Tip

Best tools for probing LSA Secrets area of Windows Registry

Local Security Authority (LSA) is a subsystem in Windows 2000 and later that enforces security policies on the domain controller it's running on.

LSA provides security tokens to processes and threads, and it stores the user passwords it deals with in the LSA Secrets area of the Registry. That area is nominally referred to by the keyname HKEY_LOCAL_MACHINE\Security\Policy\Secrets, but it's not conventionally visible through a tool like Regedit.

There have been a few other tools (some provided by Microsoft) for probing the LSA Secrets area, but the best of the bunch are two tools from Nir Sofer. Readers of my tips know him as the creator of a seemingly endless series of terrific utilities. New to his kit are

    Requires Free Membership to View

LSASecretsView and LSASecretsDump, two tools for examining and exporting the contents of the LSA Secrets area. (This can be useful for recovering passwords for system accounts.)

Like the majority of Sofer's tools, both programs are self-contained and can run from any directory without installation. Launch LSASecretsView, and you'll be given a list of all the entries in the LSA Secrets area, their length in bytes and their contents (in both a hex and ASCII dump). Among the entries you might see are DefaultPassword (typically the password for the admin account), and passwords for subsystems such as the ASP.NET framework. The results can be exported to an HTML report.

Note: Passwords stored in the LSA Secrets area are stored as UTF-16 strings. If you type in a conventional password and it's stored in the LSA Secrets area, its ASCII dump will look like p.a.s.s.w.o.r.d. (not password). The dots indicate the upper byte for each pair of bytes in a UTF-16 string. This is normal. The companion application, LSASecretsDump, is a console executable, not a GUI program, which dumps out the contents of the LSA Secrets area to the command line. If you want to dump the contents to a file, simply use a redirect, i.e., LSASecretsDump.exe>output.txt.

About the author: Serdar Yegulalp is editor of the  Windows Power Users Newsletter, which is devoted to hints, tips, tricks, news and goodies for Windows NT, Windows 2000 and Windows XP users and administrators. He has more than 10 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.

More information on this topic:

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.