passwords: entry required versus automatic entry

[masterpointer]

hi

I joined last night and I THOUGHT that I posted this, but I can't see it, so here goes again.

Can anyone help please? I have used nLite for quite some time without any problems, but one. Whenever I include the "MUST HAVE" password tick and then enter name and a password, the installed system sometimes require you to log on with the password and sometimes it simply logs on with the password already entered for you. It seems to be completely random.

How can you build the system ensuring that you are able to log on without having to enter the password (and still have the password present)? It is no good building the system without a password and then create one afterwards. That definitely means that you will have to log on by typing the password!

[johnhc]

masterpointer, please attach (not paste) your Last Session.ini. Make sure to always start with a fresh copy of your CD files/folders, do all your work in one nLite session and integrate only one SP. Please report when you have a solution, so others can benefit. Enjoy, John.

[Guest]

If you log off it normally asks for a password when you go to log in again. If you reboot or start your computer it doesn't. Is this what you're experiencing?

[masterpointer]

If you log off it normally asks for a password when you go to log in again. If you reboot or start your computer it doesn't. Is this what you're experiencing?

Not really...

When I create a new copy of XP with nLite (with the MUST HAVE password ticked), it seems to be "hit and miss" whether I need to log on by having to enter the password manually or whether it logs on automatically (with the password embedded). Whatever happens the first time I log on, will happen every time I reboot thereafter, e.g. if I have to enter password on the first log on, I will always have to enter pw (and vice versa).

My question is: How do I ensure that I can log on automatically (with a password embedded in the system), without having to manually enter that password after each reboot.

I guess it is not really a "big deal" whether or not you have a log on password, since that password is easily retrieved by anyone anyway...

[Guest]

My question is: How do I ensure that I can log on automatically (with a password embedded in the system), without having to manually enter that password after each reboot.

You can use Tweak UI or type control userpasswords2 then uncheck "users must enter a user name and password to use this computer". It will ask for your password twice and then it will be saved for future logons.

[masterpointer]

Thanks! TweakUI works fine (except that it says that it is "scrambled", which it doesn't appear to be), but it still doesn't explain the mystery of the seemingly random results I get when I create an XP installation via nLite with password included.

regards, masterpointer.

[johnhc]

masterpointer, please reread my reply above. Enjoy, John.

[masterpointer]

sorry if I'm a bit slow. The TweakUI worked fine, but I don't understand "type control userpasswords2..."! Type where?

[johnhc]

masterpointer, that goes into a Run dialog (Start-Run...). If you want me to try to help, please read my previous replies and attach (not paste) your Last Session.ini. Enjoy, John.

[Crash&Burn]

[OT]

I read an interesting tidbit on one of the MSVP sites.

If you create a User w/ a blank password, WinXP and above - that is one of the more secure users...

Apparently, a Login w/ a blank password can only login locally.

So if you don't need remote login access w/ that UserName, a blank password means there is no password for someone to try to crack or gain remote access to your machine with that ID (no password, no remote access).

[/OT]

[masterpointer]

masterpointer, that goes into a Run dialog (Start-Run...). If you want me to try to help, please read my previous replies and attach (not paste) your Last Session.ini. Enjoy, John.

Thanks Johnhc. I knew about the tweakUI but not about the Control... input. That has helped me a lot.

I've attached one of the "last session.ini" files hereto as you suggested. Do you know of any way you can hide or scramble the log-on password to that noone can read it if they gain access to the system? The reason that is important is that I use a fingerprint entry to all my various websites and accounts, but that is useless if the log-on password is readable.

LAST_SESSION.INI

[masterpointer]

[OT]

I read an interesting tidbit on one of the MSVP sites.

If you create a User w/ a blank password, WinXP and above - that is one of the more secure users...

Apparently, a Login w/ a blank password can only login locally.

So if you don't need remote login access w/ that UserName, a blank password means there is no password for someone to try to crack or gain remote access to your machine with that ID (no password, no remote access).

[/OT]

hi crash&burn

I not only need a password, I also need to be able to either hide or scramble it so that no-one can read it if they should gain access.

regards masterpointer

[johnhc]

masterpointer, the Last Session you attached does not have the Unattended task active. How did you specify a password? Did you run nLite against the same source more than once? If so, that is probably your problem. Please see my first reply just one more time. I am far from a security knowledgeable person, but it is my understanding that the password is stored in Widows in a one way encryption. This means the entered PW is passed through this process and then checked against the stored one. The stored one cannot be passed through a process that yields the original PW. Please start over with a fresh copy of your CD files/folders and make one pass through nLite and see if your problems don't go away. Enjoy, John.

[Guest]

I not only need a password, I also need to be able to either hide or scramble it so that no-one can read it if they should gain access.

I'm not at all knowledgeable on how windows stores passwords and stuff so I did a little digging it after your posts. First I used Nirsoft's Network Password Recovery to see if it could see my password and I could have sworn it didn't but I have some doubts. Noticing he added support for Tweak UI in his changelog, I went ahead and had Tweak take care of the autologin. I did a regshot before and after to see what changes where made to the registry. I was shocked when I saw that Tweak had deleted this value...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"DefaultPassword"="MY PASSWORD WAS HERE IN PLAIN TEXT!"

I have no idea why that was there. I installed Windows with the password in WINNT.SIF...

[GuiUnattended]

EncryptedAdminPassword="No"

AutoLogon="Yes"

AdminPassword="MY PASSWORD"

I reran the Password Recovery Tool and it now pulled up my password. I changed it and had windows save it via control userpasswords2 and again the tool was able to pull it up. I rechecked "Users must enter a username and password to use this computer" and the tool wasn't able to view the password.

To sum things up. It appears if you have your password saved for autologon, it's easily readable by anyone who gains access. It may be readable by going to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon but not sure. When I have time, I'm going to retrace my steps on a fresh install to see if I can reproduce that registy value.

[johnhc]

Wow, -X-, good find. I looked on my real (host - not nLited) machine and have no DefaultPassword PW key. But, I do have one on my VM with an nLited Windows! On my next build I will use the Unattended option to encrypt my PW. Thanks, John!