explaingit

nzyuko/ntfsdump

21 · Rust · Audience · ops, devops · Complexity · 3/5 · Setup · moderate

TLDR

A Windows command-line tool written in Rust that copies locked system files like registry hives by reading directly from the raw NTFS disk volume, bypassing normal OS file-access restrictions.

Mindmap

mindmap
  root((ntfsdump))
    What it does
      Reads raw NTFS volume
      Copies locked system files
      Parses registry hives
    Commands
      dump SAM and SYSTEM hives
      copy any file by path
      read file to Base64 or bytes
      sam list local user accounts
    Use cases
      Forensic acquisition
      Incident response
      Security lab exercises
    Tech
      Rust cross-compiled
      MinGW toolchain
      Windows only


Things people build with this

USE CASE 1

Extract SAM and SYSTEM registry hives from a live Windows system for forensic analysis without triggering OS file locks.

USE CASE 2

Copy any locked Windows file by its absolute path using raw NTFS access during an incident response investigation.

USE CASE 3

List local Windows user accounts with password hash fields during a security lab or credential audit exercise.

Tech stack

Rust · MinGW

Getting it running

Difficulty · moderate · Time to first run · 30 min

Must be built from source with Rust and MinGW, must run as Administrator on Windows, no pre-built binary is provided.

In plain English

ntfsdump is a command-line tool written in Rust for Windows that copies protected system files by reading directly from the raw disk volume instead of going through the normal Windows file system. Windows locks certain files, such as registry hives, while the operating system is running, so they cannot be copied with ordinary file commands. This tool bypasses that restriction by opening the raw NTFS volume, parsing the file system metadata to locate a target file, and reading its bytes straight from disk. Administrator privileges are required.

The tool has four commands. The default dump command extracts the SAM and SYSTEM registry hives, which store local user account data and system configuration; an optional flag also pulls the SECURITY hive. The copy command lets you specify any absolute path on the file system to extract. The read command retrieves one file and either prints it as Base64 text or writes the raw bytes to an output path. The sam command parses a previously copied SAM hive and lists local user accounts with their password hash fields shown in a redacted form.

This is primarily a forensic acquisition tool. Security professionals working on Windows endpoint investigations or lab exercises use raw hive acquisition when they need to analyze credential or configuration data from a live system without triggering file locks. The README links to a lab write-up with screenshots showing the tool in use.

The project is built with Rust and cross-compiled for Windows using the MinGW toolchain. The README gives the single build command and several PowerShell usage examples. No pre-built binary is included; you compile it from source.

Copy-paste prompts

Prompt 1
I built ntfsdump with the MinGW toolchain. How do I run the dump command as Administrator to extract the SAM and SYSTEM hives to a specific output folder?
Prompt 2
Using ntfsdump's copy command, how do I extract a specific locked file like C:\Windows\System32\config\SECURITY from a live Windows system?
Prompt 3
I used ntfsdump to pull the SAM hive. How do I take that output file and analyze the password hashes with a tool like Impacket or Hashcat in a lab environment?