■ Bytes 40-47 represent the date of the last failed login attempt (because the account name has to be correct for the date to be changed on a specific account, this date can also be referred to as the date of the last incorrect password usage). ■ Bytes 32-39 represent the account expiration date. ■ Bytes 24-31 represent the date that the password was last reset (if the password hasn’t been reset or changed, this date will correlate to the account creation date). ■ Bytes 8-15 represent the last login date for the account. Those values and their locations are as follows: Some important dates are available in the contents of the binary data for the F value-specifically, several time/date stamps represented as 64-bit FILETIME objects.
The F value within the key is a binary data type and must be parsed appropriately (see the sam.h file, part of the source code for Peter’s utility) to extract all the information. Besides providing quite a bit of information about how SIDs are created, Microsoft also provides a list of RIDs ( ) for well-known users and groups as well as well-known aliases (seen in the SAM\SAM\Domains\Builtin\Aliases key). The, or Relative Identifier, is the portion of a Security Identifier (SID) that identifies a user or group in relation to the authority that issued the SID. This user information is maintained in the F value located in the following path: The ProScript will also display the last login time, if it is nonzero. For example, the ProScript parses information about user accounts on the system, including the username, comment, account creation date, number of logins, and user flags (which provide information about the account).
Running the ProScript against a sample case that I have available, we can view excerpts from the results to see the breadth of information returned by the script. (Optionally, you can enter any arguments for a ProScript as well.) Select the ProScript, and once the execution of the script has completed, the information parsed from the SAM hive will be visible in the results window, where it can be selected, copied, and pasted into a file or report. To run the ProScript, click the Run ProScript button on the menu bar and select the location of the ProScript from the Run ProScript dialog box. You can use the ProScript (v.0.31, 20060522 provided in the ch4\code\ ProScripts directory on the media that accompanies this topic) to extract user and group membership information from the Registry Viewer in a ProDiscover project, once the Registry Viewer has been populated. Much of the useful information in the SAM hive is encoded in binary format, and fortunately, Peter Nordahl-Hagen’s sam.h C header file is extremely helpful in deciphering the structures and revealing something understandable. There’s a good reason for this: Although much of the Registry can be "messed with," there are areas of the Registry where minor changes can leave the system potentially unusable. Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. Information about users is maintained in the Registry, in the SAM hive file.