You can find an encrypted (with CryptProtectData function) version of PEAP credentials stored in the binary data value named "MSMUserData" in the registry locations already specified in the NON answer:
Location of PEAP passwords
User
HKCU\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]
Machine
HKLM\Software\Microsoft\Wlansvc\UserData\Profiles[GUID]
The data begins with hex values 01 00 00 00 d0 8c 9d df 01.
Exporting the "MSMUserData" value from registry you will obtain a text file containing something like:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Wlansvc\UserData\Profiles\{GUID}]
"MSMUserData"=hex:01,00,00,00,d0,8c,9d,df,01,...
You must convert the hex values list (right after the ""MSMUserData"=hex:" string) in a binary file.
Once you obtain the binary file (e.g. called file.dat), you can decrypt it using crypt.exe http://www.outerhost.com/www/upload/8t4l1q2g7549/Crypt.zip in addition with PsExec tool https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
running the following command in a elevated command prompt
PsExec.exe -s -i cmd /k crypt.exe file.dat
you will obtain something like:
Decrypted: AAAAAAAAAAAAAAAAAAAAAJAEAAAYAAAAAgAAAJAEAAAAAAAAaQQAACAAAAAAAAAAkAQAA
AAAAAABAAAAGQAAAAAAAAAAAAAAAAAAAAEAAABJBAAAIAAAABkAAAAAAAAAAAAAAAAAAAA1BAAAAgAAA
[...]
A== <<<>>>
Crypt.exe output (after the "Decrypted: " and before the " <<<>>>" strings) is base64 encoded, so you'll need to decode it.
The decoded output will contain the PEAP username and, at the end, beginning with hex values 01 00 00 00 d0 8c 9d df 01, the encrypted (again with CryptProtectData function) version of the password.
Use again crypt.exe to decrypt this new ciphertext and then decode the output from base64 encoding and you will obtain the PEAP password.
did you solve it? I have the same question although I only need to find usernames. I found this relevant page for Windows XP: https://support.microsoft.com/en-us/kb/823731 Surely there must be some similar registry key in Win7!!
– Kidburla – 2015-09-23T16:31:34.450@Kidburla no, I didn't solved it. – MrMoog – 2015-09-23T17:24:09.530
same problem here! – Shady Sherif – 2017-09-13T06:15:36.407