pwdump and fgdump

Microsoft Windows operating systems store hashed user passwords in the Security Accounts Manager (SAM). To hinder offline cracking, Microsoft uses SYSKEY to partially encrypt the SAM file.

Windows NT-based operating systems, up through and including Windows 2003, store two different password hashes: LAN Manager (LM), based on DES, and NT LAN Manager (NTLM), based on MD4 hashing. LM is known to be very weak for multiple reasons. Windows Vista and later use NTLM only; however, these hashes are stored in the SAM file unsalted, so two accounts with the same password have the same hash. The SAM database cannot be copied while the operating system is running, as the Windows kernel keeps an exclusive file system lock on the file. However, in-memory attacks to dump the SAM hashes can be mounted using various techniques. The LSASS process has the necessary privileges to extract password hashes, as well as many useful APIs that can be used by the hash dumping tools.

Usage is simple:

    C:\> fgdump.exe
    C:\> type 127.0.0.1.pwdump
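The file produced above is in pwdump format, one line per account: username:RID:LM hash:NT hash:::. An administrator reviewing such a dump during an audit usually wants to know three things: which accounts still have an LM hash stored (LM storage should be disabled), which accounts have an empty password, and which accounts share a password, something the unsalted NT hash makes directly visible. The following Python is an added example, not code from pwdump or fgdump; the sample dump lines and the hash values in them are constructed for illustration, while the two constants are the well-known values of an absent LM hash and of the NT hash of the empty password.

```python
"""Audit a pwdump-format file (user:RID:LM:NT:::) for weak hash storage.

Added example, not part of pwdump or fgdump. SAMPLE_DUMP is constructed;
its hash values are placeholders chosen to exercise each check.
"""
from collections import defaultdict

# Well-known values: LM field when no LM hash is stored, and the NT hash
# of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump (hashes are placeholders, not real credentials).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; skip blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        rows.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return rows


def audit(rows):
    """Flag LM hashes still stored, empty passwords, and shared NT hashes."""
    findings = {"lm_present": [], "empty_password": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["lm"] != EMPTY_LM:          # LM storage not disabled for this account
            findings["lm_present"].append(r["user"])
        if r["nt"] == EMPTY_NT:          # account has an empty password
            findings["empty_password"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    # Unsalted hashes: identical NT hash means identical password.
    findings["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    for key, value in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

To run it against a real dump, replace SAMPLE_DUMP with the contents of the .pwdump file; the shared_nt finding is the practical consequence of the unsalted storage described above, since no rainbow-table work is needed to see that two accounts use the same password.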
