Discovering Windows Default Password Using LsaRetrievePrivateData
www.SecurityXploded.com

Introduction
Windows provides Security Management functions [Reference 1] for managing various Windows secrets. One such function is LsaRetrievePrivateData [Reference 2], which retrieves secret data from the local system policy that was previously stored with LsaStorePrivateData. One of the secrets stored this way is 'DefaultPassword'.

All of this secret information is stored in encrypted form at a system location in the registry. Normally these registry keys are not visible even when regedit is run as administrator; you need one of the techniques described in this article [Reference 3] to view them.

Here is a screenshot of regedit.exe running under the SYSTEM account, showing the 'DefaultPassword' secret key.

[Screenshot: regedit showing the DefaultPassword secret key]

Many other LSA secret strings are stored under the following registry location:
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
 
 
Using LsaRetrievePrivateData to get 'DefaultPassword'
We don't have to manually decrypt the 'DefaultPassword' value from the registry to obtain the clear-text password. The LsaRetrievePrivateData function does the decryption for us with very little work.

Here is the code snippet which illustrates how to use LsaRetrievePrivateData to retrieve the default logon password.
 
Before we begin, we need to open a handle to LSA policy.
#include <stdio.h>
#include <windows.h>
#include <ntsecapi.h>   // LSA API: LsaOpenPolicy, LsaRetrievePrivateData, LSA_UNICODE_STRING
LSA_OBJECT_ATTRIBUTES ObjAttributes;
LSA_HANDLE hLsaPolicy = NULL;
ZeroMemory(&ObjAttributes, sizeof(ObjAttributes));   // unused by LsaOpenPolicy but must be zeroed

//Open the handle to LSA Policy (POLICY_GET_PRIVATE_INFORMATION would be enough for a read)
if( LsaOpenPolicy(NULL, &ObjAttributes, POLICY_ALL_ACCESS, &hLsaPolicy) != STATUS_SUCCESS )
{
   printf("\n LsaOpenPolicy failed");
   return;
}
 
Once the handle is open, retrieve the default password by calling LsaRetrievePrivateData directly:
PLSA_UNICODE_STRING privateData = NULL;   // allocated by LSA, released with LsaFreeMemory
WCHAR wstrKeyName[] = L"DefaultPassword";
LSA_UNICODE_STRING keyName;

// LSA_UNICODE_STRING lengths are byte counts (USHORT), not character counts
keyName.Buffer = wstrKeyName;
keyName.Length = (USHORT)(wcslen(wstrKeyName) * sizeof(WCHAR));
keyName.MaximumLength = (USHORT)((wcslen(wstrKeyName) + 1) * sizeof(WCHAR));

if( LsaRetrievePrivateData(hLsaPolicy, &keyName, &privateData) != STATUS_SUCCESS)
{
   printf("LsaRetrievePrivateData failed");
   LsaClose(hLsaPolicy);   // don't leak the policy handle on the failure path
   return;
}
 
On success, display the retrieved default password, free the buffer LSA allocated, and close the handle:

// Buffer is not guaranteed to be null-terminated, so print exactly Length/sizeof(WCHAR) characters
printf("\n Success : default password is %.*S (%d bytes)",
       (int)(privateData->Length / sizeof(WCHAR)), privateData->Buffer, privateData->Length);

LsaFreeMemory(privateData);   // buffer was allocated by LSA
LsaClose(hLsaPolicy);
 
This is straightforward code for reading the 'DefaultPassword' secret. Note that you need administrator privileges for it to run successfully.
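As an added example (not the article's code), here are the same LSA calls driven from PowerShell via P/Invoke, written as a defender's audit rather than a password dumper: it reports whether a 'DefaultPassword' secret is present on the machine (only its length, never the value) and, with -Remove, deletes the secret by calling LsaStorePrivateData with NULL data, which the LSA API defines as deletion. The P/Invoke declarations, access-mask values and NTSTATUS codes are the standard advapi32 ones; the function name Test-LsaDefaultPassword and the output fields are this example's own naming. Like the article's code, it must run elevated.

```powershell
# Added example: audit for a stored 'DefaultPassword' LSA secret and optionally delete it.
# Structures and constants are the documented Win32 ones; nothing here prints the secret value.
$lsaSource = @'
using System;
using System.Runtime.InteropServices;

public static class LsaNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING
    {
        public ushort Length;         // in bytes, not characters
        public ushort MaximumLength;  // in bytes
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int    Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint   Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    public const uint POLICY_GET_PRIVATE_INFORMATION = 0x00000004; // required to retrieve a secret
    public const uint POLICY_CREATE_SECRET           = 0x00000020; // required to store/delete one
    public const uint STATUS_SUCCESS                 = 0x00000000;
    public const uint STATUS_OBJECT_NAME_NOT_FOUND   = 0xC0000034; // returned when no such secret exists

    [DllImport("advapi32.dll")]
    public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")]
    public static extern uint LsaRetrievePrivateData(IntPtr PolicyHandle, ref LSA_UNICODE_STRING KeyName, out IntPtr PrivateData);
    // PrivateData is declared as IntPtr so that IntPtr.Zero (NULL) can be passed, which deletes the secret
    [DllImport("advapi32.dll")]
    public static extern uint LsaStorePrivateData(IntPtr PolicyHandle, ref LSA_UNICODE_STRING KeyName, IntPtr PrivateData);
    [DllImport("advapi32.dll")]
    public static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")]
    public static extern uint LsaClose(IntPtr ObjectHandle);
}
'@
Add-Type -TypeDefinition $lsaSource

function Test-LsaDefaultPassword {
    # Returns Present/LengthBytes/Removed; with -Remove, deletes the secret (LsaStorePrivateData, NULL data).
    param([switch]$Remove)

    $attrs = New-Object -TypeName 'LsaNative+LSA_OBJECT_ATTRIBUTES'
    $attrs.Length = [Runtime.InteropServices.Marshal]::SizeOf([type]'LsaNative+LSA_OBJECT_ATTRIBUTES')
    $access = [LsaNative]::POLICY_GET_PRIVATE_INFORMATION      # least privilege: read only...
    if ($Remove) { $access = $access -bor [LsaNative]::POLICY_CREATE_SECRET }   # ...unless deleting

    $hPolicy = [IntPtr]::Zero
    $status = [LsaNative]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, $access, [ref]$hPolicy)
    if ($status -ne [LsaNative]::STATUS_SUCCESS) {
        throw ("LsaOpenPolicy failed, NTSTATUS 0x{0:X8} (is the session elevated?)" -f $status)
    }

    # Build the LSA_UNICODE_STRING for the key name; both lengths are byte counts.
    $keyText = 'DefaultPassword'
    $keyBuf  = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($keyText)
    $key = New-Object -TypeName 'LsaNative+LSA_UNICODE_STRING'
    $key.Length        = [uint16]($keyText.Length * 2)
    $key.MaximumLength = [uint16](($keyText.Length + 1) * 2)
    $key.Buffer        = $keyBuf

    try {
        $pData  = [IntPtr]::Zero
        $status = [LsaNative]::LsaRetrievePrivateData($hPolicy, [ref]$key, [ref]$pData)
        if ($status -eq [LsaNative]::STATUS_OBJECT_NAME_NOT_FOUND) {
            return [pscustomobject]@{ Present = $false; LengthBytes = 0; Removed = $false }
        }
        if ($status -ne [LsaNative]::STATUS_SUCCESS) {
            throw ("LsaRetrievePrivateData failed, NTSTATUS 0x{0:X8}" -f $status)
        }
        # Only the length is reported; the clear-text buffer is freed without being displayed.
        $secret = [Runtime.InteropServices.Marshal]::PtrToStructure($pData, [type]'LsaNative+LSA_UNICODE_STRING')
        $len = [int]$secret.Length
        [void][LsaNative]::LsaFreeMemory($pData)

        $removed = $false
        if ($Remove) {
            $status = [LsaNative]::LsaStorePrivateData($hPolicy, [ref]$key, [IntPtr]::Zero)
            if ($status -ne [LsaNative]::STATUS_SUCCESS) {
                throw ("LsaStorePrivateData (delete) failed, NTSTATUS 0x{0:X8}" -f $status)
            }
            $removed = $true
        }
        return [pscustomobject]@{ Present = $true; LengthBytes = $len; Removed = $removed }
    }
    finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($keyBuf)
        [void][LsaNative]::LsaClose($hPolicy)
    }
}

# Usage: Test-LsaDefaultPassword           (audit only)
#        Test-LsaDefaultPassword -Remove   (audit, then delete the stored secret)
Test-LsaDefaultPassword | Format-List
```

Add-Type compiles the LsaNative type once per session, so edit the declarations in a fresh session. The audit-only path opens the policy with POLICY_GET_PRIVATE_INFORMATION instead of POLICY_ALL_ACCESS, which is all that LsaRetrievePrivateData needs; POLICY_CREATE_SECRET is requested only when -Remove is given, since that is the right LsaStorePrivateData requires.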
 
 
Conclusion
Though this method has been deprecated since Windows XP, it still works on Windows 7. However, the value is not necessarily the current logon user's password, since there is only one 'DefaultPassword' setting for the entire system. It is also not clear under what conditions this password gets saved, or which password is stored.

Though this is not a reliable way for applications to obtain the logon password, it may give you the right password in some cases.
 
 
References
    1. Windows Security Management Functions
    2. MSDN - LsaRetrievePrivateData API Function
    3. Discovering hidden registry keys in Windows