Sam Shock: Discover the shocking truth behind the story!

Okay, folks, let me tell you about this “SAM Shock” thing I messed around with today. It wasn’t pretty, but I got it working (sort of).

First, I gotta say, I’m no expert. I just like tinkering with stuff, and this “SAM” business seemed interesting. The whole idea is to grab the Security Account Manager (SAM) database from a Windows machine, which stores password hashes. Sounds cool, right? Potentially dangerous, too, so be careful if you try this at home!

Getting Started: My Sloppy Setup

So, I’ve got this old Windows 10 laptop I use for testing. I booted it up, and with bcdedit command to modify the Boot Configuration Data (BCD) on a real Windows and created some restore point and snapshots.

The target Windows system has to be running because we use bcdedit.

The Dirty Work: Making a copy

I start the computer and wait a moment for the next boot to take the changed system settings. The machine will restart now.

Grabbing the Goods

After the boot up,I try the command to copy the shadow copy files. The command is simple and looks like this.

copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSAM .
copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSYSTEM .
copy ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WindowsSystem32configSECURITY .

All files should be copied into the current location.

Setting Things Back to Normal

Since I am doing testing, I do not need to revert the configuration to boot into normal windows, but the command is here.

bcdedit /delete {bootmgr} bootsequence
bcdedit /delete {bootmgr} default

bcdedit /delete {bootmgr} displaybootmenu

Final Thoughts (and Warnings!)

I don’t know. It works, but I don’t plan on using it again for a while. So be careful, for educational purposes only and keep things ethical, okay?