticket flags are requested.
0x00008000 This bit is used by the Kerberos protocol. It indicates that only des-cbc-md5 or des-cbc-crc keys are used in the Kerberos protocols for this account
0x00010000 This bit is used by the Kerberos protocol. It indicates that the account is not required to present valid pre-authentication data.
0x00020000 Specifies that the password age on the user has exceeded the maximum password age policy, i.e. the password has been expired.
0x00040000 This bit is used by the Kerberos protocol and indicates that the account (when running as a service) obtains an S4U2self service ticket with the forwardable flag set.
0x00080000 This bit is used by the Kerberos protocol and indicates that when the KDC is issuing a service ticket for this account, the privilege attribute certificate must not be included.
0x00100000 Specifies that the object is a read-only domain controller (RODC).
0x00200000 Use AES encryption, this bit is ignored and used internally.
CountryCode
A 16-bit unsigned integer indicating a country preference specific to this user. The space of values is the international country calling code. For example, the country code of the United Kingdom, in decimal notation, is 44.
CodePage
A 16-bit unsigned integer indicating a code page preference specific to this user object. The space of values is the Microsoft code page designation.
BadPasswordCount
A 16-bit unsigned integer indicating the number of bad password attempts.
LogonCount
A 16-bit unsigned integer indicating the number of times that the user account has been authenticated.
AdminCount
A 16-bit unsigned integer indicating that the account is a member of one of the administrative groups (directly or transitively).
OperatorCount
A 16-bit unsigned integer indicating that the account is a member of the Operators group.
UserName
Unicode string that specifies the name of the user account.
FullName
Unicode string that contains the full name of the user.
AdminComment
Administrator comment associated with the user account.
UserComment
Second user comment associated with the user account.
Parameters
Extended user parameters. Microsoft products use this member to store user configuration information.
HomeDirectory
Unicode string specifying the path of the home directory for the user account.
HomeDirectoryDrive
Specifies the drive letter to assign to the user's home directory for logon purposes.
ScriptPath
Unicode string specifying the path for the user's logon script file. The script file can be a .CMD file, an .EXE file, or a .BAT file.
ProfilePath
Unicode string that specifies a path to the user's profile.
WorkStations
Unicode string that contains the names (separated by commas) of workstations from which the user can log on. Up to eight workstations can be specified. The account flag UF_ACCOUNTDISABLE allows disabling logons from all workstations to this account.
LogonHours
21-byte bit string that specifies the times during which the user can log on. Each bit represents a unique hour in the week, in Greenwich Mean Time. The first bit is Sunday, 0:00 to 0:59; the second bit is Sunday, 1:00 to 1:59; and so on. Note that bit 0 in word 0 represents Sunday from 0:00 to 0:59 only if you are in the GMT time zone. In all other cases you must adjust the bits according to your time zone offset (for example, GMT minus 8 hours for Pacific Standard Time).
Groups
List of groups to which the user account belongs or does not belong.
LMHash
LM password hash associated with the user account.
NTHash
NTLM password hash associated with the user account.
LMHistoryHashes
LM password history hashed of the user account.
NTHistoryHashes
NTLM password history hashed of the user account.
UserHint
User hint (displayed during unsuccessful logon).
UserPicture
Logon picture associated with the account.