What steps are required to extract local user password hashes from a remote system via the registry?
First, enable the Remote Registry service and grant 'Everyone' full control over both `HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg` and the `HKLM\SAM\SAM` registry hive (including its subkeys). Then use a script like harmj0y's `RemoteHashRetrieval.ps1` to read the SAM and SYSTEM keys, decrypt the syskey, and recover all local user hashes. This technique is covered in Penetration Techniques - Remote Registry in Windows.
SAM hash retrieval, RemoteHashRetrieval, syskey, local user hashes, registry ACL