Authentication, at its core, is the validation of your identity by presenting a combination of three main factors to a validation mechanism. They are;

  1. Something you know (a password, passcode, pin, etc.).

  2. Something you have (an ID Card, security key, or other MFA tools).

  3. Something you are (your physical self, username, email address, or other identifiers.)


Windows Authentication Process Diagram


Local Security Authority Subsystem Service (LSASS) is a collection of many modules and has access to all authentication processes that can be found in %SystemRoot%\System32\Lsass.exe

SAM Database

The Security Account Manager (SAM) is a database file in Windows operating systems that stores users' passwords. It can be used to authenticate local and remote users.

This file is located in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM. SYSTEM level permissions are required to view it.

the Domain Controller (DC) must validate the credentials from the Active Directory database (ntds.dit), which is stored in %SystemRoot%\ntds.dit.

Credential Manager

PS C:\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\


  • User accounts (username & password hash)

  • Group accounts

  • Computer accounts

  • Group policy objects

Last updated