Why do both the SYSTEM and SAM registry hives need to be obtained to decrypt user hashes?
The SAM hive stores the encrypted user hashes, while the SYSTEM hive contains the boot key (syskey) needed to decrypt them. The syskey is derived from registry values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (subkeys JD, Skew1, GBG and Data). Without the SYSTEM hive, the encryption key cannot be reconstructed, so the SAM data alone is useless. This principle is explained in depth in "Penetration Techniques - Obtaining Local User Hashes via SAM Database".
syskey, SYSTEM hive, SAM hive, decryption, boot key