Just a small post today: a small command-line utility that reads the “DefaultPassword” LSA secret.

This secret is stored in the registry under the SECURITY hive:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword

Its data is encrypted, but it can be read using the LsaRetrievePrivateData API.

Its meaning is not documented; the value is often, but not always, the Windows account password 😀

EDIT: As Andrew Morgan commented, the DefaultPassword key is of course the encrypted version of the Autologon password as set by, for example, the Sysinternals Autologon tool. I really should have known that…
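For auditing hosts, the same API can confirm that an Autologon credential is stored without displaying it. The following PowerShell script is an added example, not the utility from this post: it calls LsaRetrievePrivateData through P/Invoke and reports only whether the DefaultPassword secret exists and how many bytes it holds. The names `LsaAudit` and `SecretLength` are chosen here for illustration, and the script assumes an elevated session.

```powershell
# Added example: LsaAudit / SecretLength are illustrative names, not part of any tool.
$src = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class LsaAudit {
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES {
        public int Length; public IntPtr RootDirectory, ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService;
    }
    [DllImport("advapi32.dll")] static extern uint LsaOpenPolicy(IntPtr system,
        ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32.dll")] static extern uint LsaRetrievePrivateData(IntPtr policy,
        ref LSA_UNICODE_STRING key, out IntPtr data);
    [DllImport("advapi32.dll")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32.dll")] static extern uint LsaClose(IntPtr policy);
    [DllImport("advapi32.dll")] static extern int LsaNtStatusToWinError(uint status);
    const uint POLICY_GET_PRIVATE_INFORMATION = 0x4, STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;
    // Returns the secret's size in bytes, or -1 if absent; the value is never read into managed memory.
    public static int SecretLength(string name) {
        var attrs = new LSA_OBJECT_ATTRIBUTES();
        attrs.Length = Marshal.SizeOf(typeof(LSA_OBJECT_ATTRIBUTES));
        IntPtr policy, data;
        uint st = LsaOpenPolicy(IntPtr.Zero, ref attrs, POLICY_GET_PRIVATE_INFORMATION, out policy);
        if (st != 0) throw new Win32Exception(LsaNtStatusToWinError(st));
        var key = new LSA_UNICODE_STRING();
        key.Buffer = Marshal.StringToHGlobalUni(name);
        key.Length = (ushort)(name.Length * 2);            // byte length, no terminator
        key.MaximumLength = (ushort)(name.Length * 2 + 2);
        try {
            st = LsaRetrievePrivateData(policy, ref key, out data);
            if (st == STATUS_OBJECT_NAME_NOT_FOUND) return -1;
            if (st != 0) throw new Win32Exception(LsaNtStatusToWinError(st));
            if (data == IntPtr.Zero) return 0;
            int len = ((LSA_UNICODE_STRING)Marshal.PtrToStructure(data, typeof(LSA_UNICODE_STRING))).Length;
            LsaFreeMemory(data);                           // release the LSA-allocated buffer
            return len;
        } finally { Marshal.FreeHGlobal(key.Buffer); LsaClose(policy); }
    }
}
'@
Add-Type -TypeDefinition $src
$len = [LsaAudit]::SecretLength('DefaultPassword')
if ($len -lt 0) { 'DefaultPassword LSA secret: not present' } else { "DefaultPassword LSA secret: present ($len bytes)" }
```

A "present" result on a machine that is not meant to log on automatically is worth following up, since the stored credential is recoverable by anyone with administrative access to the host.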

DefaultPassword from LSA Secrets

DefaultPassword.zip