What is the Security Accounts Manager?

M. McGee

The Security Accounts Manager is the part of the Windows® operating system that verifies account passwords. The passwords stored by this system are encoded using a hashing algorithm. Since the hash only encodes in one direction, the passwords are relatively safe if an unauthorized user finds them. The Security Accounts Manager is built into the system’s registry and its files are directly monitored by the kernel, making it difficult to tamper with or change the associated information. While this system is safe from most basic attacks, it has received several criticisms due to a select group of security failures.

The main function of the Security Accounts Manager is holding onto the passwords used to log into Windows® accounts. This system only holds those passwords; other system passwords are held in unrelated areas. The manager is used by the operating system to verify that the entered passwords are the correct ones.

When a user creates an account password, the system sends it through a hash algorithm. This process converts the password into numbers and then runs those numbers through an equation. The output of the equation is a string of numbers that bears no resemblance to the original password. Windows will then completely remove any traces of the original password, leaving only the numbers behind.

When a user enters his password, the process repeats itself. The Security Accounts Manager contains the final string of numbers, which is compared to the converted password. If the numbers match, the user can log in; if they don’t, the system returns an invalid password error.

The security for the Security Accounts Manager is about as tight as it can be. The processes that govern the system are built directly into the operating system’s registry. This is common for most inherent systems, but it does make tampering with them more difficult. The real security comes from the system’s kernel. As soon as it activates, the kernel takes possession of the Security Accounts Manager files and holds them for as long as it runs. This makes it extremely difficult to move or copy the files.

The system isn’t foolproof and there are a number of ways to fool the kernel into giving up the files. The most common methods involve mounting the Windows® installation onto a virtual system. The kernel is more easily controlled during the emulation and it is possible to copy the files. It is also possible to cause a computer error, commonly called a blue screen, that dumps the active memory to a file. This dump contains the information from the Security Accounts Manager.
