“Where does Windows store this password?” “Is it safe there?”
I regularly get asked these questions, and they frequently appear on forums.
Microsoft has developed several technologies to store and protect credentials, and to add to the confusion, Microsoft has renamed some of these technologies over the years…
A list: LSA, Protected Storage, Windows Data Protection (DPAPI), Stored User Names and Passwords, …
The last question I read was: where does runas /savecred store the password? It gets stored in Stored User Names and Passwords. Before storing the password:
And after:
Nirsoft has a tool (CredView) to dump passwords stored in Stored User Names and Passwords:
The CredRead function (used by CredView) will not retrieve Windows passwords (domain and local) unless it is called from the LSA process. That’s why CredView doesn’t display the testrunas password (data).
If you convert CredView to a DLL and inject it into the LSA process, you’ll be able to retrieve the passwords. This is exactly what Cain & Abel does, and why you need admin rights (SeDebugPrivilege to be precise).
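To check which entries a user has in Stored User Names and Passwords, including those saved by runas /savecred, you can parse the output of cmdkey /list, which reports target, type and user name but never the password. The script below is an added example, not code from the original post. It assumes English-locale cmdkey output and that runas /savecred entries carry a Domain:interactive= target; the sample listing and its host names are constructed.

```python
import re

# Constructed sample of English-locale `cmdkey /list` output; host and share
# names are made up (testrunas is the account name used in the post).
SAMPLE = """\
Currently stored credentials:

    Target: LegacyGeneric:target=backup-share
    Type: Generic
    User: svc_backup

    Target: Domain:interactive=XPBOX\\testrunas
    Type: Domain Password
    User: XPBOX\\testrunas

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\\alice
    Local machine persistence
"""

FIELD = re.compile(r"^\s*(Target|Type|User):\s*(.*?)\s*$")


def parse_cmdkey_list(text):
    """Return one dict per stored credential, in listing order."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner, blank lines, persistence notes
        key, value = m.group(1).lower(), m.group(2)
        if key == "target":  # every entry starts with its Target line
            current = {"target": value, "type": "", "user": ""}
            entries.append(current)
        elif current is not None:
            current[key] = value
    return entries


def saved_runas_accounts(entries):
    """Accounts saved by `runas /savecred` (assumed target: Domain:interactive=...)."""
    prefix = "domain:interactive="
    return [e["user"] or e["target"][len(prefix):]
            for e in entries if e["target"].lower().startswith(prefix)]


if __name__ == "__main__":
    print(saved_runas_accounts(parse_cmdkey_list(SAMPLE)))
```

On a live system, feed the function the text captured from cmdkey /list instead of SAMPLE.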
I tried with regmon/filemon to find where the credentials are actually stored, still not sure:
hkcu\Software\Microsoft\Protected Storage System Provider,
\documents and settings\username\Application Data\Microsoft\Credentials or hklm\security? sam
Comment by unary — Friday 26 September 2008 @ 21:44
No, when adding the first credentials, a file (credentials.sys) was created here:
C:\Documents and Settings\%Username%\Application Data\Microsoft\Credentials\%UserSID%\Credentials
And each time I added credentials, the file grew in size (128 bytes).
And decreased (128 bytes) when I removed a credential.
Comment by Didier Stevens — Friday 26 September 2008 @ 21:49