Impacket secretsdump
Attributions are based on open-source threat reports. A family appearing here means at least one syscall record cites it; absence does not imply non-use.
3 syscalls cited
- NtOpenKey
Opens an existing registry key — the kernel entry behind RegOpenKeyEx, used to reach SAM, SECURITY and persistence hives.
- NtOpenKeyEx
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.
- NtUnloadKey
Detaches a previously-loaded registry hive from the configuration manager.