The Windows passwords are stored and crypted in the SAM file (c:windowssystem32config). In the same folder you can find the key to decrypt it: the file SYSTEM. This two files are locked by the kernel when the operating system is up, so to backup it and decrypt you have to use some bootable linux distro, to mount the disk when the system is down or to use some program like fgdump, pwdump or meterpreter hashdump. Someone told me even that is possible to copy this files causing a Blue Sceen of Death an then remotely dump files, but I never try it.
An alternative, when the operating system is working, is to take the two twins files present in folder c:windowsrepair that the system create as a backup. This work up to Windows XP (think also Vista), but I can’t be able to find these files on Windows7. If you know something more, write me.
The tools that work on Windows 10 can also work on Windows 7 but not vice-versa. The tools mentioned above work only on Windows 7. Even if they run on Windows 10 and give the hash, that hash will not be accurate and will not work and/or crack. Windows 10 Mimikatz. There is a good enough method to dump the hashes of SAM file using mimikatz. Hacker tools were available to recover a FEK from the SAM. If an administrator took ownership of an encrypted file, with a little effort, they could retrieve the FEK from the SAM and recover the encrypted file. When EFS is used to encrypt a file in Windows 7, the FEK is stored within the encrypting user’s Digital Certificate.
Once you have the files you use bkhive to extract the bootkey:
Then put together the bootkey and the SAM file:
And then try to crack the hash:
This is just an exemple of use of this tools. To crack hash you can algo use google that is always the bigest resource.