The SAM file is encrypted using a "boot key" (also known as the SYSKEY). This key is stored within the SYSTEM registry hive. APC extracts the boot key from the SYSTEM hive and uses it to decrypt the SAM database, rendering the user account data readable.
Yes, when used legitimately (e.g., you locked yourself out of your own PC). However: active password changer full