Location of Password Hashes on a Windows Local Machine?
- System memory
The SAM file is mounted in the registry as
HKLM/SAM. Windows locks this file, and will not release the lock unless it's shut down (restart, BSOD, etc). However, if you look at the SAM entry in the aforementioned registry section, you will not find the hash.
Therefore, it seems more than likely that the hash, or password, will also be stored in memory. In fact, there are quite a few password crackers that take your password directly from memory.
Thank you for the answer! I did a bit more digging and I learned that in memory, lsass holds on to a plaintext copy of the password for whoever is logged in.