Protecting the Automatic Logon Password

[simple_user]

Hi there,
I was trying to change the way of automatic logon.
I wrote simple executable using LSA to set password by LsaStorePrivateData
(). Then I deleted reg.key value ‘DefaultPassword’
I restarted PC (WindowsXP installed) but it didn’t get through – it show
log-on dialog and I have to enter password manually.
I thought that Winlogon should be able to retrieve ‘secret’ password and not
to look for ‘DefaultPassword’ value.
Do I missing something here? Any additional steps needs?

Regards,

 

[S. Pidgorny]

I think automatic logon is designed to require the DefaultPassword value.
Therefore LSA private data won't help, as there is no setting that allow
system to use it for automatic logon (AFAIK).

What are you trying to achieve with this?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"simple_user" <simpleuser@discussions.microsoft.com> wrote in message
news:0503FFFA-B921-41A0-BCE0-5B8D3607BFA3@microsoft.com...
> Hi there,
> I was trying to change the way of automatic logon.
> I wrote simple executable using LSA to set password by LsaStorePrivateData
> (). Then I deleted reg.key value 'DefaultPassword'
> I restarted PC (WindowsXP installed) but it didn't get through - it show
> log-on dialog and I have to enter password manually.
> I thought that Winlogon should be able to retrieve 'secret' password and
> not
> to look for 'DefaultPassword' value.
> Do I missing something here? Any additional steps needs?
>
> Regards,
>

 

[simple_user]

"S. Pidgorny <MVP>" wrote:

> I think automatic logon is designed to require the DefaultPassword value.
> Therefore LSA private data won't help, as there is no setting that allow
> system to use it for automatic logon (AFAIK).
>
> What are you trying to achieve with this?
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "simple_user" <simpleuser@discussions.microsoft.com> wrote in message
> news:0503FFFA-B921-41A0-BCE0-5B8D3607BFA3@microsoft.com...
> > Hi there,
> > I was trying to change the way of automatic logon.
> > I wrote simple executable using LSA to set password by LsaStorePrivateData
> > (). Then I deleted reg.key value 'DefaultPassword'
> > I restarted PC (WindowsXP installed) but it didn't get through - it show
> > log-on dialog and I have to enter password manually.
> > I thought that Winlogon should be able to retrieve 'secret' password and
> > not
> > to look for 'DefaultPassword' value.
> > Do I missing something here? Any additional steps needs?
> >
> > Regards,
> >
>
>
> Hi,
Idea is to protect automatic logon password. There is the article
(http://msdn2.microsoft.com/en-us/library/aa378826.aspx), which talks about
it. What I was trying to achieve is to remove plain text (DefaultPassword)
from the registry that it can’t be seen.
But at this point I’m not sure what exactly my steps should be in order to
do that ( trying to find more articles, so far not so good).
I might be wrong but it could be that I have to write custom dll in order to
perform auto logon. Any ideas or pointing to some direction are welcome ïŠ

 

[Ian]

The LSA password is used if you set autologon by running the "control
userpasswords2" applet. It is not used if you set autologon manually in the
winlogon registry key.

Was looking-into this for the next release of MyLogon, as I'd like to
integrate the setup into one applet instead of referring the user to the
Microsoft tool, as is presently done.

Having said that, the LSA is no longer secure, it has been cracked. Thus it
is questionable whether it's worth the effort of setting an LSA password.
Perhaps better just to make sure the autologon password is a throwaway one -
one which is not also used for secure services.

Basically, no password stored in the registry is safe, even if encrypted,
since it must be possible for the same computer to decrypt it by some means
or other, and if the system can decrypt it, then in principle an
Administrative user can too. The only safe stored password is a hashed one
(which is not suitable for autologon purposes)

Password revealers: http://nirsoft.net/