Best tools for probing LSA Secrets area of Windows Registry

LSA provides security tokens to processes and threads, and it stores the user passwords it deals with in the LSA Secrets area of the Registry. That area is nominally referred to by the keyname HKEY_LOCAL_MACHINE\Security\Policy\Secrets, but it's not conventionally visible through a tool like Regedit.

There have been a few other tools (some provided by Microsoft) for probing the LSA Secrets area, but the best of the bunch are two tools from Nir Sofer. Readers of my tips know him as the creator of a seemingly endless series of terrific utilities. New to his kit are LSASecretsView and LSASecretsDump, two tools for examining and exporting the contents of the LSA Secrets area. (This can be useful for recovering passwords for system accounts.)

Like the majority of Sofer's tools, both programs are self-contained and can run from any directory without installation. Launch LSASecretsView, and you'll be given a list of all the entries in the LSA Secrets area, their length in bytes and their contents (in both a hex and ASCII dump). Among the entries you might see are DefaultPassword (typically the password for the admin account), and passwords for subsystems such as the ASP.NET framework. The results can be exported to an HTML report.

Note: Passwords stored in the LSA Secrets area are stored as UTF-16 strings. If you type in a conventional password and it's stored in the LSA Secrets area, its ASCII dump will look like p.a.s.s.w.o.r.d. (not password). The dots indicate the upper byte for each pair of bytes in a UTF-16 string. This is normal. The companion application, LSASecretsDump, is a console executable, not a GUI program, which dumps out the contents of the LSA Secrets area to the command line. If you want to dump the contents to a file, simply use a redirect, i.e., LSASecretsDump.exe>output.txt.

About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:

• Tip: How Utility deletes 'undeletable' Registry keys
  
• Topics: Admin tools
  
• RSS: Sign up for our RSS feed to receive expert advice every day.
  
  

  Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft Windows 2000 Server Administration Unable to view webpage inside LAN Update the entire user property sheet in Active Directory Optimize Windows virtual memory in Windows 2000 Server DNS on workgroup servers vs DNS on domain servers Mocbot update targets MS06-040 flaw Utility helps you view ActiveX component information Unregistered Microsoft Search .DLLs can cause problems Domain controller management Locking down SMTP in Win2K and Server 2003 Terminal Services: Multiple time zones and only one terminal server Microsoft Windows 2000 Server Administration Research Windows Systems and Network Management Tools and Techniques A first look at Internet Information Services 7.0 Windows registry hack improves offline file access for mobile users Reducing the size of network backups in Windows Monitor network bandwidth with CyberGauge How to format NTFS: More tricks to improve file system performance Key enhancements to SCCM give admins more control over assets, licensing Archiving information with New-Item in Windows PowerShell Debugging Userenv issues using Windows new event viewer The new Microsoft System Center: What happened to SMS and MOM? New Russinovich tool scans for open file references from command line Windows Server Monitoring and Management A quick guide to Server Manager for Windows Server 2008 How does Microsoft Hyper-V rate? Network Access Protection in Windows Server 2008: Should you care? Just what does Microsoft Hyper-V have to offer? Considerations in building GeoClusters for Windows Server 2008 Can Microsoft really make an impact with Hyper-V? Easing security concerns with Server Core for Windows 2008 Understanding quorum in Windows Server 2008 clustering What's there to hate about Windows Server 2008? Windows PowerShell: A backdoor to malware? RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.