Didier Stevens

Friday 26 September 2008

Quickpost: Stored User Names and Passwords

Filed under: Encryption,Quickpost — Didier Stevens @ 19:05

“Where does Windows store this password?” “Is it safe there?”

I regularly get asked these questions, and they frequently appear on forums.

Microsoft has developed several technologies to store and protect credentials, and to add to the confusion, Microsoft has renamed some of these technologies over the years…

A list: LSA, Protected Storage, Windows Data Protection (DPAPI), Stored User Names and Passwords, …

Last question I read was: where does runas /savecred store the password? It gets stored in Stored User Names and Passwords. Before storing the password:

And after:

Nirsoft has a tool (CredView) to dump passwords stored in Stored User Names and Passwords:

The CredRead function (used by CredView) will not retrieve Windows passwords (domain and local) unless it is called from the LSA process. That’s why CredView doesn’t display the testrunas password (data).

If you convert CredView to a DLL and inject it in the LSA process, you’ll be able to retrieve the passwords. This is exactly what Cain & Abel does, and why you need admin rights (SeDebugPrivilege to be precise).

Quickpost info

Blog at WordPress.com.