Security Account Manager
The SAM is the Windows database that stores local account names and password hashes, kept in the registry and backed by a file under System32\config. Attackers with admin or SYSTEM access dump the SAM to extract NTLM hashes for cracking or pass-the-hash attacks against other machines. Unique local admin passwords via LAPS and restricting admin access are the main defenses against SAM credential theft.