Tools

SAM & SYSTEM Hive NT Hash Extractor

Extract Windows NTLM and LM password hashes from offline SAM and SYSTEM registry hive files. Analyze local account credentials securely in your browser with no server processing, and complete privacy.

Upload SAM hiveHKLM\SAM

Upload SYSTEM hiveHKLM\SYSTEM

or select both files at once

How to obtain the hives

From an elevated prompt: reg save HKLM\SAM sam and reg save HKLM\SYSTEM system
Or copy C:\Windows\System32\config\SAM and …\SYSTEM from an offline disk / image (locked while Windows runs).
Supports both legacy RC4 and Windows 10 1607+ AES-encrypted hives.
A blank NT hash shows as 31d6…089c0 (no password set).

Loading SAM Hash Extractor...

Extract local Windows account NT/LM password hashes from offline SAM and SYSTEM registry hives - entirely in your browser. A client-side samdump2 / secretsdump.

What is SAM-DUMP?

Windows stores local account password hashes in the SAM registry hive, encrypted with a key (the "boot key" or syskey) that lives in the SYSTEM hive. With both hives you can recover the NT hashes offline - the classic technique behind samdump2, creddump, and impacket's secretsdump. This tool does exactly that, but 100% in your browser: upload the SAM and SYSTEM hives and it derives the boot key, decrypts the hashed boot key, and recovers each user's NT/LM hash. Nothing is uploaded anywhere. It is intended for digital forensics, password recovery on your own machines, and authorized penetration testing / CTFs.

Example

Input:

SAM + SYSTEM registry hives

Output:

Administrator:500:aad3b435…:1f5e4e24…:::

FAQ

Are my hive files uploaded anywhere?
No. Parsing and all decryption happen locally in your browser using JavaScript. The SAM and SYSTEM files never leave your device.
How do I get the SAM and SYSTEM hives?
From an elevated command prompt run `reg save HKLM\SAM sam and reg save HKLM\SYSTEM system. Alternatively copy C:\Windows\System32\config\SAM and SYSTEM from an offline disk or forensic image (they are locked while Windows is running).
Why do I need the SYSTEM hive too?
The SAM hashes are encrypted with the boot key (syskey), which is stored in the SYSTEM hive. Without SYSTEM the boot key can't be derived and the hashes can't be decrypted.
Does it support modern Windows 10 / 11?
Yes. It handles both the legacy RC4 scheme and the AES-128-CBC scheme introduced in Windows 10 1607, detecting which to use from the hive itself.
What does a hash of 31d6cfe0d16ae931b73c59d7e0c089c0 mean?
That is the NT hash of an empty password - the account has no password set (commonly the Guest account). Likewise aad3b435b51404eeaad3b435b51404ee is the 'blank' LM hash, shown when no LM hash is stored.
Is using this legal?
Only on systems you own or are explicitly authorized to test. Extracting password hashes from machines without permission is illegal in most jurisdictions. This tool is for forensics, recovery, and authorized security work.