Local Security Authority (LSA) is a subsystem in Windows 2000 and later that enforces security policies on the domain controller it's running on.
LSA provides security tokens to processes and threads, and it stores the user passwords it deals with in the LSA Secrets area of the Registry. That area is nominally referred to by the keyname HKEY_LOCAL_MACHINE\Security\Policy\Secrets, but it's not conventionally visible through a tool like Regedit.
There have been a few other tools (some provided by Microsoft) for probing the LSA Secrets area, but the best of the bunch are two tools from Nir Sofer. Readers of my tips know him as the creator of a seemingly endless series of terrific utilities. New to his kit are
Like the majority of Sofer's tools, both programs are self-contained and can run from any directory without installation. Launch LSASecretsView, and you'll be given a list of all the entries in the LSA Secrets area, their length in bytes and their contents (in both a hex and ASCII dump). Among the entries you might see are DefaultPassword (typically the password for the admin account), and passwords for subsystems such as the ASP.NET framework. The results can be exported to an HTML report.
Note: Passwords stored in the LSA Secrets area are stored as UTF-16 strings. If you type in a conventional password and it's stored in the LSA Secrets area, its ASCII dump will look like p.a.s.s.w.o.r.d. (not password). The dots indicate the upper byte for each pair of bytes in a UTF-16 string. This is normal. The companion application, LSASecretsDump, is a console executable, not a GUI program, which dumps out the contents of the LSA Secrets area to the command line. If you want to dump the contents to a file, simply use a redirect, i.e., LSASecretsDump.exe>output.txt.
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
More information on this topic:
- Tip: How Utility
deletes 'undeletable' Registry keys
- Topics: Admin
- RSS: Sign
up for our RSS feed to receive expert advice every day.
This was first published in December 2006