In a previous article, we saw how to bypass the login screen in Windows 7 and earlier versions using Microsoft’s AutoLogon tool. We also mentioned that the main advantage of the AutoLogon tool is that your password is not stored in plain text, as it is when you add the registry entries manually. It is first encrypted and then backed up so that the PC administrator does not have access to it either. Today’s article discusses how to decrypt the DefaultPassword value stored in the registry using the DeAutoLogon tool.
You must first have administrator rights to decrypt the DefaultPassword value. The reason for this limitation is that this encrypted system and user data is governed by a special security policy known as the Local Security Authority (LSA), which grants access only to the system administrator. Before decrypting passwords, let’s take a look at this security policy and the background you need to know.
LSA is used by Windows to manage local system security policies and to perform auditing and authentication for users who log in to the system, while their private data is stored in a specific location. This location is called LSA Secrets, where important data used by the LSA policy is stored and protected. This data is stored encrypted in the registry under the key HKEY_LOCAL_MACHINE\Security\Policy\Secrets, which is not visible to general user accounts because of restrictive Access Control Lists (ACLs). If you have local administrator rights and are familiar with LSA Secrets, you can access RAS/VPN passwords, AutoLogon passwords and other system passwords/keys. Below is a list, just to name a few.
- $MACHINE.ACC: In connection with domain authentication
- DefaultPassword: Encrypted password value when AutoLogon is enabled
- NL$KM: Secret key for encrypting cached domain passwords
- L$RTMTIMEBOMB: To save the last date value for Windows activation
To create or modify secrets, there is a special set of APIs for software developers. Each application can access the LSA Secrets location, but only in the context of the current user account.
How to decrypt the AutoLogon password
To decrypt and extract the DefaultPassword value stored in LSA Secrets, you can simply make a call to the Win32 API. There is a simple executable that returns the decrypted DefaultPassword value. To use it, follow these steps:
- Download the executable from here – it is only 2 KB.
- Unzip the contents of the file DeAutoLogon.zip.
- Right-click on the DeAutoLogon.exe file and run it as administrator.
- If you have enabled the AutoLogon function, the DefaultPassword value should be displayed right in front of you.
If you try to run the program without administrator rights, you will encounter an error. Therefore, be sure to acquire local administrator rights before running the tool. I hope it helps you!
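Because both the plain-text registry entries and the LSA secret described above leave a password that a local administrator can recover, a defender will want to know which machines have AutoLogon configured at all. The following read-only audit is an added example, not part of the original article or of the DeAutoLogon tool. The Winlogon key path and the AutoAdminLogon and DefaultUserName value names are standard Windows names that do not appear on this page, and the function names and sample data are constructed for illustration.

```powershell
# Added example: read-only AutoLogon audit. It never prints the password itself.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFinding {
    # Classifies a set of Winlogon values (hypothetical helper, not a built-in cmdlet).
    param([Parameter(Mandatory)][hashtable]$Values)

    $enabled   = [string]$Values['AutoAdminLogon'] -eq '1'
    $plaintext = -not [string]::IsNullOrEmpty([string]$Values['DefaultPassword'])

    if ($plaintext) {
        $risk   = 'High'
        $detail = 'DefaultPassword is stored in plain text under the Winlogon key.'
    } elseif ($enabled) {
        $risk   = 'Medium'
        $detail = 'AutoLogon is on with no plain-text value; the password is likely held as the DefaultPassword LSA secret, which a local administrator can recover.'
    } else {
        $risk   = 'None'
        $detail = 'AutoLogon is not enabled and no plain-text password is present.'
    }

    [pscustomobject]@{
        AutoLogonEnabled  = $enabled
        PlaintextPassword = $plaintext
        Account           = [string]$Values['DefaultUserName']
        Risk              = $risk
        Detail            = $detail
    }
}

function Read-WinlogonValues {
    # Reads only the values the audit needs from the live registry.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $out = @{}
    foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'DefaultPassword') {
        $p = $props.PSObject.Properties[$name]
        $out[$name] = if ($p) { $p.Value } else { $null }
    }
    $out
}

# Constructed sample: a host where the registry entries were added manually.
$sample = @{ AutoAdminLogon = '1'; DefaultUserName = 'kiosk'; DefaultPassword = 'example-only' }
Get-AutoLogonFinding -Values $sample | Format-List

# On a Windows host, audit the live configuration as well.
if ($env:OS -eq 'Windows_NT') { Get-AutoLogonFinding -Values (Read-WinlogonValues) | Format-List }
```

A "Medium" result is an inference from the Winlogon values alone; the script does not open the protected Security hive to confirm that the secret exists.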
Use the comments section below if you have any questions.