What is the Security Account Manager (SAM)?
When you log in to Windows, you enter a password to gain access to the system. Have you ever wondered where those passwords are kept when you set up a new user account, create a password, or change an existing one? The passwords of local Windows accounts are stored, in hashed form, in the Security Account Manager (SAM) database.
What is SAM?
Windows stores and manages local user and group accounts in a database called the Security Account Manager (SAM), which it uses to authenticate local user logons. On a Domain Controller, the SAM simply retains the administrator account from the time the machine was a member server; that account serves as the Directory Services Restore Mode (DSRM) recovery account. The SAM database resides in the Windows registry and is present on Windows XP, Vista, 7, 8.1, 10, and 11.
What is the purpose of SAM?
Windows computers can be configured to be in a workgroup or joined to a domain. In a workgroup, each computer has its own SAM, which holds all of its local user and group accounts. The password associated with each account is hashed before it is stored in the SAM; hashing offers some protection and reduces the risk of an attack if the data is stolen. The Local Security Authority (LSA) validates a logon attempt by checking the supplied credentials against the data in the SAM, and the logon succeeds only when the hash of the entered password matches the one stored in the local SAM.
On a domain-joined computer there are two types of logon: a local logon, handled by the SAM as described above, and a domain user logon, which the Winlogon service authenticates against the Active Directory (AD) database. A user who logs on with a local account, however, cannot access network resources. A Windows server that has been promoted to a DC uses the AD database instead of the SAM to store accounts; the only time it falls back to the SAM is when it boots into DSRM for maintenance, because the DSRM administrator password is stored locally in the SAM and not in AD.
Simply put, be it a domain-joined computer or a standalone computer, local logon can occur only through the SAM.
How does SAM work?
The SAM database runs automatically as a background process when the computer starts up. The SAM also works together with other processes and services that run on the computer, by providing the security information needed. The primary goal of the SAM is to increase system security and protect against data breaches if the system credentials are stolen.
Where to find the Security Account Manager file?
Go to This PC -> C drive.
Inside the C drive, open Windows -> System32 -> config. The SAM file sits in this folder.
The hashed passwords are exposed in the registry under HKEY_LOCAL_MACHINE\SAM. However, there are rules governing when, and by whom, this file can be accessed.
Even though it is stored locally, no user can open the file while Windows is running. Read on to find out why the SAM initialization failure message appears, what happens when a SAM file is deleted, and how to restore it.
Causes of SAM initialization failure:
SAM initialization can fail for the following reasons:
- The Security Accounts Manager (SAM) file is corrupted or missing. If the file is missing, Windows cannot locate it and terminates its current tasks.
- Windows cannot read a corrupted file correctly. In either case, missing or corrupt, the boot process is halted: instead of continuing, the process terminates and the following error message is displayed:
Security Accounts Manager initialization failed because of the following error: A device attached to the system is not functioning. Error Status: 0xc0000001. Please click OK to shut down this system and reboot into Safe Mode, check the event log for more detailed information.
- Key boot-related system files are corrupted due to disk write errors, power outages, or virus attacks.
How to extract a SAM file using Command Prompt (CMD)?
Using CMD is the simplest method of extracting a SAM file, because the other methods require you to download external tools or to use shadow volumes.
- Run Command Prompt as system administrator.
- Run the following to export the SAM hive from the registry:
reg save hklm\sam c:\sam
(where c:\sam is the drive and name of the output file.)
- Run the following to export the SYSTEM hive, which holds the system key:
reg save hklm\system c:\system
(where c:\system is the drive and name of the output file.)
- After successful execution, you will find the SAM file and the system key at the locations specified in the commands.
Note: The output files are encrypted, and the hashes can be dumped from them to recover the passwords.
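Because the two commands above are exactly what an attacker with local admin rights types to harvest credential material, defenders watch for them in process-creation events. The following is an added example, not code from the original article: a small detector that scans Windows Security event 4688 records (the real 4688 field names 'Account Name' and 'Process Command Line' are used; the records themselves are constructed) for exports of the SAM, SYSTEM or SECURITY hive via reg.exe, tolerating quoted full paths, mixed case and the long HKEY_LOCAL_MACHINE form.

```python
"""Flag SAM/SYSTEM hive exports in Windows 4688 process-creation events.
Added example (not from the article): the records below are constructed; the
field names ('Account Name', 'Process Command Line') are the real 4688 ones."""
import re
from typing import Dict, List
# reg.exe (bare, quoted, or with a full path) followed by the save/export verb.
_REG_EXPORT = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+(?:save|export)\b', re.I)
# Hive roots whose export yields offline credential material. SAM and SYSTEM are
# the pair the article describes; SECURITY (LSA secrets) is usually watched too.
_HIVE_ROOT = re.compile(
    r'(?:hklm|hkey_local_machine)\\(sam|system|security)(?=["\s]|$)', re.I)

def parse_4688(record: str) -> Dict[str, str]:
    """Split 'Field: value' lines into a dict; only the first colon separates."""
    fields: Dict[str, str] = {}
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def hive_dumped(command_line: str) -> str:
    """Return the exported hive root ('sam', 'system', 'security') or '' if none."""
    if not _REG_EXPORT.search(command_line):
        return ""
    m = _HIVE_ROOT.search(command_line)
    return m.group(1).lower() if m else ""

def find_hive_dumps(records: List[str]) -> List[Dict[str, str]]:
    """One alert per record whose command line exports a sensitive hive."""
    alerts = []
    for rec in records:
        ev = parse_4688(rec)
        hive = hive_dumped(ev.get("Process Command Line", ""))
        if hive:
            alerts.append({"account": ev.get("Account Name", "?"), "hive": hive,
                           "command": ev["Process Command Line"]})
    return alerts

SAMPLE_EVENTS = [  # constructed 4688 records, one string each
    "Account Name: jdoe\nNew Process Name: C:\\Windows\\System32\\reg.exe\n"
    "Process Command Line: reg  save hklm\\sam c:\\sam",
    "Account Name: jdoe\nNew Process Name: C:\\Windows\\System32\\reg.exe\n"
    'Process Command Line: "C:\\Windows\\System32\\reg.exe" SAVE HKEY_LOCAL_MACHINE\\SYSTEM C:\\system',
    "Account Name: svc_backup\nNew Process Name: C:\\Windows\\System32\\reg.exe\n"
    "Process Command Line: reg export hklm\\software\\contoso c:\\backup\\app.reg",  # benign
]
for alert in find_hive_dumps(SAMPLE_EVENTS):  # demo run: prints the two hive exports
    print(f"ALERT hive={alert['hive']} account={alert['account']}: {alert['command']}")
```

In production the same logic runs over the command-line field of Sysmon event 1 or Security event 4688 (with command-line auditing enabled); the benign export of an application key shows why the match is anchored on the hive root rather than on reg.exe alone.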
Is it possible to disable SAM?
Disabling the SAM causes services and programs on the computer to stop working properly. The SAM also gates access to services such as the Internet and e-mail, and to processes that require administrator-level user accounts. If the SAM is disabled, other services and processes fail to start, because they are never notified that the SAM is ready to deliver security information to them.
What happens after deleting a SAM file?
The SAM file stores the local users' passwords on a workgroup computer. Normally, while Windows is running, it is impossible to delete the SAM file, because the Windows kernel keeps it locked against all users.
If the SAM is somehow deleted while Windows is running, the system loses all user account passwords; Windows throws the error “Security Accounts Manager initialization failed because of the following error: A device attached to the system is not functioning. Error Status: 0xc0000001. Please click OK to shutdown this system and reboot into Safe Mode, check event log for more detailed information” and shuts down.
If the SAM is deleted while Windows is not running, for example after booting from a live Linux medium, Windows cannot load the logon screen and crashes. A backup copy of the SAM may be found in the folder C:\Windows\System32\config\RegBack, but you have no control over, or knowledge of, when that backup was taken.
How to restore the Security Account Manager?
You can restore the database file if the SAM is missing from your office computer or if you receive a notification that the SAM is corrupt.
- Search for lsass.exe in the i386 directory on your C: drive.
- Copy the file’s name by right-clicking it and selecting Copy.
- Open the System32 directory in the Windows folder on your machine.
- Right-click anywhere in the directory pane and select Paste.
- To finish the database installation, restart your computer.
System administrators must familiarize themselves with the SAM and how it works in order to understand how Windows processes and stores credentials. This helps them devise safer password management and security practices, and to monitor and resolve issues such as SAM failures or authentication delays, so that the user experience is not compromised. Despite repeated criticism of its security flaws, the SAM can still help defend a system against most attacks when combined with recommended practices such as granting users limited access and permissions and enforcing password and account lockout policies.