What is 0xC00002CB

 

STATUS_DS_SAM_INIT_FAILURE

The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores users’ passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users from accessing the system.

The user passwords are stored in a hashed format in a registry hive, either as an LM hash or as an NTLM hash. This file can be found in %SystemRoot%\system32\config\SAM and is mounted on HKLM\SAM; SYSTEM privileges are required to view it.

Security Account Manager (SAM)

A database that stores user accounts and relevant security information about local users and local groups. The Security Accounts Manager (SAM) is a registry file that stores users' passwords in a hashed format. When a user logs on to a computer using a local account, the SAM process (SamSrv.exe) takes the logon information and performs a lookup against the SAM database, which resides in the Windows system32\config directory (similar to /etc/passwd on UNIX). If the credentials match, the user can log on to the system, assuming there are no other factors preventing logon, such as logon time restrictions or privilege issues. Note that SAM does not perform the logon; that is the job of the LSA. The SAM file is binary rather than text, and passwords are stored using the MD4 hash algorithm. On Windows Vista, the SAM stores password information using a password-based key derivation function (PBKDF).

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the Security Account Manager are encrypted with a key (usually also referred to as the “SYSKEY”). It can be enabled by running the syskey program.

In 2012, it was demonstrated that every possible 8-character NTLM password hash permutation can be cracked in under 6 hours. In 2019, this time was reduced to roughly 2.5 hours by using more modern hardware.
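The two timings above imply a guess rate and a yearly hardware speed-up, and from those a minimum password length can be sized. The Python below is an added example, not part of the original page; it assumes a 95-character printable-ASCII alphabet, which the page does not state, and treats the quoted times as exact.

```python
"""Added example: exhaustive-search time for NTLM hashes, from the page's two timings."""

ALPHABET = 95                       # assumption: printable ASCII; the page names no character set
HOURS_2012, HOURS_2019 = 6.0, 2.5   # page figures for covering all 8-character passwords
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet=ALPHABET):
    """Number of passwords of exactly `length` characters."""
    return alphabet ** length


def implied_rate(hours, length=8):
    """Guesses per second needed to cover the whole keyspace in `hours`."""
    return keyspace(length) / (hours * 3600)


def annual_growth(years_apart=2019 - 2012):
    """Yearly speed-up factor implied by the 2012 and 2019 timings."""
    return (HOURS_2012 / HOURS_2019) ** (1 / years_apart)


def exhaust_years(length, rate):
    """Worst-case years to try every password of `length` characters at `rate`."""
    return keyspace(length) / rate / SECONDS_PER_YEAR


def min_length(target_years, years_ahead=0):
    """Shortest length whose full search still takes `target_years`,
    with the 2019 rate projected `years_ahead` years at the implied growth."""
    rate = implied_rate(HOURS_2019) * annual_growth() ** years_ahead
    length = 8
    while exhaust_years(length, rate) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    rate = implied_rate(HOURS_2019)
    print(f"2012 rate: {implied_rate(HOURS_2012):.3g} guesses/s")
    print(f"2019 rate: {rate:.3g} guesses/s, growth {annual_growth():.3f}x per year")
    for n in range(8, 13):
        print(f"{n} chars: {exhaust_years(n, rate):.3g} years")
    print("length for 100 years today:", min_length(100))
    print("length for 100 years, 10 years on:", min_length(100, years_ahead=10))
```

Exhaustive search is the worst case: passwords that appear in wordlists fall far sooner, so the result is a floor for randomly generated passwords only.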

In the case of online attacks, it is not possible to simply copy the Security Account Manager (SAM) file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a “Blue Screen of Death” exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques (including pwdump), making the password hashes available for offline brute-force attack.

In the SAM, each user account can be assigned a local area network (LAN) password and a Windows password. Both are encrypted. If someone attempts to log on to the system and the user name and associated passwords match an entry in the Security Account Manager (SAM), a sequence of events takes place ultimately allowing that person access to the system. If the user name or passwords do not properly match any entry in the SAM, an error message is returned requesting that the information be entered again.

In personal computers (PCs) not connected to a LAN and for which there is only one user, Windows asks for only one password when the system is booted up. This function can be disabled if the user does not want to enter authentication data every time the computer is switched on or restarted. The main purpose of the Security Account Manager (SAM) in a PC environment is to make it difficult for a thief to access the data on a stolen machine. It can also provide some measure of security against online hackers.