whatisgithub

What is ntfsdump?

nzyuko/ntfsdump — explained in plain English

Analysis updated 2026-06-24

21RustAudience · ops devopsComplexity · 3/5Setup · moderate

In one sentence

A Windows command-line tool written in Rust that copies locked system files like registry hives by reading directly from the raw NTFS disk volume, bypassing normal OS file-access restrictions.

Mindmap

mindmap
  root((ntfsdump))
    What it does
      Reads raw NTFS volume
      Copies locked system files
      Parses registry hives
    Commands
      dump SAM and SYSTEM hives
      copy any file by path
      read file to Base64 or bytes
      sam list local user accounts
    Use cases
      Forensic acquisition
      Incident response
      Security lab exercises
    Tech
      Rust cross-compiled
      MinGW toolchain
      Windows only
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Extract SAM and SYSTEM registry hives from a live Windows system for forensic analysis without triggering OS file locks.

USE CASE 2

Copy any locked Windows file by its absolute path using raw NTFS access during an incident response investigation.

USE CASE 3

List local Windows user accounts with password hash fields during a security lab or credential audit exercise.

What is it built with?

RustMinGW

How does it compare?

nzyuko/ntfsdumpdanilaa1/auditkitgnitoahc/remote-ssh.nvim
Stars212121
LanguageRustRustRust
Setup difficultymoderatemoderatemoderate
Complexity3/53/53/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Must be built from source with Rust and MinGW, must run as Administrator on Windows, no pre-built binary is provided.

So what is it?

ntfsdump is a command-line tool written in Rust for Windows that copies protected system files by reading directly from the raw disk volume instead of going through the normal Windows file system. Windows locks certain files, such as registry hives, while the operating system is running, so they cannot be copied with ordinary file commands. This tool bypasses that restriction by opening the raw NTFS volume, parsing the file system metadata to locate a target file, and reading its bytes straight from disk. Administrator privileges are required. The tool has four commands. The default dump command extracts the SAM and SYSTEM registry hives, which store local user account data and system configuration. An optional flag also pulls the SECURITY hive. The copy command lets you specify any absolute path on the file system to extract. The read command retrieves one file and either prints it as Base64 text or writes the raw bytes to an output path. The sam command parses a previously copied SAM hive and lists local user accounts with their password hash fields shown in a redacted form. This is primarily a forensic acquisition tool. Security professionals working on Windows endpoint investigations or lab exercises use raw hive acquisition when they need to analyze credential or configuration data from a live system without triggering file locks. The README links to a lab write-up with screenshots showing the tool in use. The project is built with Rust and cross-compiled for Windows using the MinGW toolchain. The README gives the single build command and several PowerShell usage examples. No pre-built binary is included, you compile it from source.

Copy-paste prompts

Prompt 1
I built ntfsdump with the MinGW toolchain. How do I run the dump command as Administrator to extract the SAM and SYSTEM hives to a specific output folder?
Prompt 2
Using ntfsdump's copy command, how do I extract a specific locked file like C:\Windows\System32\config\SECURITY from a live Windows system?
Prompt 3
I used ntfsdump to pull the SAM hive. How do I take that output file and analyze the password hashes with a tool like Impacket or Hashcat in a lab environment?

Frequently asked questions

What is ntfsdump?

A Windows command-line tool written in Rust that copies locked system files like registry hives by reading directly from the raw NTFS disk volume, bypassing normal OS file-access restrictions.

What language is ntfsdump written in?

Mainly Rust. The stack also includes Rust, MinGW.

How hard is ntfsdump to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is ntfsdump for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.