So, I'm running the latest Windows 10 Technical Preview on my ASUS T100 Transformer book. I noticed something interesting the other day while rooting around through the Registry in regedit. I noticed that there are 2 entries in 2 different Reg. Keys for the Security Account Manager (SAM).
I can only assume that one of them is a new one and that the old one is there to help support the migration to the newer way of doing SAM. However, it does raise some interesting questions after considering what was talked about at the last Windows 10 Enterprise Conference in relation to Security. I don't have the exact Key locations of the 2 SAMs on hand at the moment as I am writing this from another location without my tablet, but I'll get those to you all ASAP.
This is my first post in the forums, longtime watcher of the show, but just now getting into the community, wanted to see what others thought about the future of Windows security (Authentication changes with file extensions etc., announced at the enterprise conference), and maybe someone else can add to the speculation of the two SAM entries in the Registry.
-Thanks for listening, I hope maybe some discussion happens.
SAM, the long and short of it, has to do with everything to do with your Passwords tied to User accounts. And, yes, there is a low-grade keylogger-like feature in the preview; if people read the EULA they wouldn't be surprised, it's mentioned. It will not be in the final release; no Enterprise would buy it if it still had it in there come release day.
At work ATM. I'll post those as soon as I'm home this evening. We can dig deeper into it. I found it curious and now I actually want to find out what's going on.
I believe, if my memory serves me correctly, that the Local machine entry has been the only SAM entry to exist in Windows in the past. Both Key types are 'REG_SZ'. Microsoft, Policy and RXACT are also in the security folder in that Key. Interesting, I believe they may be migrating Password Authentication to another area, and one may go away (or stay for Legacy), or one has to do with file Authentication with the new security features that are being added as of the Win10 Consumer release.
If you guys get the chance to look at it yourself or find anything out or have more ideas, let me know. Thanks for all the good interaction thus far!
There are also two SAM keys on both my Windows 8 and Windows XP systems.
If you create a subkey or make any changes with this key:
HKEY_LOCAL_MACHINE > Security > SAM
and press F5 to refresh the Registry Editor, you can also see the changes in HKEY_LOCAL_MACHINE > SAM > SAM. So I think both of these two SAM keys are read from the same file: c:\windows\system32\config\sam, but I can't understand why the SAM key is displayed twice in the Registry Editor.
It would be cool to see what a Windows Dev would say about it. I wonder if it's intentional or not. If it wasn't, and it's linked up with the same configuration files, that leaves you with more than one key that could possibly be manipulated or exploited. The more doors, the more ways in, they say, locked doors or not.
I'll tweet this thread to MS @Windows and maybe post it to some of the Windows forums out there and see if there is anyone who can shed some light on this. Not that this is a big deal at all, I just gotta know why.