me.mello Posted June 15, 2011 Report Posted June 15, 2011 IntroductionWindows provides Security Management functions for managing various Windows secrets. One such function is LsaRetrievePrivateData which retrieves various secret data from system policy that has been previously stored using the function LsaStorePrivateData. One of the secret data stored by this function is the 'DefaultPassword'. All this secret information is stored in the encrypted format at system location in the registry. Normally these registry keys are not visible even if you run regedit as administrator. You need to use any of the techniques as described in this article http://rstcenter.com/forum/36405-discovering-hidden-registry-keys-windows.rst#post246503 to view these secret keys. Here is the screenshot of Regedit.exe running under system account showing the 'DefaultPassword' secret key.There are lot of other Lsa secret strings which are present at below registry locationHKEY_LOCAL_MACHINE\Security\Policy\SecretsUsing LsaRetrievePrivateData to get 'DefaultPassword'We don't have to manually decrypt this 'DefaultPassword' value from the registry to get the clear text password. The LsaRetrievePrivateData function does it in style without much work. Here is the code snippet which illustrates how to use LsaRetrievePrivateData to retrieve the default logon password.Before we begin, we need to open a handle to LSA policy.//Open the handle to LSA Policyif( LsaOpenPolicy(NULL, &ObjAttributes, POLICY_ALL_ACCESS, &hLsaPolicy) != STATUS_SUCCESS ){ printf("\n LsaOpenPolicy failed"); return;}Once the handle is opened, proceed to retrieve the default password by directly invoking function LsaRetrievePrivateDataPLSA_UNICODE_STRING privateData = NULL;WCHAR wstrKeyName[]=L"DefaultPassword";LSA_UNICODE_STRING keyName;keyName.Buffer = wstrKeyName;keyName.Length = wcslen(wstrKeyName) * sizeof(WCHAR);keyName.MaximumLength = (wcslen(wstrKeyName) + 1) * sizeof(WCHAR);if( LsaRetrievePrivateData(hLsaPolicy, &keyName, &privateData) != STATUS_SUCCESS){ printf("LsaRetrievePrivateData failed"); return;}On successful execution, display the retrieved default password and close the handleprintf("\n Success : default password is %S (%d)", privateData->Buffer, privateData->Length);LsaClose(hLsaPolicy);This is straightforward code to get the 'defaultpassword'. Also note that you need to have administrator privileges for this code to execute successfully.ConclusionThough this method is deprecated since XP onwards it still works even on Windows 7. However it is not necessarily have to be current logon user password as there is only one 'DefaultPassword' setting for entire system. Also its not clear under what conditions this password get saved and what password gets stored. Though its not reliable method for applications to get the logon password, it may get you the right password sometimes.Referinte:Security Management functions :Security Management Functions (Windows)MSDN - LsaRetrievePrivateData API Function: LsaRetrievePrivateData Function (Windows) Quote