
AutoLogon via nLite yields Password in the clear.


johnhc


In this thread, -X- reported finding the AutoLogon Password in the Registry in plain text. Running TweakUI or Control userpasswords2 hides/encrypts the password and deletes the plain text value (DefaultPassWord). After doing some searching, I found a small free program from Sysinternals that will hide/encrypt the password (but not delete the plain text one). I created a small AutoIt script that would do the necessary actions around AutoLogon.exe to make it unattended and delete the plain text PW.

#cs ----------------------------------------------------------------------------

AutoIt Version: 3.3.0.0
Author: johnhc (6-28-2009)

Script Function:
Encrypt/Hide the AutoLogon Password.

#ce ----------------------------------------------------------------------------

; Read the AutoLogon Parameters and test them for null or missing, quit if so.

$PassWord = RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword")
If $PassWord = "" Then Exit
$DomainName = RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultDomainName")
If $DomainName = "" Then Exit
$UserName = RegRead("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName")
If $UserName = "" Then Exit
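; Delete the plain text password now that it has been read into $PassWord.
RegDelete ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword")
; Quote each argument so that values containing spaces reach Autologon.exe intact.
$AutoLogonParms = '"'&$UserName&'" "'&$DomainName&'" "'&$PassWord&'"'
Run ('"'&@ScriptDir&'\Autologon.exe" '&$AutoLogonParms)
; Accept the license agreement if it appears (waits up to 2 seconds).
WinWaitActive ("A License Agreement","",2)
Send ("!A")
; Wait for the Autologon dialog and click its first button.
WinWaitActive ("Auto")
ControlClick ("Auto","","[CLASS:Button; INSTANCE:1]")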

This is offered with no guarantees. Remember it does read and delete values from the Registry. If you don't like the code, change it to your liking or create your own method, or simply run AutoLogon.exe and accept that it is not unattended and leaves your plain text PW. This source needs to be compiled for your system. I place the compiled AutoIt script and the AutoLogon.exe into the same folder and call the AutoIt script from the nLite RunOnce exit.

Some other information I gathered in my searching and testing:

  • If there is a plain text PW and a hidden one, the plain text one takes precedence.
  • The AutoLogon PW needs to be the same as the account PW or AutoLogon will fail and ask for the PW.
  • If the account PW is changed, AutoLogon will fail unless its PW is also changed explicitly.
  • The AutoLogon keys are set in nLite.inf (NLITE.IN_).
  • nLite.inf also uses nhelper to set up user accounts with the net (really net1) command.
  • Both of the last two items expose the account PW in plain text.
  • This may well not work on W2000.
  • The bottom line, at this time, is there is no way to enable AutoLogon and prevent a PW finder from exposing the PW. See replies from -X- and me, below.

I have tested this on my XP x64 system under VMware Server. Enjoy, John.

Edited by johnhc
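
A read-only check of the Winlogon values that the AutoIt script above reads, as an added example that is not part of the original post or of any tool named in it. The function name `Get-AutoLogonExposure` is hypothetical, and `AutoAdminLogon` is the standard Winlogon switch for AutoLogon, which the post itself does not mention. It reports whether a plain text `DefaultPassword` exists without ever printing it.

```powershell
# Added example: audit the AutoLogon values discussed in this thread.
# Read-only; the password itself is never written to the output.
function Get-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Registry path taken from the AutoIt script in the first post.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $key   = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $names = $key.GetValueNames()

    # GetValue returns $null when a value is missing, so absent values are safe to read.
    $autoAdmin = [string]$key.GetValue('AutoAdminLogon')
    $password  = [string]$key.GetValue('DefaultPassword')

    # -contains is case-insensitive, so DefaultPassWord and DefaultPassword both match.
    $plainPresent = ($names -contains 'DefaultPassword') -and
                    -not [string]::IsNullOrEmpty($password)

    [pscustomobject]@{
        AutoLogonEnabled  = ($autoAdmin -eq '1')
        DefaultUserName   = [string]$key.GetValue('DefaultUserName')
        DefaultDomainName = [string]$key.GetValue('DefaultDomainName')
        PlainTextPassword = $plainPresent
    }
}

$result = Get-AutoLogonExposure
$result | Format-List

if ($result.PlainTextPassword) {
    Write-Warning 'DefaultPassword is stored in plain text under Winlogon and is readable by anyone with read access to this key.'
}
elseif ($result.AutoLogonEnabled) {
    # Per the later replies in this thread, the hidden copy was still recovered locally.
    Write-Warning 'AutoLogon is enabled with no plain text value; the stored password may still be recoverable on this machine.'
}
```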


Hi johnhc

I dunno if I'll be game enough to try your script. I'm not that advanced...

However, I did try the Autologon.exe. That works more or less the same as Control usernames2 and TweakUi, in as much that you can do the same thing with all three functions. Setting the autolog-on results in the password being visible to anyone through a password finding program, whereas logging on with a password, hides it. One small twist, though. If you set the auto logon by using Autocontrol Logon, the password stays visible after the 1st reboot after resetting it to log-on with password. Only after the 2nd reboot does it become hidden again.

I guess that I'll stick to the "log-on with password" method. I can use the fingerprint pad, so it is no big deal. The important thing is that the password remains hidden whenever someone gains access.

How secure is the encryption though? Since I'm aware that it is easy for anyone to gain access to the computer without knowing the password, will hackers and other savvy people still be able to retrieve the password? Do you know?

regards masterpointer


masterpointer, advanced I am not.

> I dunno if I'll be game enough to try your script. I'm not that advanced...

I don't know what "using Autocontrol Logon" is. As far as I know, using AutoLogon.exe, if you delete the DefaultPassword value from the Registry, the PW will be hidden.

> How secure is the encryption though?

I don't know the answer, but I suspect the same method is used on the AutoLogon PW as on the account PW. The routine that processes Logon/Logoff (MSgina), reads the PW and I would think the encryption would be the same. Using AutoLogon automatically exposes my machine if I don't have physical protection. What I was concerned about was the possible retrieving of my PW via a 'call home' type of virus/worm. I have edited my first post and added some more 'what I learned' items. Enjoy, John.

I haven't had time to run any tests myself so what have you all concluded? I may not have read everything fully.

If any type of auto logon is used the password can be retrieved if someone gains access? The only solution then is to manually type in your password at logins?

Is that about the gist of it?

Edited by -X-

-X-, you will need to run your own experiments. I certainly have not come to your conclusion, in fact, I think if one uses TweakUI, control userpasswords2, or autologon.exe (and deletes the DefaultPassWord from the Registry), you will not be able to find the AutoLogon PW any more than you will be able to find the account PW. I do not have a PW scanner on my system. Please read all that has gone before this and let us know the results of your experiments. Enjoy, John.


> I think if one uses TweakUI, control userpasswords2, ................ you will not be able to find the AutoLogon PW.

That I've tested with Nirsoft's tool. It will retrieve the password.


-X-, I stand corrected, I am wrong and you are correct. I DLed NetPass (XP x64) and it found the AutoLogon PW no matter how I set it. Interestingly, only control userpasswords2 would delete it so that NetPass could not find it. Even deleting it with NetPass did not prevent it from being found. You are correct that the only way yet found to enable AutoLogon exposes the PW. Thanks, John.


I have learned in further searching that AutoLogon.exe uses LsaStorePrivateData (part of MS LSA, Local Security Authority) to set the AutoLogon PW. What I suspect this means is that the PW can be read from the system on which it is set but not from any other systems on a network. Since I do not have a networked PC, I hope someone will run a test on a machine on a network and try to see the PW on another system on which the PW was set by AutoLogon.exe. In my last reply, I used the NetPass program from the Nirsoft site referenced in -X-'s last reply. Thanks, John.
