
In HKLM\SYSTEM\CurrentControlSet\Services\MY-SERVICE-NAME there is the Object Name key which contains the name of the user, but I cannot find the password.

I am trying to understand how DPAPI interacts with Windows services management and with the service process itself.

Thanks!

Adi Roiban

3 Answers


Passwords for Windows services are stored in the registry under:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\_SC_<ServiceName>

When you configure a Windows service to run as a different account, the Service Control Manager uses the LsaStorePrivateData function to store the password, and the corresponding LsaRetrievePrivateData function to retrieve it.

So it is reversible encryption of some kind, but sorry, the exact encryption algorithm and technique are not publicly documented. And helping you further reverse engineer it would be fun, but not a good idea for me.

Ryan Ries
  • Thanks! Just a note: the default registry permissions will not allow you to list the content of `HKEY_LOCAL_MACHINE\SECURITY`, and it will look empty. For educational purposes you can update the permissions and allow full rights to the administrators. Based on your information I also found this page http://www.passcape.com/index.php?section=docsys&cmd=details&id=23 – Adi Roiban May 21 '16 at 09:13
  • I also found this post http://moyix.blogspot.ro/2008/02/decrypting-lsa-secrets.html – Adi Roiban May 21 '16 at 11:27
  • P.S. If anyone's still using Windows 2000 (we have one legacy system which still does!) and wants to run a process under the system account, the current version of psexec doesn't seem to work. However, the Windows scheduler (`at` command) can be used: https://verbalprocessor.com/2007/12/05/running-a-cmd-prompt-as-local-system/ – JohnLBevan Jun 14 '16 at 17:41

While the actual encryption method may not be clear, accessing the data and requesting that the OS decrypt it on your behalf is a well-defined process - using PowerShell or the NirSoft LSASecretsView tool.

Royce Williams
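The two answers above establish where a service password ends up (an LSA secret named `_SC_<ServiceName>`, written by the Service Control Manager through LsaStorePrivateData) and that only the key's ACL keeps it from being read back. From a defender's side the useful follow-up is an inventory: which services on a host actually have such a secret, and who can read the key that holds them. The PowerShell below is an added example, not code from either answer or from Microsoft; the function names are this example's own, it assumes Windows PowerShell 5.1 or later on an elevated prompt (reading the ACL of HKLM\SECURITY needs Read Control, which Administrators hold by default), and its classification rests on the fact that built-in accounts, virtual accounts (NT SERVICE\...) and managed service accounts have no password stored by SCM at all.

```powershell
# Added example, not part of the original answers: inventory which services on this host
# have a password that the Service Control Manager stored as an LSA secret
# (HKLM\SECURITY\Policy\Secrets\_SC_<ServiceName>), and show who can read that key.
# Assumes Windows PowerShell 5.1+ on an elevated prompt; the function names below are
# this example's own (hypothetical), not a Microsoft API.

function Get-ServiceAccountClass {
    # Classify a service logon name. Only 'ExplicitCredential' accounts have a password
    # stored by SCM through LsaStorePrivateData; built-in accounts, virtual accounts
    # (NT SERVICE\...) and (group) managed service accounts (names ending in '$') do not.
    param([string]$StartName)

    if ([string]::IsNullOrWhiteSpace($StartName)) { return 'Unknown' }

    switch -Regex ($StartName.Trim()) {
        '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService))$' { return 'BuiltIn' }
        '^NT SERVICE\\'  { return 'VirtualAccount' }
        '\$$'            { return 'ManagedServiceAccount' }
        default          { return 'ExplicitCredential' }
    }
}

function Get-ServiceCredentialInventory {
    # One record per service, with the name of the LSA secret that would hold its password.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $class  = Get-ServiceAccountClass -StartName $_.StartName
        $secret = $null
        if ($class -eq 'ExplicitCredential') { $secret = "_SC_$($_.Name)" }
        [pscustomobject]@{
            Service       = $_.Name
            Account       = $_.StartName
            AccountClass  = $class
            LsaSecretName = $secret
            State         = $_.State
            StartMode     = $_.StartMode
        }
    }
}

function Get-LsaSecretsKeyAccess {
    # Report every ACE on HKLM\SECURITY. By default only SYSTEM can read it (Administrators
    # hold Read Control and Write DAC), which is why the key looks empty in regedit; any
    # other principal with read rights here can read every _SC_ secret, so alert on those.
    $acl = Get-Acl -Path 'HKLM:\SECURITY'
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Expected  = $ace.IdentityReference.Value -in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
        }
    }
}

# Usage: services worth migrating to a virtual account or gMSA (no stored password),
# followed by the ACL check on the key that holds the remaining secrets.
Get-ServiceCredentialInventory |
    Where-Object AccountClass -eq 'ExplicitCredential' |
    Sort-Object Service |
    Format-Table Service, Account, LsaSecretName, State, StartMode -AutoSize

Get-LsaSecretsKeyAccess |
    Where-Object { -not $_.Expected } |
    Format-Table Identity, Rights, Type, Inherited -AutoSize
```

The first table is the list of services whose credential can be recovered by anyone who gains read access to HKLM\SECURITY; moving them to a virtual account or gMSA (as the ADSync example further down does) removes the stored password entirely. The second table should normally be empty; any row in it is an ACL change of the kind the comment above describes and belongs in change monitoring.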

Stumbled across this page when looking for the ADSync password for Azure AD Connect service.

For anyone else, to change the NT SERVICE\ADSync password, follow this guide as it's not straightforward:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass

KERR