Replacing a SAM file

Posted on 2006-07-21
Last Modified: 2008-02-01
Hey guys, first off sorry I don't have many points to give, but I guess when you think about this question you either know it or you don't, so its pretty simple.

Anyway, a family computer of mine (not mine, my family's [thank god]) crashed.  It happened randomly overnight, we have no idea how it happened since no one was even home, the comptuer was on though, but it has tons of firewalls and stuff like that.

Now all I am getting when I turn it on is an error code, a "Windows Stop error code" I guess you could call it.

The thing says:

STOP: c000021a {Fatal System Error}

Then a little irrelevant information.  I have looked up the code and basically it means that I'm fucked (sorry for profanity).  My dad insisted I call Dell since we have a dell, I said it was useless, he didn't listen, so I called.  They said exactly what I suspected and had already read on the internet and that the harddrive and installation of windows was basically shot.  They advised reinstalling Windows, or getting a new harddrive.

I do not want to have to reinstall windows if there is a way around it because I lose everything, and thats what my dad and I exactly don't want to happen, thats why I called dell, maybe they had a way around it, they don't without like mailing them my harddrive.

Now, through my research I have also narrowed down that the file that is corrupt, since its a logon error, is the SAM file.  I got onto the harddrive and accessed it using Knoppix (which I have used a lot in the past in similar situations, and if you don't know what it is, take a minute and look it up, very useful) and go figure the last moment the SAM file was editted was July 15th, 2006 at 3:07am.  Interesting how thats the exact moment I would bet that the computer crashed >_<.

So, instead of reinstalling windows, I first want to try to take my extra SAM file which is in:


and paste it on top of the


SAM file and see if that will work, and then do everything else if it doesn't.

The question is, if I replace a SAM file, how much information will I lose, what will happen to the system.  See I know with an reinstallation of windows its possible to keep your Program Files and a few other things, but since you are making all new users, everything in your Documents and Settings folder is basically deleted, which in this case, sucks.  So I am trying to save that as best I can.

Do any of you know what would happen or have a better plan?

Thanks for the help in advance.

Question by:simpsons17371
LVL 32

Expert Comment

Comment Utility
Easiest way, let windows recreate the sam file. Tell you the history;

When windows boots and it doesn't find a sam file, it recreates one with one user 'Administrator' and a blank password.

In your case what I would do is;

1. Use Knoppix and boot, go there and delete the sam from the location (which you know). Then reboot. Then you'll be able to login as administrator with no password. Once you are on the PC, you can then copy stuff from other's profile under document and setting then recreate the users. You can copy down the stuff you want and you're done.


Expert Comment

Comment Utility
The SAM file contains all the user accounts on your machine. As rsivanandan noticed, if it is removed, Windows will create a new one with only an Administrator account.
You can try to copy the one in C:\WINDOWS\repair but it is not updated very often. This means that any user account you've created after the repair file will be lost and you will have to re-create it. If you do re-create it, it will actually be a considered a new account, so any special privileges the old account had will not be kept.
So my first recommendation is that you backup your current SAM before you do anything so just in case it is not the cause of the problem, you can undo what you've done.
If the SAM is indeed the problem, there is a way to make the new account use the old account's profile:
1) Re-Create the user account (don't log-in yet)
2) Go to "C:\Documents and Settings". You'll notice that a new folder has been created by the user (suppost the old one was "C:\Documents and Settings\username", the new one will probably be "C:\Documents and Settings\username.computername"). The old folder still exists though.
3) Delete the new folder.
4) Give the new user full control permissions for the old folder.
5) Open the registry editor.
6) Go to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
7) Inside that there is a subkey for any user on your machine. Search for the one whose ProfileImagePath value is the name of the folder you've just deleted.
8) Modify that value to the old folder.
9) Close the registry editor.

Author Comment

Comment Utility
Hey, thanks for the tip you guys but I seem to have a problem.

I went into the system with Knoppix but I can't delete the SAM file, it just won't let me.  I don't know the command console command either so I can't try it there, but I guess the SAM file is a read only file.

Do you guys have any idea how I can delete it?


What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

LVL 14

Accepted Solution

FriarTuk earned 75 total points
Comment Utility
have you tried getting the files from the most current system restore backup

windows cannot start the file c:\windows\system32\config\system is missing or is damaged.

*** Below is revised by me (not using old files from the Repair folder) ***
*** if you can't see the "sys vol info" folder then under folder options, select "show hidden/system files" & unchk "hide protected o/s files" *** if you can't access that folder see this>  ***

boot from an XP cd, & press R to enter the Recovery Console
from c:\windows
md tmp

copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

cd c:\"system volume information"\_restore*\
dir /od  (find a folder "RPxxx" with a date prior to when this occurred)
cd rpXXX\snapshot

From the Snapshot folder, do the below command to copy the files:
 (space after copy & before c:\windows)

copy _registry_user_.default c:\Windows\System32\Config\default
copy _registry_machine_sam c:\Windows\System32\Config\sam
copy _registry_machine_security c:\Windows\System32\Config\security
copy _registry_machine_software c:\Windows\System32\Config\software
copy _registry_machine_system c:\Windows\System32\Config\system

reboot & run system restore to create new restore point

Assisted Solution

Chatable earned 75 total points
Comment Utility
You can't delete the SAM file from Knoppix because the Linux NTFS driver is read only.
To do that you need to use either the Windows Recovery Console (to start it, insert your Windows CD and when setup starts press R for repair then C for console) or (recommended) the 3rd party utility ERD commander.
LVL 14

Expert Comment

Comment Utility
LVL 14

Expert Comment

Comment Utility
hey simpsons, plz provide feedback for further assistance.

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now