Gathering information: logged in as an ordinary user (not admin), use find, browse directories, look for the SAM, and run enumeration tools. Basic countermeasures: do not store the LAN Manager hash, and set a BIOS password!!
Adding an account to the administrators group: getadmin and XP sechole. Countermeasures: apply service packs and restrict FTP to the server's script directories. Rogue DLLs are another route.
Cracking passwords: dictionary attack (create hashes from a list of the most probable passwords) and brute force (create hashes from every value in the key space, e.g. 26^7 possibilities for an uppercase-only password of at most 7 characters). John the Ripper is one of the best tools (the link is for a graphical interface).
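The key-space figure above comes from how LAN Manager treats a password: it is upper-cased, cut to 14 characters and hashed as two independent 7-character halves, so an attacker exhausts two small key spaces instead of one large one. The following is an added illustration, not part of these notes, that models that weakness; the character-class key-space estimate is an assumption of the model (the attacker is taken to know which classes were used), and no hashing is performed.

```python
"""Model why storing LM hashes weakens a password: compare the candidates
an attacker must try against an LM hash with those for a case-sensitive
hash of the full password. Added example; the key-space estimate assumes
the attacker knows the character classes in use."""

import math

LM_MAX_LEN = 14   # LM keeps at most 14 characters
LM_HALF_LEN = 7   # ... and hashes them as two 7-character halves

def lm_halves(password: str) -> tuple[str, str]:
    """LM preprocessing: upper-case, truncate/pad to 14 bytes, split in two."""
    padded = password.upper()[:LM_MAX_LEN].ljust(LM_MAX_LEN, "\0")
    return padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]

def charset_size(text: str, case_sensitive: bool) -> int:
    """Size of the smallest standard character set that covers `text`."""
    size = 0
    if any(c.isalpha() for c in text):
        size += 52 if case_sensitive else 26   # LM has no lower case
    if any(c.isdigit() for c in text):
        size += 10
    if any(not c.isalnum() and c != "\0" for c in text):
        size += 33                              # printable ASCII punctuation
    return size

def ntlm_keyspace(password: str) -> int:
    """Candidates to exhaust for a case-sensitive hash of the whole password."""
    return charset_size(password, True) ** len(password)

def lm_keyspace(password: str) -> int:
    """Candidates to exhaust for LM: halves are attacked independently, so
    their key spaces add instead of multiplying. Characters beyond 14 are
    simply never hashed."""
    total = 0
    for half in lm_halves(password):
        chars = half.rstrip("\0")
        if chars:
            total += charset_size(chars, False) ** len(chars)
    return total

def lm_penalty_bits(password: str) -> float:
    """How many bits of brute-force strength storing the LM hash gives away."""
    return math.log2(ntlm_keyspace(password) / lm_keyspace(password))

if __name__ == "__main__":
    for pw in ["abcdefg", "Password12345!", "correct horse battery staple"]:
        print(f"{pw!r}: LM {lm_keyspace(pw):.3e} vs NTLM {ntlm_keyspace(pw):.3e} "
              f"({lm_penalty_bits(pw):.0f} bits lost)")
```

The first sample reproduces the notes' 26^7 figure: seven letters, any case, collapse to an uppercase-only half under LM.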
Obtaining SYSTEM account privileges: at 10:00 /INTERACTIVE cmd.exe (replace 10:00 with a time two minutes after you type the command). Disabled in Windows 7.
Registry: very few items are accessible to everyone. Probably the lowest threat, and the Policy Editor can be used to hide keys or deny access.
Kerberos: only 2K, XP and 7 machines have it; authentication downgrades to NTLM and LAN Manager if Win 9x/NT machines are involved.
EFS attack: deleting the SAM blanks the Administrator password. This allows logging in as Administrator (the recovery agent) and decrypting the contents of the files. Countermeasures: set a BIOS password and allow booting from the C: drive only.