1. On Microsoft Windows 2000 (and Windows NT), all the user account information is stored within the SAM. It exists as a single file on the disk. The SAM is the primary target when hackers break into a system because it can be run through a password cracker. Key point: The SAM file is located in the path %systemroot%/system32/config/SAM However, a backup is also stored in the location %systemroot%/repair/sam._ as well as on any repair disk generated. (Note: if new repair disks haven't been created, then you'll likely only be able to see the Administrator's password there). Hackers usually go after the "repair" versions because they are not locked by the operating system. Tools: pwdump/pwdump2 Dumps the current password information using Windows registry calls. Must have administrative access for this to work. The data is written in a format for crack programs. samdump Reads the password information from the SAM file in a format suitable for inputting into crack programs. l0phtcrack The most popular utility for cracking Windows passwords. All these tools are available at http://www.l0pht.com/. History: The original version of WinNT allowed the password hashes to be easily retrieved, making cracking easy. In SP3, an optional utility called SYSKEY was added that encrypts the hashes. In order to decrypt them, the administrator needs to either type in the passphrase at boot time, store the passphrase on a floppy, or put the passphrase in the registry (dramatically reducing security, of course). Whatever way is used to boot the system, the keys are then stored in unencrypted format in memory, so administrative access can still read them (using the pwdump2 utility). SYSKEY is optional on WinNT, but is always running on Win2k. Key point: The PASSPROP and PASSFILT utilities can be used to enforce the choice of better passwords. From Hacking-Lexicon