Guard of NT System-SAM

Author: Xiaojin from: chip

Friends who have used the NT kernel Windows operating system know that the management mechanism of the system password of the NT kernel is much stronger than that of the Windows operating system of the Win32 kernel, thanks in part to the guard of the NT System-SAM.

 

Many users have no special idea about Windows startup. Most people think about it like this: press the power supply and wait a moment, the "silly" Windows login interface appears in front of us. But after reading this article, you may have different ideas.

Microsoft has made two different system frameworks: one is Win32, And the Win9x/Me system we use is attached to it; the other is NT (New Technology ), that is, the skeleton of WinNT/2000/XP/2003. However, unfortunately, Microsoft is a little "eccentric", and the Win32 skeleton is obviously a little too small, so it becomes thin, While NT is a typical American hero. Unfortunately, the PWL guard provided by Microsoft to Win32 is a vase. Not only can they not even access a house, but they cannot keep their mouths confidential. What about NT, SAM's guard did his best and his mouth was hard to crack. The password security of the NT kernel Windows operating system is much higher than that of the Win32 kernel Windows operating system, which is irrelevant to SAM. In this article, let's take a look at SAM, the reading god of the NT kernel Windows operating system.

Loyal SAM guard

SAM first came to the world with the first generation of NT. Its agent code at the Microsoft headquarters is called "Security Account Manager" and has gone through several generations of system improvements, the guard is getting stronger and stronger. SAM usually lives in WINNTSystem32Config. Of course, it is not just a SAM file, it also has a followers: Security (1 ). SAM started to get busy when the NT kernel Windows system was started. First, it asked you to show your ID card at the entrance -- no? Therefore, you cannot enter Windows, and you have no questions. Even if you pass the door check, things are far from over. SAM is always staring at you, as long as someone comes in, it quickly asked people for "creden "...... SAM records a lot of data, including all groups, account information, password HASH, account SID, etc. It should be said that it is a well-considered guard.

 

As mentioned above, SAM is not just as simple as a file. It not only has file data, but also has a database in the registry, which is located under HKEY_LOCAL_MACHINESAM. This is a complicated structure (2 ). SAM is locked after the system is started. We cannot change the file content without authorization.

Main Structure and user group of SAM

From the branches in the above registry, we can see the following results:

1. In HKEY_LOCAL_MACHINESAMSAM
In Domains, there are two branches, "Account" and "Builtin ".

2. The information of each account is stored in DomainsAccountUsers. Of course, this is encrypted binary data. Each account has two sub-items, F and V. Project V stores the basic information of the Account, including the user name, group, description, password, comment, whether the password can be changed, Account Activation, and password setting time. Project F saves some logon records, such as the last logon time and number of wrong logins. SAM uses these complete memos to store various information related to user accounts.

3. domainsBuiltin stores information about different user groups. SAM divides the six inherent working groups in NT Based on this. They are Administrators and Backup Operators) guests, high-privilege Users, Replicator, and common Users ).

Behind-the-scenes commander

In Windows, SAM tries his best, but it does not listen to your command like MODEL 101 in Terminator 3 (Terminator 3. It only listens to the Local Security Authority program LSASS. EXE, and the review is also indicated by LSASS. If you kill LSASS, you will be waiting to get out.-Of course, for common users, if you try to kill "LSASS. if it is an EXE process, it will only get "this process is a key system process, and the task manager cannot end the process." Local Security Authority is mainly responsible for the following tasks in Windows: 1. reset the SID and user permissions of the Local Group. 2. create an access token for the user; 3. manage the service account used by locally installed services; 4. store and map user permissions; 5. manage audit policies and settings; 6. manage trust relationships.

"Sam is also a man"

As the saying goes, "nobody is perfect ". Even though SAM is so conscientious, here we still have to use that sentence-"SAM is also a man" to describe it. Due to some design mistakes, in WinNT/2000, if you forget the password, what you do is not shout, you only need to remove SAM from the hard disk in a non-NT environment. However, in Windows operating systems after XP, this situation can be improved. If you kick Uncle Sam, NT will not survive or die.

Of course, this does not mean that Windows operating system passwords after XP cannot be cracked. You must know that the classic LC4 and NtPassword are dedicated to using SAM (3 ).