Best tools for probing LSA Secrets area of Windows Registry

Two new utilities are the best available for probing the Local Security Authority (LSA) Secrets area of the Windows Registry.

Local Security Authority (LSA) is a subsystem in Windows 2000 and later that enforces security policies on the domain controller it's running on.

LSA provides security tokens to processes and threads, and it stores the user passwords it deals with in the LSA Secrets area of the Registry. That area is nominally referred to by the keyname HKEY_LOCAL_MACHINE\Security\Policy\Secrets, but it's not conventionally visible through a tool like Regedit.

There have been a few other tools (some provided by Microsoft) for probing the LSA Secrets area, but the best of the bunch are two tools from Nir Sofer. Readers of my tips know him as the creator of a seemingly endless series of terrific utilities. New to his kit are LSASecretsView and LSASecretsDump, two tools for examining and exporting the contents of the LSA Secrets area. (This can be useful for recovering passwords for system accounts.)

Like the majority of Sofer's tools, both programs are self-contained and can run from any directory without installation. Launch LSASecretsView, and you'll be given a list of all the entries in the LSA Secrets area, their length in bytes and their contents (in both a hex and ASCII dump). Among the entries you might see are DefaultPassword (typically the password for the admin account), and passwords for subsystems such as the ASP.NET framework. The results can be exported to an HTML report.

Note: Passwords stored in the LSA Secrets area are stored as UTF-16 strings. If you type in a conventional password and it's stored in the LSA Secrets area, its ASCII dump will look like p.a.s.s.w.o.r.d. (not password). The dots indicate the upper byte for each pair of bytes in a UTF-16 string. This is normal. The companion application, LSASecretsDump, is a console executable, not a GUI program, which dumps out the contents of the LSA Secrets area to the command line. If you want to dump the contents to a file, simply use a redirect, i.e., LSASecretsDump.exe>output.txt.

About the author: Serdar Yegulalp is editor of the  Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

This was first published in December 2006

Dig deeper on Windows Server and Network Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close