Offline SAM Editing
The crucial role of the SAM database makes it an obvious target for manipulation, especially offline. That is why various reverse-engineering approaches have appeared since the '90s, not always keeping up with changes in the database format. Starting with Windows 10, the situation changed a bit, as each system ships with special DLLs that allow any application to call dedicated methods for SAM editing.
The difference between the old and new approaches is significant: no more reversing, no more guessing at bits and bytes, just politely asking the DLL to do the magic on its own. Loading the DLLs from the system where the SAM exists makes them perfectly match the database format. How these DLLs work is interesting in its own right: instead of file-level manipulation, both DLLs load the SAM database under a temporary registry key (OFFLINESAM for SAM and OFFLINELSA for SECURITY keys), each of which additionally contains the path and GUID to make it unique.
On the other hand, it also means that you cannot load the same SAM database twice at the same time, and that it is not unloaded automatically even if the editing process terminates. Of course, manual closing works as expected, but it can be easy to miss.
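
Because a forgotten mount stays loaded, it can be found from the running system. The following added example (not part of the tool or of the Windows DLLs) lists loaded hives whose mount name contains OFFLINESAM or OFFLINELSA. It assumes the temporary keys are loaded as regular hives and therefore appear in the `hivelist` registry key; the function name and the sample mount names are hypothetical.

```powershell
# Added example: find offline SAM/LSA hives that are still mounted.
# Assumption: the mount name contains OFFLINESAM or OFFLINELSA, as described
# above, and the hive is listed under Control\hivelist like any loaded hive.
function Find-OfflineSamHive {
    param(
        # Mount point -> backing file. When omitted, the live hivelist is read.
        [hashtable]$HiveList
    )
    if ($null -eq $HiveList) {
        $key = Get-Item -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
        $HiveList = @{}
        foreach ($name in $key.GetValueNames()) {
            $HiveList[$name] = [string]$key.GetValue($name)
        }
    }
    foreach ($mount in ($HiveList.Keys | Sort-Object)) {
        # Match the prefix only; the path/GUID suffix format is not assumed.
        if ($mount -match '\\(OFFLINESAM|OFFLINELSA)') {
            [pscustomobject]@{
                Kind        = $Matches[1].ToUpper()
                MountPoint  = $mount
                BackingFile = $HiveList[$mount]
            }
        }
    }
}

# Constructed sample in hivelist format. The suffixes after OFFLINESAM and
# OFFLINELSA are placeholders, not the real naming scheme.
$sample = @{
    '\REGISTRY\MACHINE\SAM'      = '\Device\HarddiskVolume3\Windows\System32\config\SAM'
    '\REGISTRY\MACHINE\SECURITY' = '\Device\HarddiskVolume3\Windows\System32\config\SECURITY'
    '\REGISTRY\MACHINE\OFFLINESAM-constructed-suffix' = '\Device\HarddiskVolume5\Windows\System32\config\SAM'
    '\REGISTRY\MACHINE\OFFLINELSA-constructed-suffix' = '\Device\HarddiskVolume5\Windows\System32\config\SECURITY'
}

# Constructed data: reports the two offline mounts and skips the online hives.
Find-OfflineSamHive -HiveList $sample | Format-Table -AutoSize

# Live system: an empty result means no offline SAM/LSA hive is left mounted.
Find-OfflineSamHive | Format-Table -AutoSize
```

A hit whose backing file lies on a volume other than the running system's is either an editing session in progress or one that was never closed.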

After loading the keys, Windows accesses them exactly the same way the real (online) SAM/LSA databases are accessed. It's yet another reason why it just works. The disadvantage of relying on the DLLs is that you are limited to the methods they export. If something (such as allowed logon hours management, SID change, or a group rename) is not implemented, it will not work, even if it should theoretically be possible when the SAM is manipulated manually. Even the "limited" approach seems to be interesting enough, as it allows you to:
- add and remove groups and accounts,
- change comments, descriptions, full names and names,
- set user passwords,
- change all UAC bits,
- change privileges of groups and accounts,
- change group membership.
And what is even more exciting: I've just released a new Offline SAM Editing Tool.

It is a versatile tool designed for accessing and editing Security Account Manager (SAM) databases directly from offline operating system disks. Ideal for IT professionals, security enthusiasts, and researchers, this tool may facilitate user credential management and serves as an educational resource to deepen understanding of system security and database management.
The tool is provided with its full source code for your personal review and education. You can learn more about Offline SAM Editing Tool and get your access here.