Remko Weijnen's Blog (Remko's Blog)
About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
Just a small post today: a small commandline utility that reads the “DefaultPassword” LSA secret.
This secret is stored in the registry under the SECURITY Hive:
It’s data is encrypted but can be read using the LsaRetrievePrivateData API.
It’s meaning is not documented but the value is often the Windows account password but not always 😀
EDIT: as Andrew Morgan commented the DefaultPassword key is of course the encrypted version of the Autologon password as set by for example the SysInternals Autologon tool. I really should have known that…
Please consider donating something (even a small amount is ok) to support this site and my work:
Filed under: Windows Internals
Profile
Top Posts
- How rdp passwords are encrypted
- Enable Developer mode on VW Discover Pro with VCDS
- Switch SATA Operation Mode
- ClickOnce Applications in Enterprise Environments
- Running multiple instances of Lync (howto)
- SasLibEx 2.0 Release Announcement
- Wordpress and the Cookie Monster
- VW RNS 510 Navigation Startup Pictures
- RNS 315 Enable Developer Mode
- Patch Windows 2003 Terminal Server to allow more than 2 concurrent sessions
Recent Comments
Featured Downloads
- AClientFix (6788 downloads)
- AddPrinter2.zip (6343 downloads)
- AdProps (6175 downloads)
- AdSample1 (5627 downloads)
- AMD Radeon Crimson ReLive (6599 downloads)
- Atheros Driver (28027 downloads)
- AutoLogonXP 1.0 (5569 downloads)
- CDZA (4441 downloads)
- ChDrvLetter.zip (6081 downloads)
- ChDrvLetter.zip (7371 downloads)
Blogroll
- Andrew Morgan
- Arnout’s blog
- Assa’s Blog
- Barry Schiffer
- Delphi Praxis
- Ingmar Verheij
- Jedi Api Blog
- Jedi API Library
- Jeroen Tielen
- Kees Baggerman
Categories
- .NET (4)
- Active Directory (28)
- Altiris (36)
- App-V (1)
- Apple (5)
- Application Compatibility (11)
- Automotive (5)
- AWS (1)
- BootCamp (1)
- C# (6)
- C++ (2)
- Citrix (87)
- Delphi (61)
- Embedded (4)
- Exchange (16)
- General (71)
- iPhone (5)
- Java (8)
- Linux (1)
- Lync (2)
- NetScaler (1)
- Oracle (4)
- Other (1)
- Packaging (19)
- PowerShell (56)
- Programming (79)
- Quest (1)
- RES (7)
- script (22)
- ShareFile (1)
- SQL Server (10)
- Strange Error (3)
- Terminal Server (68)
- ThinApp (3)
- ThinKiosk (1)
- Ubuntu (1)
- Unattended Installation (19)
- Uncategorized (51)
- UWP (2)
- Vista (37)
- Visual Studio (1)
- VMWare (26)
- Windows 10 (2)
- Windows 2003 (30)
- Windows 2008 (37)
- Windows 2008 R2 (16)
- Windows 2012 (2)
- Windows 7 (30)
- Windows 8 (4)
- Windows Internals (12)
- Windows XP (16)
Archives
- February 2023 (1)
- October 2022 (3)
- July 2022 (1)
- June 2022 (2)
- October 2019 (1)
- March 2018 (1)
- January 2018 (4)
- December 2017 (3)
- April 2017 (1)
- March 2017 (5)
- February 2017 (4)
- May 2016 (3)
- March 2016 (1)
- October 2015 (2)
- September 2015 (1)
- January 2015 (1)
- August 2014 (1)
- July 2014 (8)
- May 2014 (1)
- November 2013 (1)
- October 2013 (2)
- September 2013 (3)
- August 2013 (4)
- June 2013 (2)
- May 2013 (3)
- April 2013 (5)
- March 2013 (5)
- February 2013 (1)
- January 2013 (5)
- December 2012 (9)
- November 2012 (3)
- October 2012 (3)
- August 2012 (4)
- July 2012 (2)
- June 2012 (1)
- May 2012 (6)
- March 2012 (13)
- February 2012 (12)
- January 2012 (9)
- December 2011 (9)
- November 2011 (4)
- October 2011 (5)
- September 2011 (10)
- August 2011 (10)
- July 2011 (2)
- June 2011 (8)
- May 2011 (12)
- April 2011 (4)
- March 2011 (14)
- February 2011 (8)
- January 2011 (32)
- December 2010 (23)
- November 2010 (19)
- October 2010 (10)
- September 2010 (6)
- August 2010 (1)
- July 2010 (1)
- June 2010 (6)
- March 2010 (7)
- February 2010 (3)
- December 2009 (3)
- November 2009 (11)
- September 2009 (2)
- July 2009 (1)
- June 2009 (5)
- May 2009 (1)
- April 2009 (2)
- March 2009 (3)
- February 2009 (6)
- January 2009 (3)
- December 2008 (8)
- November 2008 (5)
- October 2008 (3)
- September 2008 (3)
- August 2008 (3)
- June 2008 (6)
- May 2008 (2)
- April 2008 (3)
- March 2008 (5)
- January 2008 (3)
- December 2007 (3)
- November 2007 (13)
- October 2007 (10)
7 Responses for "DefaultPassword Dumper"
Interesting one Remko,
the key you describe here is used by autologon (from sys internals) when you configure an autologon account.
this must correspond with the autologon options in HKLM\software\Microsoft\WindowsNT\currentversion\WinLogon
When the application is executed unprivileged it returns “OpenPolicy failed with 0xC0000022 (Access denied)”. Mayb you can force it to run privileged?
It didn’t show anything on my machine. That’s probably because I don’t use autologon from sysinternals as Andrew described.
Ingmar, it was just pure fluke I stumbled across it while I was testing on a ThinKiosk box. Another case of me and Remko working on the same thing at the same time!
I’m not sure you can force a UAC prompt on a console app either.
As @KeesBaggerman guessed this is an old project, I didn’t know at that time what the value meant but I should have known (now) that this was the Autologon Password!
I will try to add a manifest that requires admin privileges…
This is getting scary Andrew 😀
For some reason my last comment didn’t appear. You can use the tool LogonExpert to use autologon and store the password in a secure AES encrypted location.
Leave a reply