Alerting deletion of SAM


Dmitry Korolyov

We all know about deleting the SAM database to reset the local admin account. After a reboot the SAM gets rebuilt and the local admin password is blank.
So, is there a way to set the system to raise an alert (into the event log, for example) when the SAM database gets reset?
 
I do not believe that it will be recorded in Event Viewer - it cannot be deleted/renamed while the operating system is running. It would become very obvious when no one can access the computer, since resetting the SAM deletes all non-default accounts and groups. If any service relied on a created account to start, then it would fail and be recorded in the Event Viewer. --- Steve

Thanks for the reply, Steve.

We are talking about a situation where the SAM deletion happens on a regular workstation (no services dependent on local accounts) while it is offline, using a CIA Commander disk or something like this. When the system boots up and finds the SAM missing, sure, it could record this event somewhere, so I was wondering if there's a way to catch it and throw it to a central management console (using MOM, for example).

--
Dmitry Korolyov
(e-mail address removed)
To e-mail me, remove "nospamformorons"
from the address.


Auditing will not work, since the OS to which the SAM applies won't be running if you can delete the SAM.

The best way to know this right now is to use a non-blank admin password. If it's blank one day, and there's no "password set" event in your security log, then you know that somebody deleted it.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
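Eric's heuristic (a rebuilt SAM with no audited password set) and Steve's creation-date idea below can be combined into a scheduled check. The following is an added example, not code from anyone in this thread: it baselines the SAM hive's file metadata, and when the creation time moves without a matching password-reset audit event it writes an Application-log event that a console such as MOM can collect. The paths, the event source name "SamWatch", event ID 9001 and the use of Security event 4724 are my assumptions, and it expects to run in an elevated PowerShell session on a current Windows build.

```powershell
# Added example, not from the thread: records a baseline of the SAM hive's
# file metadata and, on later runs, writes an Application-log event (which a
# console such as MOM can collect) when the hive was recreated and the Security
# log holds no password-reset event that would explain it. Assumes an elevated
# session on a current Windows build; paths, source name and event ID are mine.
$SamPath      = 'C:\Windows\System32\config\SAM'
$BaselinePath = 'C:\ProgramData\SamWatch\baseline.json'   # constructed location
$EventSource  = 'SamWatch'                                # constructed source name

function Get-SamState {
    # The hive is locked while Windows runs, but its metadata is still readable.
    $sam = Get-Item -LiteralPath $SamPath
    [pscustomobject]@{
        CreationTimeUtc  = $sam.CreationTimeUtc.ToString('o')
        LastWriteTimeUtc = $sam.LastWriteTimeUtc.ToString('o')
        Length           = $sam.Length
    }
}

function Test-SamReset {
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        Get-SamState | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        return 'baseline recorded'
    }
    $old = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $new = Get-SamState
    if ($old.CreationTimeUtc -eq $new.CreationTimeUtc) { return 'unchanged' }

    # Creation time moved, so the hive file was recreated. Eric's heuristic:
    # a rebuilt hive with no audited password reset is the signal.
    # 4724 = "an attempt was made to reset an account's password".
    $since  = [datetime]::Parse($old.CreationTimeUtc).ToLocalTime()
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4724; StartTime = $since
    }
    if ($events) { return 'hive recreated, but password resets were audited; review them' }

    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg = "SAM hive creation time changed from $($old.CreationTimeUtc) to " +
           "$($new.CreationTimeUtc) with no password reset audited. Possible offline SAM reset."
    Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId 9001 -Message $msg
    $new | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    return 'alert written'
}

Test-SamReset
```

Run it once to record the baseline and then on a schedule; Windows servicing or an in-place upgrade can also recreate the hive, so treat the event as a lead to investigate rather than proof of tampering.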

Will do. I don't think auditing will work, though, since the deletion will happen when no auditing is in effect, and the newly created SAM will have no auditing set in its SACL...

--
Dmitry Korolyov


Possibly if the SAM file has auditing enabled on it something will show up - not sure, or some other method to detect that the creation date has changed... I will have to play around with that one. Let us know if you figure out a good way. --- Steve
Eric, I did check the event log after deleting the SAM. Found no events specific to that issue.
Do I need to have certain auditing set? And which log should I look in, Security? Maybe I've just missed it, after all.

--
Dmitry Korolyov

Work Around

If you want to work around the issue of having your SAM file deleted, you can always back up your current SAM file to the C:\Windows\Repair directory, since this is where Windows recovers the SAM file from on boot if the current one has been deleted. Basically this means that whatever your current admin password is will stay the same if the SAM is deleted, because it will be replaced with the same one.

If you were to delete C:\Windows\Config\SAM and C:\Windows\Repair\SAM, Windows will not start.